Michael Schneider
There is no doubt that your health is the most important asset you have, outweighing all others. And its importance, driven by social demands for people to work into old age, is likely to increase in the future. Now, thanks to innovations in digital technology and the integration of this technology with medicine, more and more opportunities are available to maintain and improve health. Mobile devices (such as smartphones and wearables) and the internet are giving us the ability to diagnose ourselves; one day we may even be able to prescribe an appropriate treatment for ourselves.
We can already measure and check our vital signs in real-time using mobile devices and mobile health applications. Futurists see in this development the potential to improve the efficiency and quality of healthcare in the future.
This development has arisen because the manner in which we interact with digital devices – especially mobile devices – over the past couple of decades has been characterized by an increasing level of intimacy.
In his book How to Thrive in the Digital Age, philosopher Tom Chatfield describes this development as follows:
We are, I believe, steadily moving from merely personal computing toward what might be called intimate computing, representing a whole new level of integration between digital technologies and life. In coffee shops and living rooms, personal digital devices are handled with a solicitude and frequency that might once have been reserved for a partner or a favorite pet. For a generation of digital natives, a mobile phone is often the first thing they touch when they wake up in the morning and the last thing they touch when they go to bed at night.
His conclusion:
If we want to live with technology in the best way, we have to recognize that it is not the devices we use that are important, but rather their specific use.
So it is no wonder that these amazing, multifunctional digital devices, which have become an essential part of the lives of billions of people in just a few decades, can, thanks to their ubiquity, also be used for a wide variety of medical purposes.
But, of course, these new uses also give rise to complex questions. For example, how can sensitive health data that is recorded and transmitted via mobile devices and applications be adequately protected? How can we protect mHealth devices and applications from manipulation (hacking) and, in the worst case, prevent unsafe mobile health solutions from endangering the lives of patients?
And how do we handle the growing volume of data to prevent data protection from erosion? In addition, too much information can also be harmful or may lead to disinformation and confusion, with the result that the most important aspects of the information are lost. And the challenge posed by the difficulty of verifying the general truth of data transmitted over the internet is one also faced by health-related information.
These are the key points and issues that we face in connection with the security of digital innovation in healthcare (eHealth and mHealth).
Mobile health (mHealth) is now a clear development and sub-area of eHealth (electronic health), involving the medical support of private and public healthcare through the use of mobile digital devices and applications. These devices and applications are used in connection with prevention, diagnostics, treatment (therapy), monitoring (examinations) and generally for medical intervention and healthcare, as well as for sports, lifestyle and wellness-related functions.
mHealth essentially combines medical and technical progress in one term. The result – it is hoped – is that the methods for medical prevention, diagnosis, treatment, etc, will expand, so that new ways of patient care can be developed.
Optimists see in mHealth the potential to reach two diametrically opposing objectives of the healthcare system at the same time: (1) prompt, more efficient and high quality treatment of patients, while (2) simultaneously conserving resources.
Obviously, the prefix mobile conveys a key aspect of mHealth. But it does not refer to the mobility of patients, users or medical personnel, but rather the mobility within an application itself. That is, the quality of being mobile is the result of the interaction with a key mobile application component. This means that not every part of an mHealth process is necessarily mobile, and conversely not every mobile component with a medical context should be classed as an mHealth solution per se.
The definition of mHealth established by the World Health Organization (WHO) in 2011 and used by the European Union (EU) is as follows (source):
The term mobile health (mHealth) refers to medical procedures and private and public health services supported by mobile devices, such as mobile phones, patient monitoring devices, personal digital assistants (PDAs), and other wireless devices.
It is clear from the WHO definition that no strict distinction exists between professional mobile healthcare applications/procedures and those that are part of the lifestyle, wellness and fitness segment: quantified self-movement or observations of daily living (ODL).
So it is obvious that mHealth offers not only important medical opportunities in health promotion and modern medical care; its potential to make users and patients aware of their own responsibility for their personal health should also be used, thus increasing their health skills with the goal of general prevention, health maintenance and improvement, and increased quality of life.
The EU describes this in its Green Paper on mobile Health like this:
More empowered patients: mHealth solutions support the changing role of patients from a rather passive to a more participative role, while enhancing their responsibility for their own health.
The medical procedures offered via mobile digital devices include determining, measuring, recording and transmitting medical and physiological vital signs, environmental variables (such as air quality, GPS position, etc.) and all types of activity data via mobile digital devices, including, for example, heart rate, pulse, temperature, blood pressure, blood sugar level and brain activity. The data measurements are used in support of medical practices and patients, and enable doctors, therapists, specialists and other staff involved to provide more efficient and prompt medical care. One particular advantage of this process is that mobile medical care can be provided and used anywhere and at any time (i.e. asynchronously).
Some key features of this process can already be distinguished:
It should be clear that the use of mHealth, in particular for other than lifestyle or fitness purposes, requires a high level of security that must be recognized, discussed, communicated and agreed with all healthcare stakeholders and the general public and patients, particularly in respect to data protection.
One of the biggest risks is a focus on the fantastic opportunities and a failure to register the roadblocks and hurdles – i.e. legal, medical, technical, socio-economic, cultural and ethical – of mHealth technology as a whole. The mere fact that the use of mHealth apps leaves irreversible digital tracks poses legal, technical and ethical questions related to privacy, data protection and information security. In answering these questions, we are lagging behind the technical reality.
It is also a highly political issue and culminates in how important privacy should be for us in connection with eHealth and mHealth, and what rights we retain over our health data if we freely communicate vast amounts of information via the internet and save it in the cloud. However, it should be clear to everyone that even in the digital sphere, we as private citizens or patients are entitled to full control and authority, and the right to decide how our data is used. This principle needs to be categorically safeguarded and guaranteed.
In his pessimistic book Im Schwarm (In the Hive, 2013), philosopher Byung-Chul Han discusses the problems that such technologies might pose in relation to mHealth under the heading Total Recording of Life:
Thus, it is possible to provide an IP address for every individual object in our day-to-day life. For example, RFID (radio frequency ID) chips make objects themselves active transmitters and agents of communication that automatically send information and communicate with one another. This Internet of Things is the final stage in the evolution of the control society. The objects that surround us are now observing us. As a result, we are now being monitored by daily objects as well. They continuously send information about everything we do. They are an active component of the total recording of our lives.
mHealth app developers and manufacturers have a duty as well. According to a much-quoted article published in the Financial Times, in 2013, 50% of health apps transmitted data to global companies with a dominant market position. According to the EU’s mHealth fact sheet, there were some 100,000 mHealth apps in 2014 (sources: EU, Financial Times).
So the question is where and how to draw the line between lifestyle/fitness and real mHealth services and health apps. If the line between medical treatment and lifestyle self-optimization is blurred, users will not be able to decide when they can use an app as a medical product and when they should not. This lack of clarity also undermines the necessary trust in serious, strictly medical mHealth applications. But if users do not trust the solutions offered by an mHealth health app, it is doomed to failure.
In the lifestyle/fitness area, information security and data reliability requirements may still be flexible – the rules here can occasionally be bent. But when an app is used for medical purposes, it should be clear to everyone involved – and in particular to the developers – that much stricter requirements apply when sensitive patient data is involved. So the question is: under what conditions is an mHealth app a medical product? Because if it is, it has to be treated seriously.
Looked at from the perspective of mHealth, the term medical product, as used until now, takes on new unconsidered meanings, dimensions and connotations that are not yet sufficiently addressed in current legislation and regulations. In Switzerland, these are:
In the US, for example, the US Food and Drug Administration (FDA) has issued guidelines in the form of Mobile Medical Guidance Documents in order to provide criteria for a clear distinction between medical products and lifestyle applications. These guidelines serve as an aid in the approval process for health apps and define the minimum requirements and criteria that an mHealth app must meet for use as a medical product.
They are also intended to prevent the commonplace practice whereby developers of cheap or free mHealth apps (usually in the fitness and wellness area) earn money through the sale or analysis of data in order to generate targeted advertising. In most cases, users are unaware that their data is being shared.
The technological momentum behind mHealth is strong, and its supporters are fervent and committed. However, the pace of large-scale introductions of digital innovations in healthcare is often slow and gradual (see, for example, the introduction of electronic patient records). The main friction arises in areas where the costs and benefits of solutions and the presumed structural changes to the various healthcare areas and stakeholders are not sufficiently explained. Here, too, in addition to provision of a purely technical solution, healthcare structures and processes that are not yet integrated must be coordinated and built up. The main focus in the mHealth area is a comprehensive optimization of processes.
Obviously, effective data protection and adequate information security must form the clear foundation of mHealth applications. Data protection can be effective only if it uses technology to protect mHealth data processing procedures created through digitization to ensure that the technology remains within the legal framework. This requires not only innovations in mHealth solutions per se, but also technical innovations in information security (privacy by design, privacy by default).
The gradually increasing transfer of sensitive health data as a result of mHealth also entails the risk that in a worst-case scenario, patient rights to informational self-determination might be infringed. For this reason, the legal conditions and requirements for information security and technology through the entire data life cycle, from collection and processing through storage and deletion, must be taken into careful consideration in the development of complex eHealth and mHealth procedures. The legal principles of data protection and the right to informational self-determination must be safeguarded, regardless of how and by which mHealth solution the data is processed.
The challenges and numerous aspects of patient safety when handling such mHealth-related mobile devices and applications are barely addressed in this article. It constitutes a separate major area and its growing importance should be discussed on the basis of the safety of medical devices in general as soon as possible.
Another risk beyond data protection and information security should also be mentioned here: As a result of the increased focus of mHealth on technological innovations and their penetration of medical procedures, the risk and latent fear of the dehumanization of medicine is creeping in and growing – and at a time when many people feel overburdened. Communication between physicians and patients will surely change as a result of this trend. For example, it is possible to think of the traditional visit to the doctor partly replaced (in a remote analogy to the banking sector, where the customer goes into their branch only for special needs and otherwise takes care of their business online) with a round-the-clock exchange of information via mobile apps, SMS, text, photos, etc, with the risk that physicians could be inundated with digital communications.
The EU Green Paper on mobile Health stipulates the following:
In this respect, mHealth is not intended to replace healthcare professionals, who remain central in the provision of healthcare, but rather is seen as a supporting tool for the management and delivery of healthcare services.
And also:
mHealth has the potential to play a key role in transforming our lives for the better. Yet it is imperative to ensure that the technology is safe and secure for use by us all.
Tom Chatfield: How to Thrive in the Digital Age. 2012 Kailash Verlag – Random House Publishers – Bertelsmann ISBN 978-3-641-08841-5
Byung-Chul Han: Im Schwarm. 2013 MSB Matthes & Seitz Berlin ISBN 978-3-88221-037-8