mHealth regulation, security, and privacy: whose responsibility is it?

Mobile mHealth devices present prolific opportunities across the board. However, it could be just a matter of time before a public data breach that rocks the industry – such as a massive identity theft or large-scale insurance fraud, reports Arif Mohamed for M2M Now.

Arif Mohamed, freelance

As the market for mHealth devices grows, so will the potential threat. According to Juniper Research, in just five years there’ll be more than 100 million smart watches in use worldwide. Also, mHealth interfaces, like Apple’s HealthKit and Samsung’s SAMI, are forecast to help propel the global healthcare accessory market to US$3bn by 2019.

As an indicator, the US Food and Drug Administration (FDA) recently warned medical device manufacturers and healthcare professionals to protect their equipment against ‘cyber-security vulnerabilities and incidents.’

Equipment includes network-connected pacemakers and defibrillators, the cybersabotage of which would have unimaginable consequences. A more widespread concern is that health apps collect personal information that could be shared with third parties or, worse still, stolen by criminals.

Gareth Tolerton, chief technology officer, TotalMobile

This could lead to targeted advertising at best, or at worst: identity theft, declined insurance, or employment discrimination. A malicious attack could, in theory, reveal where the patient is located, plus their regular daily movements, how they feel, and even how and when to get into their house, one industry observer commented.

In the case of an mHealth data breach, the biggest casualty will be consumer trust. Gareth Tolerton, CTO at TotalMobile, a provider of mHealth solutions, believes that “there will be a backlash.” He also said that consumers and medical practitioners need to feel confident that the technology is clinically certified and secure.

But where does the responsibility lie to secure mHealth apps, devices, assets, and users? Some commentators feel that the end user should be responsible for their own data usage. “If I’m using a device to capture my health data, it’s my choice. The consumer has a responsibility,” noted Tolerton.

User education

Mark Hall, public sector director, Redcentric

Mark Hall, public sector director at Redcentric, agrees. Redcentric is a cloud service provider to N3, the UK National Health Service’s secure network. Hall said: “Since mHealth is concerned with the use of mobile to deliver health services, security lapses tend to occur due to user indifference or lack of education. It’s here that security is at its weakest.

“Users need to understand the potential risk to their data however their chosen application providers transmit it; how they process it, and where it goes. Users also need to ensure that they educate themselves on how data can be easily shared in error using new applications and services such as Apple HealthKit,” he added.

Paco Hope, principal consultant, Cigital

Other experts believe the app and device makers are the ones most responsible for customer data security. Paco Hope, principal consultant at app security firm Cigital, said: “The responsibility lies squarely with software makers. If they do not build a feature or a security control, the user cannot do it themselves.”

“The right answer is to give users clearly explained controls that cannot be overridden by the apps or the firms,” said Hope. He recommends securing data in transit using Transport Layer Security encryption correctly. “No one suffers if data is encrypted unnecessarily. There is always risk that unencrypted data can be used in ways we didn’t anticipate when we decided not to encrypt it.”

Regulation control

Catalin Cosoi, chief security strategist, Bitdefender

Data encryption certainly lies within the scope of the app, device or network service provider, rather than the end user. However, experts agree that action is needed at all levels to mitigate the risk of a data breach. Catalin Cosoi, chief security strategist at Bitdefender, said that businesses, app developers, security vendors, privacy regulators, healthcare organisations, and patients should be working together to assess risks, prevent healthcare data loss, meet legal requirements, and secure IT infrastructures.

Cosoi added that privacy regulators need to play their part in creating new laws with tougher penalties for data loss incidents to ensure compliance by hospitals and healthcare organisations.

The main security threats will come at the point where the devices and apps offload the data they collect to a smartphone, via a Bluetooth or WiFi connection, Cosoi said. “This makes them vulnerable to identity theft, unintentional data leaks, traffic sniffing and man-in-the-middle attacks.”

End-to-end data encryption is the answer, securing data during transmission, with proper authentication and encryption protocols at both ends of a communication channel.

Data policy

Steve Hegenderfer, director of developer programs, Bluetooth SIG

Regarding Bluetooth, Steve Hegenderfer is director of developer programs at Bluetooth SIG, the body responsible for developing the wireless standard. He said that the connectivity technologies used in mHealth, Bluetooth included, have all the tools to build a very secure solution. “For example, any actual personal data being sent by a Bluetooth Smart-enabled device uses AES-128 CCM cryptography to provide strong encryption and authentication of data packets.”

Hegenderfer argues that the issue is more one of data policy, and cited Apple recently posting privacy policy rules for developers working with its HealthKit platform.

“These rules, which ban developers from selling data obtained from apps within the platform to third parties, prove that Apple is trying to proactively change the conversation and get out ahead of this,” said Hegenderfer. He added that other major players such as FitBit are now doing this as well from a ‘health & wellness’ device perspective.

Setting the right policies is a step forward, but the question remains as to whether mHealth devices will come under the ruling of national and federal bodies, such as the US Federal Trade Commission. But Hegenderfer also noted that: “Too much regulation however, can potentially stunt the growth of this industry. mHealth can provide consumers with so much value that it would be a waste for it to be legislated away.”

Tushar Bhatnagar, project manager, Tech Mahindra

Two industry bodies that can help with mHealth data security standards and best practices are Workgroup for Electronic Data Exchange (WEDI), and the Healthcare Enterprise (IHE), suggested Tushar Bhatnagar, project manager, Digital Healthcare Solutions at IT services firm Tech Mahindra.

He commented: “The healthcare industry is witnessing an explosion in mobile based healthcare applications. Clinicians are using smart devices for monitoring patient data but unlike other industries, such as banking, the standards are yet to be embraced across the industry.”

It’s uncertain whether or not the industry will be able to avoid a headline-grabbing mHealth data breach. Yet, with the right security, data standards, policies and end-user practices in place, we can but try.
