Actual Cases

A Deep Dive Into the Privacy and Security Risks for Health, Wellness and Medical Apps

The Food and Drug Administration (FDA), on February 9, issued “Mobile Medical Applications: Guidance for Food and Drug Administration Staff,” in which it solidified its decision not to actively regulate health and wellness apps—as well as a host of medical-related apps. Companies breathed a collective sigh of relief, and there have even been pronouncements, by various commentators, that the area is now “deregulated.” As it turns out, this is completely untrue and has lulled many into a false sense that no regulator is watching. Nothing could be further from the truth.

A Deep Dive Into the Privacy and Security Risks for Health, Wellness and Medical Apps

Enter the Federal Trade Commission (FTC).

The FTC has formidable technical expertise, a stable of enforcement attorneys and an avowed focus on the health and wellness segment. Unfortunately, however, device and pharmaceutical companies are accustomed to a regulatory focus on product safety—the FDA’s focus—and not on unfair and deceptive practices from the standpoint of online privacy and security (the FTC’s primary focus on health, wellness and medical-related apps).

Indeed, the blind spot for online privacy issues can be seen with the Department of Health and Human Services (HHS) itself, which has had to quickly patch privacy and security issues on sensitive apps like its own “HIV Services” app on iOS and Android. The HHS blind spot, however, is precisely the FTC’s focal point. Had the HIV Services app, and corresponding web portal, been a private app, it seems likely that it would have been a prime candidate for a 20-year consent decree.

The risk with health and wellness apps is that companies will not realize the large amount of data that their apps collect and share with third parties, such as advertising entities, analytics companies, social networks and hosted solutions. The FTC has been inclined to bring down the enforcement hammer on apps like the Android flashlight app, which shared a persistent device ID and geolocation with a third-party advertiser.

Switch over to a health-related app, and imagine that the app transmitted data allowing third parties to fairly infer that the end-user was pregnant, taking chemotherapy medication, being treated for AIDS, recovering from alcoholism or the like. Does anyone really believe the FTC will turn a blind eye to THAT? Presumably the plaintiffs’ class-action bar is watching as well.

What can be done to reduce these risks?

The best way to reduce these risks is through education, awareness and risk-mitigation strategies that address information sharing and collection at the technical level.

Health-related apps that aren’t regulated by the FDA and aren’t covered by HIPAA, which means the vast majority of such apps can present the perfect storm of privacy exposure—apps that collect highly sensitive data and that use third parties that are not sensitized to the appropriate handling of such data.

Read the full article from here