Mobile applications are capturing the healthcare industry's attention as one of the most exciting frontiers for new progress in patient care. Yet while mobile health app adoption is expected to increase dramatically in the next few years – industry estimates project that 500 million people will be using mobile health apps by 2015 – there are significant software security concerns. Experts note that federal regulations do not currently govern many aspects of the mobile health sphere. As a result, developers may need to apply internal pressure to ensure security standards are met as they seek broader buy-in for their technologies.
A series of papers published in the journal Health Affairs recently drew attention to some of the privacy and security challenges facing mobile health applications. Broadly speaking, these apps introduce risk in that they transmit sensitive information over a network. Communications via telehealth services are not regulated by the Health Insurance Portability and Accountability Act, researchers noted.
"Although we are unaware of direct harm to patients associated with a security flaw in a telehealth system, there have been academic demonstrations of such problems," researchers Joseph Hall and Deven McGraw wrote in one Health Affairs paper.
Legal and regulatory tangles
One of the major issues is that consumers who use mobile apps in a non-healthcare setting are not covered entities under HIPAA regulations, MedPage Today's David Pittman explained, summarizing another Health Affairs paper. As a result, depending on the circumstances, a mobile health app vendor wouldn't necessarily have to disclose a security breach under current HITECH Act regulations. He noted that consumer device software may contain security flaws and could be a tempting target for hackers, making this regulatory hole a notable problem.
Additionally, patient information handed over to private health apps may not be subject to the protections of the Computer Fraud and Abuse Act of 1986 or the Electronic Communications Privacy Act of 1986, which are designed to prohibit the unauthorized interception of digital information, another Health Affairs article written by Tony Yang and Ross D. Silverman noted. Liability for malpractice in scenarios involving mobile health app data is also unclear.
"[T]here is no agreement as to what a doctor's liability would be if he or she injured a patient as the result of faulty or inaccurate information supplied by the patient," Yang wrote.
While researchers urge expanded regulation and greater legal clarity surrounding software security and privacy for mobile health apps, developers may want to be proactive in their implementation of better security practices. Mobile health tools are facilitating home and remote medical care across a broader swath of people, but buy-in could remain a challenge if the space is seen as unsafe or poorly regulated. While legal discourse is just beginning to emerge in this area, on a software development level the mandate is already clear: using tools like static analysis software as part of a secure development lifecycle can help avoid the risks endemic to mobile and telehealth applications. Furthermore, such tools can guide developers through FDA standards and compliance as more of a legal framework is introduced.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.