mHealth - Snoops out!

Written by Dr Juanita Fernando on .

This article first appeared in the May 2013 edition of Pulse+IT Magazine.
mHealth is a powerful and increasingly pervasive tool for healthcare professionals, but a lack of knowledge about security, privacy and the proper use of the technologies involved is a serious threat to the wider potential of mHealth for clinical care. Information systems, standards and regulatory processes, supported by full legislative backing, are urgently required to keep out the snoops.

Emerging evidence shows breaches of private mHealth information occur across a range of clinical professions. For example, the BBC-News of the World phone hacking scandal in 2006-07 saw a myriad of health information across the globe compromised; in at least one case, the UK High Court awarded an affected litigant £600,000.[1]

mHealth breaches are not limited to hacking though. Other threats, often inadvertent, manifest as medical photography or film files stored on a personal mobile device (PMD), images and text posted on social media websites or loss of a mobile device storing patient data.[2], [3], [4]

The impact of these events sometimes creates scandals that trigger community doubt about mHealth, damaging an ostensibly useful eHealth practice tool. Clinicians and their patients must be able to protect themselves against snooping, whether deliberate or inadvertent.

A recent World Health Organisation (WHO) survey showed that mHealth applications can assist clinicians in a variety of ways, including the facilitation of access to health support services even when the patient is located in geographically distant or remote areas with a lack of infrastructure.[5] Other plausible benefits of mHealth include SMS alerts and monitoring systems, recruitment for clinical trials and other research, store and forward patient care data and mobile access to evidence-based practice tools. mHealth is an important adjunct to patient diagnosis and management processes.

mHealth tools are not simply pervasive across contemporary clinical care; many graduating clinicians also plan to use them for practice.[6] Yet many researchers and clinicians claim the tools are not subject to scrutiny or assessment in the same way as other areas of health practice. Rigorous evaluation of mobile applications for diagnosis or access to evidence-based practice remains scarce as very few high quality studies are published in this domain and a legislative vacuum seems to exist in Australia.

However, the Therapeutic Goods Administration (TGA) is reported to have claimed medical device software for therapeutic purposes is already regulated in Australia, and smartphone applications fall within this framework.[7] While I am unable to locate any publicly available evidence in support of the claim, clearly there is consensus about the need for regulatory support of therapeutic mHealth applications.

Security and privacy

Despite the TGA claim, personal accounts from clinicians indicate that local information system managers do not permit mobile devices, especially PMDs, to be connected to a hospital network, which is at least partly due to their inability to control the devices, fostering potential exposure to medico-legal claims of privacy breach. Medical indemnity insurers and the Australian Computer Emergency Response Team (AusCERT) have also warned clinicians about participation in mHealth systems for similar reasons.

The Australian Medical Association (AMA), as with other professional organisations, has published a guide to support clinical confidence about professional behaviours in mHealth.[8] Professional medico-legal and advisory services frequently direct concerned physicians to Royal Australian College of General Practitioners (RACGP)and other guidelines on privacy and security standards.[9] Belief that mHealth initiatives are just technology projects demonstrates a limited conceptual understanding of the matter.[10]

Many mobile devices already offer basic and easily used password software applications to protect the privacy of stored information. Basic password protection on mobile devices is a security-related issue underpinning privacy. Mobile device passwords are vital because over time, the devices tend to accrue sensitive information through access to wireless services and organisational intranets. They can be mislaid, lost or stolen, thereby exposing data to unauthorised people. Yet basic password protections are often unused by clinicians so information stored on a mobile device is available to anyone who possesses it.[4] The lack of clinicians with a conceptual understanding of mHealth security and privacy tools exacerbates medico-legal threats, risking further scandals and limitations to the potential benefits mHealth tools offer for patient care.[11]

Regulations and standards

Regulation and guidelines about privacy-enhanced use of PMDs and other mobile devices in the health workplace can usefully mirror those applied to the business sector. A recent submission by the Medical Technology Association of Australia (MTAA) recommends the regulation of medical applications on PMDs and other mobile devices that are intended by the developer to cure, treat, monitor or diagnose a medical condition.[12]

Both the business and health sectors can come together to address medico-legal and privacy concerns that currently limit physician and patient confidence in mobile devices globally.

Preliminary analysis of the evidence suggests that clinicians generally overlook or are unaware of support resources provided by professional associations and other organisations. For instance, a medical application evaluation site on the internet offers peer review of many applications for clinicians.[13] Emerging peer-reviewed publications also offer practical support for clinicians.[4-5], [8], [14]

Other work is taking place to enable configurations that disassociate personal data from work data.[15] However, this mosaic of resources is scattered and not easily located by time-poor clinicians. A unified list of these resources, supported by hypertext links, could be a useful way to begin protecting clinicians and their patients from the consequences of mHealth privacy breach.

Evidence shows breaches of private mHealth information regularly occur across a range of devices. The pace of snooping scandals reported in the mass media and through health regulatory boards has increased as mHealth tools become entrenched in everyday practice.

Various health privacy scandals trigger considerable doubt about the ability of clinicians to self-regulate the use of mHealth tools in a way that protects themselves or the public.

The impact of these scandals is likely to dampen community confidence in the application of digitised clinical records and so hampering enrolments in the local PCEHR for patient care. Mobile device information systems, standards and regulatory processes, supported by full legislative backing, are urgently required to ensure snoops cannot threaten the application of these devices in support of patient care.

References

  1. BBC © 2013. Q&A: News of the World phone-hacking scandal August 4, 2012. Online: http://www.bbc.co.uk/news/uk-11195407
  2. Burns, K. & Belton, S. “Click first, care second” photography. Med J Aust 2012; 197 (5): 265.
  3. Impacted nurse. The impacted nurse (blog) 2011 http://www.impactednurse.com/?p=3114
  4. Jansen, W. & Scarfone, K. Guidelines on cell phone and PDA security. – National Institute of Standards and technology, US Dept. of Commerce; Special Publication, 2008. http://nuancet.eu/wp-content/uploads/2011/11/NIST-Guidelines-on-Cell-Phone-and-PDA-Security.pdf
  5. Fernando, J. Clinical software on personal mobile devices needs regulation. Med J Aust 2012; 196 (7): :437
  6. Koehler, N., Yao, K.. Vukovic, O. & McMenamin, C. Medical students’ use of and attitudes toward medical applications. Journal of Mobile Technology in Medicine 2012; 1:4:16-21.
  7. eHealthspace.org TGA joins mobile smartphone trend. eHealthSpace 2011 ; 27 July 2011: http://ehealthspace.org/news/tga-joins-global-smartphone-health-trend
  8. Australian Medical Association (AMA). Be careful about what you say and how you say it. https://ama.com.au/be-careful-about-what-you-say-and-how-you-say-it
  9. Royal Australian College of General Practitioners (RACGP) Telehealth (webpage on the internet) http://www.racgp.org.au/your-practice/e-health/telehealth/
  10. Williams, P & Schaper, L. A complex intervention in a complex system. Pulse+IT 2013; 34: 36-37
  11. Borycki, E., Joe, R., Armstrong, B., Bellwood, P. Campbell, R. Educating health professionals about the Electronic Health Record (EHR): Removing the barriers to adoption. Knowledge Management & E-Learning: An International Journal, (3): 1: 51
  12. Medical Technology Association of Australia (MTAA). App purchases by Australian consumers on mobile and handheld devices. MTAA January 2013. Online: http://www.mtaa.org.au/docs/submissions/mtaa-submission-to-ccaac-on-app-purchases-by-australian-consumers-on-mobile-and-handheld-devices-jan-2013.pdf?sfvrsn=0
  13. Hussain, I., Misra, S., Wodajo, F, Schultz, C., Lewis, T., Aungst, T. iMedicalApps http://www.imedicalapps.com/about/
  14. Perera, C. Principles of security for the use of mobile technology. J of Mobile Tech in Med 2012; 1(2);5-7
  15. Smalley, S. Middleware MAC for Android. Linux Security Summit 2012, San Diego, CA, USA; 30-31 August.

Author Details

Dr Juanita Fernando
FACHI, PhD, MA, BA, Grad Cert Bus Sys
This e-mail address is being protected from spambots. You need JavaScript enabled to view it

Dr Juanita Fernando is the academic convenor of the BMedSC(Hons) with the Faculty of Medicine, Nursing & Health Sciences at Monash University and the chair of the health privacy sub-committee of the Australian Privacy Foundation (APF).

Would you like to receive articles like this one delivered straight to your email inbox each week?

Currently Pulse+IT eNewsletter subscribers are keeping up to date with the latest Australasian eHealth and Health IT developments using this free service. Click here to join now!
Pulse+IT has a free iOS app available for download from the App Store, which allows readers to browse all recent editions of Pulse+IT magazine.

Comments  

 
#1 Dr No 2013-06-14 13:21
Excellent article Juanita!
Would be great to see some examples of TGA approved mhealth apps. In many ways comparing the greater medical device world with mhealth apps and expecting they can be treated / approved the same way doesn't sit too well with me. End of the day though if they are actually recognising, scrutinising and approving the apps - that's the main thing (are they?!).
I also particualrly agree with Practitioner education / raising awareness of related security issues. We should also mention importance of strict enforced policy on BYOD type of situations within healthcare organisaitons / facilities.
 
 
#2 A/prof Terry Hannan 2013-06-14 14:47
In support of Juanita and her excellent comments these are recent publications.
The PLOS Medicine Editors (2013) A Reality Checkpoint for Mobile Health: Three Challenges to Overcome. PLoS Med 10(2): e1001395. doi:10.1371/journal.pmed.1001395
Tomlinson M, Rotheram-Borus MJ, Swartz L, Tsai AC (2013) Scaling Up mHealth: Where Is the Evidence? PLoS Med 10(2): e1001382. doi:10.1371/jou rnal.pmed.10013 82
 
 
#3 Dan Rhon 2013-06-14 16:35
Another resource for peer review of medical app:
Medical App Journal
www.MedicalAppJournal.com
 
 
#4 Vadim Peretokin 2013-06-16 09:27
Good smartphones these days offer complete data encryption - something that in combination with a password, at least makes the data on the device be unaccessible/us eless if it is stolen. Here's a guide for Android if anyone is interested: https://support.google.com/android/bin/answer.py?hl=en&answer=1663755 (and please be if you are storing sensitive information / browsing intranets on it! Your phone does remember data).
 
Viagra Coupons