Business of Medicine
Health Apps: Convenience vs. Security Risks
By Christopher E. Hoyme on May 9, 2018
May 31, 2018
The pace of innovation in healthcare today has produced an amazing increase in the number of available mobile apps for health-related information. More than 300,000 healthcare apps are available online. These apps are developed and designed to fit within the “connected health model” which attempts to provide flexible and efficient healthcare services by using connected technology that offers better communication, access and diagnostic capabilities. Many healthcare professionals use mobile apps for immediate communication with their patients and more responsive healthcare management. In a nutshell, there is a “mad dash” to address the demand of providing more “real time” health data. In response to this innovation, the question then becomes whether healthcare providers can tap into the available technology of “connectivity” and still protect health and personally identifiable information.
The U.S government has acknowledged the dilemma associated with medical apps and devices, when attempting to balance innovation with privacy and security. The Food and Drug Administration (FDA) over the past several years has instituted various initiatives to protect the public health from cybersecurity vulnerabilities of medical apps and devices. In particular, in late 2016 the FDA released final guidance, “Postmarket Management of Cybersecurity in Medical Devices,” which has been followed up with webinars and workshops to assist the public in guideline implementation. The FDA has also recently released its Medical Device Safety Action Plan which outlines the FDA’s plan to balance the security concerns associated with medical devices while still promoting innovation in this important field. In addition, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. §§ 164.302 – 318, requires covered entities to conduct a security risk assessment on medical devices and apps that contain electronic protected health information (ePHI) to determine cybersecurity vulnerabilities and deal with such as appropriate.
A recent study conducted by the University of Piraeus published in the Institute of Electrical and Electronics Engineering Access Journal indicates that many popular mobile health apps fall down when it comes to adequate privacy and cyber security protections. Many of these apps do not follow standard practices or do not comply with the impending General Data Protection Regulation (GDPR). Consequently, the privacy risk to millions of healthcare consumers and related healthcare institutions is significant.
The comprehensive study analyzed 20 mobile health apps from the top 1,080 of the medical and health and fitness sections of the Google Play Store. To qualify for the study each had to be in English, have at least 100,000 downloads, and be free.
Researchers identified a large number of potential security flaws including unsecure programming practices, lack of protection of sensitive data transmission and lack of adequate encryption for protection of this data. Oftentimes, the apps were not in compliance with GDPR requirements, including the requirement to obtain data subject to consent and the right to withdraw consent. The study indicated that a significant percentage of available health apps do not adequately protect confidential information. Consequently, it is recommended that healthcare providers establish a detailed compliance protocol requiring strict self-assessment before integrating with any mobile apps. All healthcare providers considering using apps need to strongly evaluate security protections prior to allowing mobile health apps to access medical information. The cost of evaluating security risks and identifying proactive solutions may be significant. Consequently, the cost to insure privacy protection could significantly limit the type and number of mobile apps that should be “connected.” The bottom line takeaway for market competitive healthcare providers is clearly to be proactive and to engage in a “deep dive” audit practice before allowing protected medical information to become at risk through the use of unvetted apps.
 Institute of Electrical and Electronics Engineering Access Journal. January 29, 2018.
Article provided by the Jackson Lewis law firm.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.