The “connected health model” offers flexible and efficient healthcare services by using connected technology to link communication, access and diagnostic capabilities. In fact, there has been an explosion in the number of mobile apps for health-related information with over 300,000 healthcare apps now available online and growing almost daily. “In a nutshell, there is a mad dash to address the demand of providing more real time health data. In response to this innovation, the question then becomes whether healthcare providers can tap into the available technology of “connectivity” and still protect health and personally identifiable information,” according to the report, Workplace Privacy Data management and Security Report.
The question that arises is, “Is enough being done to protect the privacy of patient information even as technology contributes to patient wellness?” The government has responded by issuing some guidelines. The Food and Drug Administration believes that public health may actually be at risk from vulnerabilities in medical apps. It issued “Postmarket Management of Cybersecurity in Medical Devices,” and it has published numerous guidelines and webinars. The FDA also reminds healthcare professionals that they must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. §§ 164.302 – 318. The Rule requires covered entities to conduct a Security Risk Assessment (SRA) of medical devices and apps that contain electronic protected health information, to identify cybersecurity vulnerabilities and address them as appropriate.
The Workplace Privacy report also cites another study, by the University of Piraeus, published in the Institute of Electrical and Electronics Engineers (IEEE) Access journal (29 January 2018), which demonstrates that many popular mobile health apps do not do enough to provide adequate privacy and cybersecurity protections. The study analyzed 20 mobile health apps drawn from the top 1,080 apps in the medical and health-and-fitness sections of the Google Play Store. To qualify for the study, each app had to be in English, have at least 100,000 downloads, and be free.
The study noted that there are numerous major and minor shortcomings of medical health applications. It pointed out: “A large portion of the assessed apps has been found to jeopardize user’s privacy and security by violating sensitive data protection regulations set to prevent the inappropriate and uncontrollable usage, processing and disclosure of health data to third parties. According to our analysis, a relevant number of popular m-health apps could violate users’ privacy by revealing sensitive information such as health conditions, medical symptoms, photos, location, e-mails and passwords.” Specifically, what are the security flaws that trouble health care experts, the security profession and government? Among them:
• lack of protection of sensitive data transmission,
• lack of adequate encryption for protection of this data,
• noncompliance with GDPR requirements, including the requirement to obtain data subjects’ consent and to honor their right to withdraw it, and
• inadequate protection of confidential information.
The Workplace Privacy report recommends that health care providers draw up a detailed compliance protocol requiring strict “self-assessment” before integrating with any mobile apps. That can be a tall order but could help shield organizations from legal action down the road. The report warns, “all healthcare providers considering using apps need to strongly evaluate security protections prior to allowing mobile health apps to access medical information.”
It concedes that there may be substantial costs associated with evaluating security risks and coming up with solutions: “Consequently, the cost to ensure privacy protection could significantly limit the type and number of mobile apps that should be ‘connected.’”