Privacy and Regulation in the Age of mHealth and Wearables

iStock-601391472.jpg

mHealth may be the future of healthcare, but how do doctors and developers ensure that patients’ medical data remains private and secure?

If you didn’t get a Fitbit for Christmas last year, chances are that you know someone who did. Low-risk devices like wearables have become increasingly popular among consumers over the last five years as they assert more agency over their own health maintenance and treatment plans.

Doctors and other medical professionals are beginning to see the benefits of mobile medical devices — commonly referred to as mHealth — and many of them anticipate promising applications for these emerging technologies. But mHealth devices, especially wearables, present a number of privacy and security challenges that must be addressed before the technology can be used to gather diagnostic information or clinical trial data.

Privacy Issues

A medical device is any device or linked mobile app that claims to diagnose, treat, prevent, or monitor disease and injury under a doctor’s supervision. These devices are subject to special regulations before they can be used on consumers. On the other hand, low-risk devices like wearables don’t need that kind of approval, since doctors aren’t making medical decisions based on the information they provide.

But as device technology advances and the lines between wearables and medical devices become blurrier, manufacturers and medical organizations must consider the substantial privacy and security issues that mHealth presents, which include:

Data Collection and Transfer

The first line of defense in mHealth privacy and security occurs at the point of data collection. Who owns the data that’s being collected and who has access to it? Given that this is medical information, security and sharing protocols should be as stringent as they would be for any other type of medical records.

Personal Accounts

All users must be able to access their own health information on both medical and low-risk devices. How do developers keep that information secure? What measures can they implement to minimize incidental release of private information?

Unsecured Devices and Applications

Does the medical or low-risk device interface with unsecured devices or apps? How do we protect medical information from security breaches in those cases or — how do we limit the kinds of technology that a given device can link to?

Third-Party Agreements

Has the device or app developer implemented any third-party agreements? What are the conditions of those agreements, especially in regards to privacy?

Reliability

Is the health data being used in a clinical trial? Can you consider data from low-risk devices reliable?

Preparing for Privacy Issues

Mainstream use of mHealth is still a long ways off, but by raising awareness of these privacy issues now, device manufacturers and medical professionals can set best practices for the technologies going forward. The FDA has already begun this effort, producing a Digital Health Action Plan that details its processes for evaluating and approving mHealth and other new digital medical tech. The agency has also collaborated with experts at the Duke-Margolis Center for Health Policy to create a detailed mHealth directive, which emphasizes robust data collection and patient centricity.

In the meantime, manufacturers and developers can adhere to established best practices for mobile security, including using cloud software from a trusted, large-scale provider and employing two-factor authentication where possible. They can also create separate, secured mobile gateways to control access outside a workplace or test site, evaluated by regular audits and other testing. By establishing good privacy and security practices now, medical organizations can prepare themselves for mHealth’s future.

Medical Marketing Guide: Google Advertising