Recently FTC chairwoman Edith Ramirez 'warn[ed] how IoT device data can secretly be used against you', and stated that this conversation has been a "topic for the last few years at security conferences". Though conference conversations have recently brought the severe hacking consequences of smart technology into a more public setting, there are many, including myself, who have been working on these topics for decades.
The FTC chairwoman's warning could be seen in the light of George Orwell's classic 1984; both lay out a time where surveillance and public manipulation are conducted by society's most powerful. And both are presented with a warning message that is driven from a place of fear.
But mHealth apps are supposed to engage and empower patients, and help close the "Health Learning loop" between advancements in science, clinical practice and patients' action. Therefore I think we need to take privacy and security beyond the FTC recommendations, to empower users and patients and accelerate advancements in science.
Yes, data needs to be encrypted, the default settings need to include password resetting, product testing is necessary, and organizations hosting the data need Risk Management Processes, yet those actions alone are insufficient to build a safe ecosystem or to empower users.
The challenge with Health Information Technology (HIT) specifically has been the focus on levels that do not address the root of the problems, which exist on numerous levels, including networking, infrastructure, messaging, data, and user interface.
HIT efforts to date, including the ONC Draft Roadmap, continue to focus on just encryption (aka messaging), the desire for "closed loops" such as the ATM networks with a coordinated top-down Governance, data from a clinical semantic interoperability with access via authenticated APIs, and user interface (the defaults). Though focus on these areas is needed, without a systematic and holistic approach, including the health economics that comes from the intersection of the clinical and administrative, these efforts will fall short. Not only will they fail to secure the health information, but they will also fail to bend the desperately needed cost curve.
Ramirez is correct to question "sensitive consumer data at risk on the off chance a company might someday discover a valuable use for the information". Yet the answer is in the combination of the parts, rather than in using fear as the factor to prevent the advancement of science. Though collecting data from the public to monitor and then deduce the future is a risk, if the risk management is approached holistically, it can advance and protect.
Networking: To assume that ATM networks and the Internet will stay fixed at "how it works today", with packet transmission, is short-sighted and misses the chance to leverage algorithmic network coding for a more secure Internet. For example, Code On Technologies, which is a more distributed platform for sending and storing data through the Internet, is the more secure Internet of the future.
Infrastructure: Historically health data has resided in infrastructures which required physical security for the paper files. The Internet expands this to include the origin of the data, the transport of the data and the storage of the data. What encryption and HIPAA fail to address is patients' and users' understanding of where the data is, who has access to it, and for what sort of uses. Creating a "closed loop" ecosystem that is encryption-based will not fix the problem and will continue to keep users and patients in the dark. Just as laboratory results require a trail to document all of the locations from the original order to the resulting lab address, so too users and patients will only be able to make educated opt-in and opt-out decisions when the location of their data storage is made transparent, as with USPS tracking or Visual Trace Route tools. It is the transparency and the tracking that will enable higher security and empower users to decide what to make private.
Data: Beyond semantic interoperability and authentication, there are tools on the market that can enable organizations and users to manage their data security better than the solution of a "closed loop" paradigm. Tagging data with digital watermarks can have benefits for both security and quality. Once data enters an integrated system, it becomes impossible to tease out from the other data sources. An integrated system assumes and relies on the data sources to be of quality. Tagging data can accelerate data clean-up when a poor-quality data source is identified. Data tagging tools and services such as Verite Group can also be used to flag when important data is being accessed and when someone is attempting to remove it from an infrastructure. These are already used by organizations to enable security without building ATM network-like infrastructure, and have the potential to expand into inbound data from mHealth into EHRs.
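As an added illustration (not code from this article or from any vendor named in it), the sketch below shows how a source tag that survives integration lets a poor-quality feed be pulled back out and lets exports of sensitive records be flagged. It substitutes a keyed HMAC tag for a true digital watermark; the key, feed names and record fields are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real deployment would keep it in a KMS or HSM.
TAG_KEY = b"constructed-demo-key"

def tag_record(source, sensitive, payload):
    """Attach a source tag and an HMAC binding the tag to the payload."""
    body = {"source": source, "sensitive": sensitive, "payload": payload}
    msg = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(TAG_KEY, msg, hashlib.sha256).hexdigest()
    return body

def tag_is_valid(record):
    """Recompute the HMAC; a relabelled or edited record fails this check."""
    body = {k: record[k] for k in ("source", "sensitive", "payload")}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(TAG_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))

def quarantine_source(store, bad_source):
    """Split the integrated store into kept and quarantined records.
    Records whose tag fails verification are quarantined too, since
    their origin can no longer be trusted."""
    kept, quarantined = [], []
    for rec in store:
        if rec["source"] == bad_source or not tag_is_valid(rec):
            quarantined.append(rec)
        else:
            kept.append(rec)
    return kept, quarantined

def flag_export(records, requester, approved):
    """Return alerts for sensitive tagged records leaving the infrastructure
    at the request of someone who is not on the approved list."""
    return [
        {"requester": requester, "source": r["source"]}
        for r in records
        if r["sensitive"] and requester not in approved
    ]

def build_demo_store():
    """Constructed sample: three feeds merged into one integrated store."""
    return [
        tag_record("ehr-lab-feed", True, {"patient": "p-001", "hba1c": 6.9}),
        tag_record("mhealth-app-a", False, {"patient": "p-001", "steps": 8123}),
        tag_record("mhealth-app-b", True, {"patient": "p-001", "glucose": 412}),
    ]
```

Because the tag is keyed, a record relabelled to look as if it came from a trusted feed fails verification and is quarantined along with the bad source.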
Innovators have created some of these tools already today. These are only a select few of those available, and they increase security, allowing for the benefits of a more 'open network' while raising the bar of privacy and security. If we raise attention to the solutions, rather than just raise fear and attempt to constrain with old-fashioned thinking of ATM networks and the 'closed loop' of the privileged, then we can learn from George Orwell that what it takes to empower is not to create a top-down Governance.
Besides, the data is already out there, and the fears are too late and too restrictive - when the horse is out of the barn, it is too late to advocate for the doors to be closed.
-- Vizma Carver, Founder and CEO, Carver Global Health Group