Opening the Discussion of Data Privacy in mHealth
During New America’s Mobile Disconnect talk on February 9th, Katrin Verclas, Co-Founder and Editor of MobileActive.org, brought up an interesting question about data privacy in mhealth – what is being done to protect patient data in mhealth projects in developing countries?
“If you are gathering sensitive health data over completely clear text and insecure SMS, somebody’s HIV status, sensitive information protected by HIPAA standards in this country, completely unregulated by development organizations, they don’t self-regulate. Countries certainly don’t have any privacy or data protection stipulations…If we are talking about mobile telephony and mobile phones in development, we need to talk about how we protect the data that we are gathering, the information that we are distributing…”
Data privacy is an important, yet undiscussed topic. As Katrin mentioned, an individual’s health information is extremely personal, especially because it can be used against the person to make them a social outcast. But there is little discussion of how patient information is being protected, especially of the structure and framework of data protection on a large scale. As mentioned in the white paper “Barriers and Gaps Affecting mHealth in Low and Middle Income Countries” by the Earth Institute at Columbia University, many mhealth studies expressed the need for data protection and some measures were taken. But further security steps need to be taken as projects scale into national programs.
First, security is a tough question to answer in any setting. In the U.S., there are strict laws that require health information to be protected (HIPAA). Corporations holding patient health information must internally regulate how this information is stored and transmitted in order to avoid penalties (both monetary and brand loss) if data is lost or there is a security breach. Along with setting user policies to further protect this sensitive data, corporations also leverage security software to protect against internal and external data loss. This includes protection against network attacks or unprotected lost/stolen devices. In these cases, the companies not only spend money on security measures but also employ a team solely focused on security. Chief Information Security Officer is fast becoming an important and necessary role within large enterprises.
But the reason for all these security measures is the value individuals and families put on the privacy of their health information. Just as people protect information about their finances, they want to keep their personal and family health information private. Given the stigma of specific diseases and the uncertainty about the future while testing, diagnosis, and treatment are under way, individuals and families want to have the power to inform others when they are ready. Do individuals and families in other countries place the same value on their health information? My guess is very much so.
But, as Katrin mentioned, many of the countries using mobile phones for data transmission do not have strict data privacy laws to regulate how patient data is protected. This leads to a lack of incentive for development organizations to create their own data protection policies, which include user policies and technology solutions to protect the storage and transmission of patient information. The GSMA recently began a movement to support data privacy on mobile devices. This includes providing principles, guidelines and resources in order to tackle the new challenges of data protection on global mobile networks. The International Telecommunication Union (ITU) and infoDev have created the ICT Regulation Toolkit to provide insight and best practices for policy-makers, government regulators and the telecommunication sector to implement telecom policies. It has a section directly focused on Data Protection and Privacy Laws. While these are steps forward, they are more generally focused on the overall telecom industry. There needs to be a greater focus on the mhealth sector as it continues to grow.
Some organizations have included data privacy in mhealth projects. eMOCHA, developed by the Johns Hopkins Center for Clinical Global Health Education, is a program for Android smartphones that stores and transmits data. The program includes security on both the endpoint device (the smartphone) and the servers. The servers that store the data are encrypted to protect against internal leaks. The smartphones also use encryption to send messages, and they are password protected in order to prevent data access if a phone is lost or stolen. Dimagi has also used technology to protect against both internal and external leaks. This includes individual logon passwords and full data encryption on handsets, as well as full server database encryption and auditing of who has logged into the database. It would be great to hear from other mhealth developers to see what they are doing to protect data. Just as the mhealth community openly discusses best practices for implementing and scaling programs, it would be beneficial to the sector to share advice on data privacy.
MobileActive has been focusing on data security lately with the release of their SaferMobile website. It has helped to open the discussion and provides knowledge and advice to activists, human rights defenders and journalists to better protect their mobile privacy in their jobs. Those in the mhealth community should piggyback on their work. The discussion of data protection has been brought up before, but it is time to have it at the forefront of the minds of developers and implementers working on mhealth projects in developing countries. The goal is to understand all issues of data privacy (from the regulatory, technological and social aspects) and how we can make sure to always be aware of the patient’s right to privacy. It will be an interesting area to continue to follow, and I hope this at least opens the door to a more in-depth discussion on the topic.