The FBI's demand for Apple to build a custom operating system and push it on to the work iPhone of the San Bernadino terrorists has been in the news not just locally but internationally. There are some serious implications here for Medical Devices, particularly mHealth and other "connected" devices.
It is important to understand that the issue is not just the FBI vs Apple – though this has direct implications on solutions like AliveCor's Heart Monitor For IPhone product. Depending on the government's broader agenda, this might have implications for all HIPAA based software implementations.
On the surface the FBI is simply demanding that Apple provide them with a custom OS that can be "force pushed" onto the iPhone, that in turn disables the "autowipe" feature that erases the contents of the phone after 10 incorrect tries. Apple could potentially do this via the same mechanism that allows them to force an update to the OS. However this still would require that Apple build a custom version of the OS and to set up a specialized secure lab within which this update could be forced. This has both policy and technical implications.
The policy implications could be much more significant for the mHealth, Medical Device, TeleMedicine, and HealthIT industries. The FBI and other Government Agencies may be working on a broader legislative strategy – even perhaps hoping to lose in court against Apple, as it already has in NY Federal District Court. This strategy would be "lose in court" and then in this election year go to Congress and ask for an updated Communications Assistance for Law Enforcement Act (CALEA) that requires ALL US corporations engaging in data and communications encryption to provide the FBI (or some other government agency) with a set of "golden keys"/backdoors with which to unlock the encryption.
Much has been written about why "backdoors" for encryption are technically a bad idea. For the mHealth, Medical Device, Telemedicine and HealthIT industries this is doubly a bad idea. First of all, the security implications of such "backdoors" make the systems inherently more vulnerable to "bad actors" – thus adding costs to securing such systems. But there is a second and tertiary aspect of this.
mHealth solutions that monitor a patients heart, are life critical and rely on data being secured by encryption, as we discussed in an earlier blog about Authentication vs. Repudiation . mHealth app developers will suddenly not be able to rely on their platforms to provide security. Even an "authorized"/legal intrusion into the data could potentially disrupt/alter the data in ways that have adverse effects on the patient due to inadvertent modifications of the data. Thus innovators would have to implement data backup and redundancy protocols that have adverse cost, performance and complexity affects.
Similarly it is unclear what the implications are on HIPAA data privacy requirements for "Protected Health Information" (PIH) that this might have. While under HIPAA a "Covered Entity" (someone holdingPIH data) is required to cooperate with Law Enforcement, a "backdoor key" would allow government users to access this information without warrants and without evidence of intrusion. Does this create a HIPAA violation for Covered Entities? Arguably yes. And that in turn would require that additional auditing and intrusion monitoring procedures get added. This potentially hits Telemedicine the hardest.
All of this drives up costs of innovation, operation, and development and stifles the sort of innovation.
The mHealth, Medical Device, Telemedicine and HealthIT industries need to look hard at this and be prepared for the potential impacts of this fight between Apple and the FBI.
By Karl Schulmeisters, CTO