I’m at the 2013 mHealth Summit and made a few observations about this growing industry and its security. First, some highlights from the conference: in the U.S., 5% of the population is chronically ill, 15% are ill, and the remaining 80% are in reasonably good health. There were plenty of exhibitors and sessions around mobile health for fitness; Consumer Electronics Association researcher Mark Tillman shared study results projecting a healthy 32% growth for fitness wearable devices. Those who are already doing the right thing by exercising are forming emotional connections with their devices and enhancing their activity, getting addicted to the immediate, trackable results against personal goals. Intel’s Dr. Eric Dishman was concerned that the focus on mHealth was becoming too device- and app-centric and that we are still far away from making a difference; he called for skill shifting that allows for care networking, care anywhere, and care customization through personalized medicine.
When I asked many of the exhibitors “How do you provide security?”, there was an immediate and short reply: “don’t worry, we’re HIPAA compliant” or, worse, “user password and PIN”. Many of these vendors aggregate local data into back-end cloud systems and/or integrate with complex healthcare ecosystems. Obviously I am not satisfied with these answers; they aren’t even reassuring. I would have liked a more thought-out and friendlier approach, along the lines of “we understand that the privacy and security of our customers and their data is a priority, and we continually work not only to be compliant but to actively evolve our security protections as needed to ensure customer and regulatory satisfaction”.
Connected care will change the future of healthcare. In Intel’s Healthcare Innovation Barometer study, more than half of the respondents believe the traditional hospital will become obsolete in the future. Shortly, the difference between Health IT and mHealth will be negligible, as it becomes commonplace to share health metrics from the variety of medical devices and services coming to market, augmenting the data for doctors to analyze and providing better clinical outcomes and quality care for patients. We are still far away from making a difference and need to continue to look at the context in which these technologies are being used, and then provide the appropriate security and privacy controls.
Connected care will require trust and security by design to be successful. Until then, here are some basic tips for your health and security wellness.
Consumers: Using the same password across all types of accounts is already a problem, as the reports of account compromises show. When you do get that fitness wearable, or engage with healthcare providers through digital means like portals, applications or devices, make sure you use a unique password for each one. McAfee’s LiveSafe lets you do this very easily and enables quick login without consulting your hand-written little book of passwords.
mHealth vendors: Please know that HIPAA compliance was created at a time when the security risks, threats and vulnerability landscape were very different, and today it does not guarantee security. Let’s learn from the US Government Accountability Office report on medical devices. Consider how intentional threats could compromise the system or service. Maintain an ongoing process of continually identifying risks and implementing effective controls to mitigate them for the lifespan of the device or service. Designing security into the device is necessary, but if data is cloud-aggregated, it too needs the same level of protection.