Mobile apps and devices are playing a big part in the innovation revolution sweeping healthcare around the globe. Mobile devices including smartphones, tablets, wearables, and implantables, are supplanting workstations and laptops as the primary interfaces between users and their technology. Apps tailored to the specific needs of health care providers and consumers are revolutionizing clinical and business practices and engaging consumers in the real-time management of their health and healthcare.
Mobile apps and devices are fast becoming critical components of our health information infrastructures. They are at the front-end of our hospital and ambulatory care information systems. They enable remote monitoring from the patient’s home or from the jogging trail. They allow patients to connect directly to their health care providers.
It’s estimated that more than 165,000 health and wellness apps are available for download from the Apple and Android stores. There is no vetting of these apps from a privacy and security point of view. Regulators in Canada and the United states are overwhelmed with the challenge of ensuring that PHI is appropriately protected and managed.
In April, 2016, privacy commissioners from around the world, including our federal commissioner and several provincial commissioners, took part in a privacy “sweep” conducted by the Global Privacy Enforcement Network (GPEN). The GPEN sweep looked at hundreds of IoT devices, including many health apps and devices, for basic privacy functionality. The sweep assessed fitness trackers, smart watches, smart scales, blood pressure monitors and an array of other Internet connected devices that could track everything from sleep habits to one’s blood alcohol levels.
Based on the sweep, the federal privacy commissioner concluded, “The privacy communications of Internet-connected devices are generally poor and fail to inform users about exactly what personal information is being collected and how it will be used.” He went on to state, “With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.”
For governments and health care organizations, mobile apps pose serious challenges. The utility of mobile apps for health care providers and consumers will be greatly enhanced when we allow access to our health information infrastructures, registries and repositories. However, the risk of enabling thousands of unsecured apps to access and contribute data to established health information repositories is high. Never mind backdoors to our systems. Thousands of tiny front doors will be wide open.
But there’s good news. Mobile apps can be private and secure. I know this because I can securely access my bank account from my smartphone. There is a growing body of knowledge to help app developers build privacy and security into their products and services.
There are two essential references I would recommend to mobile app developers. The first is Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps published jointly be the offices of the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta and the Information and Privacy Commissioner of British Columbia. This guide takes the view that privacy should be a feature hardcoded into the app, and valued by customers for competitive advantage. It addresses issues such as data minimization, meaningful consent and user notice.
The second reference is Privacy and Security Requirements and Considerations for Digital Health Solutions published by Canada Health Infoway. This comprehensive guide addresses the privacy and security of mobile devices, remote patient monitoring, cloud computing and other emerging technologies. Based on existing and emerging international standards, this guide can also help app developers who plan to market their products and services in the United States and other countries.
These references are helpful not only to app developers, but also to healthcare organizations buying mobile apps. They assist in defining requirements that can be included in RFPs and other procurement processes.
Here are some essential privacy and security features that should be built into every mobile app:
Identified Purposes: App developers must identify the exact purposes for which information is collected, used and disclosed, must be open and transparent to users about those purposes. They must ensure that the information is not used for any other purpose.
Meaningful Consent: Every app must have a way of capturing meaningful consent (i.e. not a long multipage, legalistic form with an “I agree” button at the end). The consent should be written in plain language and completed before any personal information is collected.
Data Minimization: The app should only collect, use and disclose the minimum amount of data needed for the identified purposes. Features such as cameras, voice recorders and location trackers should be disabled unless they are needed for the identified purpose.
Data Encryption: All personal information associated with the app should be encrypted at all times using a strong encryption algorithm. This includes data at rest in the device and any backend system and database, and data in transit.
Access Control: Rigorous access control processes must be in place to manage access to the app and associated data. This includes end-user roles (i.e. customers/patients) and admin roles (i.e. app developer support personnel).
Identification and Authentication: Robust identification and authentication methods must be applied. This might include strong passwords and two-factor authentication where appropriate.
Monitoring and Audit – Audit-logging capability must be built into the app to track access to personal information and to enable detection, investigation and response to privacy breaches.
Enable on-device security controls: Many mobile devices have onboard security features that can be configured and deployed to protect personal information. This includes passwords, auto lock after a period of inactivity, remote wipe and remote device locator.
Mobile apps and devices have the potential to significantly improve the management of health and healthcare. Privacy and security can be critical enablers of innovation and quality in mobile apps and devices.