mHealth regulation, security, and privacy: whose responsibility is it?

mHealth devices present prolific opportunities across the board. However, it could be just a matter of time before a public data breach rocks the industry, such as a massive identity theft or large-scale insurance fraud, reports Arif Mohamed for M2M Now.

Arif Mohamed, freelance

As the market for mHealth devices grows, so will the potential threat. According to Juniper Research, in just five years there’ll be more than 100 million smart watches in use worldwide. Also, mHealth interfaces, like Apple’s HealthKit and Samsung’s SAMI, are forecast to help propel the global healthcare accessory market to US$3bn by 2019.

As an indicator, the US Food and Drug Administration (FDA) recently warned medical device manufacturers and healthcare professionals to protect their equipment against ‘cyber-security vulnerabilities and incidents.’

Equipment includes network-connected pacemakers and defibrillators, the cybersabotage of which would have unimaginable consequences. A more widespread concern is that health apps collect personal information that could be shared with third parties or, worse still, stolen by criminals.

Gareth Tolerton, chief technology officer, TotalMobile

This could lead to targeted advertising at best, or at worst: identity theft, declined insurance, or employment discrimination. A malicious attack could, in theory, reveal where the patient is located, plus their regular daily movements, how they feel, and even how and when to get into their house, one industry observer commented.

In the case of an mHealth data breach, the biggest casualty will be consumer trust. Gareth Tolerton, CTO at TotalMobile, a provider of mHealth solutions, believes that “there will be a backlash.” He also said that consumers and medical practitioners need to feel confident that the technology is clinically certified and secure.

But where does the responsibility lie to secure mHealth apps, devices, assets, and users? Some commentators feel that the end user should be responsible for their own data usage. “If I’m using a device to capture my health data, it’s my choice. The consumer has a responsibility,” noted Tolerton.

User education

Mark Hall, public sector director, Redcentric

Mark Hall, public sector director at Redcentric, agrees. Redcentric is a cloud service provider to N3, the UK National Health Service’s secure network. Hall said: “Since mHealth is concerned with the use of mobile to deliver health services, security lapses tend to occur due to user indifference or lack of education. It’s here that security is at its weakest.

“Users need to understand the potential risk to their data, however their chosen application providers transmit it, how they process it, and where it goes. Users also need to ensure that they educate themselves on how data can be easily shared in error using new applications and services such as Apple HealthKit,” he added.

Paco Hope, principal consultant, Cigital

Other experts believe the app and device makers are the ones most responsible for customer data security. Paco Hope, principal consultant at app security firm Cigital, said: “The responsibility lies squarely with software makers. If they do not build a feature or a security control, the user cannot do it themselves.”

“The right answer is to give users clearly explained controls that cannot be overridden by the apps or the firms,” said Hope. He recommends securing data in transit using Transport Layer Security encryption correctly. “No one suffers if data is encrypted unnecessarily. There is always risk that unencrypted data can be used in ways we didn’t anticipate when we decided not to encrypt it.”
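Hope’s point is that TLS protects data in transit only when it is used correctly, and the most common way to get it wrong is to switch off certificate or hostname verification. The following is an added example, not code from the article or from any of the firms quoted in it: it builds a deliberately weak client context next to a hardened one using Python’s standard `ssl` module, and a small audit function that reports the settings an attacker on the Bluetooth or WiFi hop would exploit. The function names and the finding strings are my own.

```python
import ssl


def weak_context() -> ssl.SSLContext:
    """Anti-pattern: an app that 'makes the certificate error go away'.

    Constructed for illustration. With verification off, any device on the
    path can present its own certificate and read or alter the readings.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What 'using TLS correctly' looks like for a client.

    create_default_context() loads the platform CA store and already sets
    CERT_REQUIRED and check_hostname=True; the rest tightens the floor.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # rules out CRIME-style leaks
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses present in a client context (empty list == clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS older than 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
```

Running `audit_context` over a context before it is handed to `http.client` or `urllib` is a cheap build-time check; a context that produces any finding should fail the build rather than ship in a health app.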

Regulation control

Catalin Cosoi, chief security strategist, Bitdefender

Data encryption certainly lies within the scope of the app, device or network service provider, rather than the end user. However, experts agree that action is needed at all levels to mitigate the risk of a data breach. Catalin Cosoi, chief security strategist at Bitdefender, said that businesses, app developers, security vendors, privacy regulators, healthcare organisations, and patients should be working together to assess risks, prevent healthcare data loss, meet legal requirements, and secure IT infrastructures.

Cosoi added that privacy regulators need to play their part in creating new laws with tougher penalties for data loss incidents to ensure compliance by hospitals and healthcare organisations.

The main security threats will come at the point where the devices and apps offload the data they collect to a smartphone, via a Bluetooth or WiFi connection, Cosoi said. “This makes them vulnerable to identity theft, unintentional data leaks, traffic sniffing and man-in-the-middle attacks.”

End-to-end data encryption is the answer: it secures data during transmission, provided that proper authentication and encryption protocols are in place at both ends of the communication channel.
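The two properties named above, encryption plus authentication at both ends, are what stop a man-in-the-middle on the offload hop from reading or silently altering a reading. The block below is an added example, not code from the article, Bitdefender or Bluetooth SIG: it seals a constructed heart-rate reading on the device side and opens it on the phone side, rejecting any packet whose tag fails to verify or whose nonce has been seen before (a replay). Because Python’s standard library has no block cipher, the keystream comes from HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); in a real product the same envelope would be an AES-CCM or AES-GCM call from a vetted library, which is the structure the example is meant to show, not a replacement for it. The `shared_secret` is assumed to come from device pairing, and all names are my own.

```python
import hashlib
import hmac
import json
import secrets
import struct

NONCE_LEN = 12   # fresh per packet; never reused under the same key
TAG_LEN = 32     # HMAC-SHA256 output


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Split the pairing secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"mhealth-enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mhealth-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(shared_secret: bytes, reading: dict) -> bytes:
    """Device side: encrypt a reading, then authenticate nonce + ciphertext."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(reading, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


class Receiver:
    """Phone side: verify first, decrypt second, and refuse replayed nonces."""

    def __init__(self, shared_secret: bytes):
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.seen_nonces: set[bytes] = set()

    def open(self, packet: bytes):
        """Return the reading, or None if the packet is forged, altered or replayed."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        nonce = packet[:NONCE_LEN]
        ciphertext = packet[NONCE_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        if nonce in self.seen_nonces:                 # replay of a genuine packet
            return None
        self.seen_nonces.add(nonce)
        plaintext = _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))
        return json.loads(plaintext)


if __name__ == "__main__":
    # Constructed pairing secret and reading for the demonstration.
    secret = secrets.token_bytes(32)
    packet = seal(secret, {"hr_bpm": 72, "ts": 1700000000})
    phone = Receiver(secret)
    print("genuine:", phone.open(packet))
    print("replay :", phone.open(packet))
    altered = bytearray(packet)
    altered[NONCE_LEN] ^= 0x01          # flip one ciphertext bit in transit
    print("altered:", Receiver(secret).open(bytes(altered)))
```

The order inside `open` matters: the tag is checked before anything is decrypted or parsed, so a tampered packet never reaches the JSON parser, and the replay set is consulted only for packets that already passed authentication, so an attacker cannot fill it with junk.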

Data policy

Steve Hegenderfer, director of developer programs, Bluetooth SIG

Regarding Bluetooth, Steve Hegenderfer, director of developer programs at Bluetooth SIG (the body responsible for developing the wireless standard), said that the connectivity technology gives mHealth developers all the tools to build a very secure solution. “For example, any actual personal data being sent by a Bluetooth Smart-enabled device uses AES-128 CCM cryptography to provide strong encryption and authentication of data packets.”

Hegenderfer argues that the issue is more one of data policy, and cited Apple’s recent publication of privacy policy rules for developers working with its HealthKit platform.

“These rules, which ban developers from selling data obtained from apps within the platform to third parties, prove that Apple is trying to proactively change the conversation and get out ahead of this,” said Hegenderfer. He added that other major players such as FitBit are now doing this as well from a ‘health & wellness’ device perspective.

Setting the right policies is a step forward, but the question remains as to whether mHealth devices will come under the ruling of national and federal bodies, such as the US Federal Trade Commission. But Hegenderfer also noted that: “Too much regulation however, can potentially stunt the growth of this industry. mHealth can provide consumers with so much value that it would be a waste for it to be legislated away.”

Tushar Bhatnagar, project manager, Tech Mahindra

Two industry bodies that can help with mHealth data security standards and best practices are the Workgroup for Electronic Data Interchange (WEDI) and Integrating the Healthcare Enterprise (IHE), suggested Tushar Bhatnagar, project manager, Digital Healthcare Solutions at IT services firm Tech Mahindra.

He commented: “The healthcare industry is witnessing an explosion in mobile-based healthcare applications. Clinicians are using smart devices for monitoring patient data but, unlike other industries such as banking, the standards are yet to be embraced across the industry.”

It’s uncertain whether or not the industry will be able to avoid a headline-grabbing mHealth data breach. Yet, with the right security, data standards, policies and end-user practices in place, we can but try.

