Stepping up security efforts in mobile health and medical devices

Until recently, security issues in the mobile health space have remained fairly narrow in scope. Primary considerations have focused on potentially defective software and firmware, battery life or interference caused by electromagnetic signals. However, mobile health is evolving from a niche market to a more mainstream one, alongside the snowballing adoption of smart devices. This growth has popularized mobile health apps and boosted the development of consumer-oriented health sensors and peripherals for smart devices. Governments have started paying more attention to the security context of mobile health, both from a network and software perspective.

The US Government Accountability Office (GAO) just released a report on medical devices, encouraging the Federal Drug Administration (FDA) to expand information security considerations for certain types of medical devices. The report acknowledges the FDA’s past efforts in addressing risks from unintentional threats, but now stresses that the FDA must start to seriously consider intentional threats as well. The report highlights three key intentional threats to active implantable medical devices (such as pacemakers and insulin pumps): unauthorized access, malware and denial-of-service attacks. The report emphasizes that as technology evolves and devices become more complex, the risk potential is likely to increase. The GAO concludes by setting down some basic starting recommendations for the FDA, including actively investigating information security problems. The full report is available here.

On the other side of the Atlantic, the European Commission Director General for Communications Networks, Content and Technology recently endorsed a European Directory of Health Apps. Produced in cooperation with the European Health Forum, the directory is the result of an extensive consumer and patient group survey of 200+ mobile health applications across 62 specialties and in 32 different European languages. Although not strictly focused on security aspects, the Directory certainly goes a long way in providing a resource for tested and authenticated apps. Sifting through the innumerable health apps on app stores and validating their reliability is not always straightforward for the individual end user. The Directory can provide a trustworthy source of information on a number of health-related apps, paving the way to further efforts on authentication and validation in the mobile health space. The Directory can be accessed here.

These two separate efforts clearly show that mobile health is a maturing space, and therefore one that is likely to attract malfeasors. Considerations in terms of device/network security and app authentication are critical in the context of health, and there’s no doubt that there is significant potential for targeted security solutions in this area.