WASHINGTON—That handy health app on your phone—the one with access to your medical history, your doctor’s name, even your home address—may be vulnerable to hackers. Technology experts discussed the risks at a House hearing July 14 with the Energy and Commerce subcommittee.
The fast growth of information technologies in the health care sector has outpaced the industry’s efforts to safeguard them. A report by IMS Health, a research and service provider for health care professionals, showed that more than 165,000 mobile health (or mHealth) apps were available in 2013. Many of the apps offer access to users’ electronic health records from doctors or hospitals.
Hackers particularly love the kind of medical information stored in health apps because it’s harder to change. A stolen credit card number can be cancelled, but medical histories, and the home addresses and Social Security numbers that often go into medical records—these things are hard to change and can therefore be sold for a higher price on the black market.
Few privacy policies and no regulation
Health apps are popular, but not very private. One-fifth of mobile devices in the United States have a health app installed. A study in the March issue of the Journal of the American Medical Association in March, however, showed that of 271 apps studied, 81 percent did not have privacy policies. Of the 19 percent (41 apps) that did have privacy policies, only four specified that they would seek permission before sharing data with third parties.
The act of selling of data collected by the apps isn’t regulated. Health apps also are not subject to privacy and security regulations in the Health Insurance Portability and Accountability Act (HIPAA).
Nicolas Terry, Indiana University Maurer School of Law Professor and a health care technologies regulation expert, called for Federal regulatory agencies to step in and create patient-information protections for the apps. “The most disruptive mobile health apps are those that are patient-facing,” Terry explained, referring to apps where information is directly available to users. Such a direct app-patient relationship lacks any professional buffer between the user and the information, he said. As a result, traditional regulation of safety, quality, and confidentiality suffer.
“Patient privacy should be well addressed. The selling of this information should be more transparent,” said Diane Johnson, director of the Strategic Regulatory at Johnson & Johnson, a multinational medical products and services provider that offers a number of mHealth apps. Johnson and others stressed that for mHealth app users, it’s a case of buyer beware.
Here's one ray of hope: Data saved in individual devices may be safer than data saved to clouds, said Bettina Experton, president of Humetrix, a health app developer based in Del Mar, California. Users’ information is “highly secure in personal devices,” Experton said. “Your phone can store securely when it’s encrypted. It’s in your hands and under your control.”