
The challenges with privacy and regulation in mobile health - and how to solve them

Posted on 26 October 2017

One of the largest problems relating to the privacy and regulation of mobile devices is the marketing of unapproved medical apps and wearables (low-risk devices) as medical devices.

The language within the sphere of mHealth is quite clear: a medical device is any device, or linked mobile app, which claims to diagnose, treat, prevent or monitor disease and injury under the supervision of a physician. Thus, medical devices need to be approved by a federal body before they are used on consumers. A wearable, health-based app or fitness tracker is known as a ‘low-risk device’; it is designed for use in the gym to measure heart rate and other biometrics (as opposed to, say, repetitions or defects) and does not need approval.

Therefore, low-risk devices claiming to monitor foetal heart rates, take blood pressure readings or perform full ECGs are every physician’s worst nightmare, particularly when used to monitor biological functions over many hours, which is firmly in medical device territory.

Even the approved AliveCor ECG medical device which connects to a smartphone app only records, stores and transfers single-channel ECG rhythms to detect the presence of atrial fibrillation and normal sinus rhythm (when prescribed or used under the care of a physician). It should be noted that a full ECG is used to investigate symptoms of a possible heart problem, such as chest pain, suddenly noticeable palpitations, dizziness and shortness of breath and can help detect arrhythmias, coronary heart disease, heart attacks and cardiomyopathy.

So here is the starting point for innovation in regards to medical devices, low-risk devices and wearables: the sturdy ECG. The grand-ancestors of mHealth are the ambulance-based ECG, the ambulatory or ‘Holter’ ECG, the handheld ECG, and the stress/exercise-based ECG. These are all approved, reliable tests designed to give detailed results over a long or short period of time, and they are all mobile-based. The only difference with these tests is that the algorithm is checked regularly for use in motion, particularly where the results are gained in high-speed ambulance-based situations.

A natural progression, therefore, would be for low-risk devices to evolve by standardising their algorithms on those used by mobile medical device vendors such as Bionet, GE Healthcare, Schiller or Midmark. The partnering of ambulatory medical device vendors with low-risk device manufacturers would act as a seal of approval, as well as improve the quality and range of device results, ultimately bringing down the price of more reliable low-risk devices (be aware that handheld ambulatory ECGs are currently priced at only between $150 and $300). Given the number of dangerous and unreliable low-risk devices claiming to monitor and detect medical conditions with no proof, widespread ambulatory partnering and algorithm standardisation should happen sooner rather than later.

The four stages of mHealth privacy

As to the privacy issues within mHealth, these can be avoided simply by spreading awareness. Privacy within mHealth can be broken down into four stages:

  1. The initial collection of data and its transfer over the cloud: who can access this data and who owns it? How do you protect yourself in the human cloud of wearable technology?
  2. All users must be able to view and access their own health data on both medical and low-risk devices; this is done via personal accounts on the user’s system. How do we make sure these accounts are secure?
  3. Linking your medical or low-risk device to other devices or apps which may be unsecured: check the security of third-party devices or services.
  4. What third-party agreements does your medical or low-risk device manufacturer have in place? Is your health data being used in a clinical trial? Should data be classed as reliable when it is being collected from unapproved low-risk devices in the first place?

All are addressable points. Firstly, read disclaimers and carefully go through your device’s privacy policy: are there third parties collecting your data? How serious is your device manufacturer about your privacy? Look at the wording of their privacy policy. Are you anonymous in the human cloud, and is your information encrypted? Encryption should be a prerequisite right up until you access your data in your personal account. With medical devices, which cloud providers is your health provider using? There is no excuse for large health-based corporations not to use well-known cloud providers such as Cisco, IBM or Microsoft.

For personal accounts linked to your medical or low-risk device, activate the two-step authentication facility if available, and always use obscure, unique usernames and passwords. Search for your device on Google together with the words hack, scam and/or fraud to find published problems. This also applies when linking your device to other services or devices which may be unsecured; be prepared not to utilise all of your device’s applications if the third-party devices or websites it needs to link to are insecure.

As to the ever-growing human cloud, this is a truly fascinating universe which needs its own article of exploration.

What makes a medical device?

This leaves the final problem, the real issue with mHealth regulation: those accounts pushing unapproved low-risk devices as medical devices. Muddying the waters of device definition and regulation, and endangering consumers, it is these accounts which do the most damage. The implication of medical-grade data, despite no regulatory oversight, is what is causing most of the confusion with regards to mHealth. If pharma marketed their drugs the way these unpoliced accounts market unapproved low-risk devices for medical applications, they would be fined heavily.

Therefore, the question is not what makes a medical device a medical device; rather, it is who makes a medical device a medical device. Only the policing of these accounts making or implying unfounded claims will start to innovate mHealth, and it will be the laying down of these clear boundaries, married with strong legal terminology, which will begin another evolution of this currently ‘device-fluid’ industry.

ABOUT THE AUTHOR: Michelle Petersen is the founder of Healthinnovations and the Health Innovator community. She has worked in the health and science industry for over 21 years which includes time within the NHS and Oxford University. An avid campaigner in the fight against child sex abuse and trafficking, Michelle is a passionate humanist striving for a better quality of life for all humans by helping to provide traction for new technologies and techniques within the health sector. You can follow her on Twitter at @shelleypetersen.

Healthinnovations, founded in 2010, reports on future innovation in medical research and can be found on multiple platforms. Healthinnovations is now an established part of the global reporting system on whitepaper validation and verification, a virtual research project highway involving the medical community worldwide.