
mHealth App-makers Must Develop Privacy, Security Standards

Posted on November 30, 2015 | Written By

The following is a guest blog post by Jon Michaeli, Executive Vice President of Medisafe

In recent times, consumers have developed a rapidly-growing interest in mobile health apps. In fact, more than half of the 1,600 mobile phone users surveyed recently by a New York University research team had downloaded at least one such app. And signs suggest that user uptake of mHealth apps could grow dramatically over the next few years.

But consumers’ adoption of mobile health apps is being held back by concerns that their health data isn’t safe.  Nearly half of consumers surveyed told Healthline that they’re afraid hackers may try to steal their personal health data from a wearable, and one-quarter of respondents said that they don’t believe app or health tracking data is secure.

We believe that it’s time for mHealth app developers and vendors to take a stand on mobile health data privacy and security. Consumers have the right to exchange private health data securely, and to be sure that data is never stolen or shared with unauthorized parties.

But until we develop industry-wide standards for protecting mobile health data, it’s unlikely that we’ll be able to do so. To make that happen, we welcome the creation of a broad industry coalition to create these standards.

Security fears justified

Concerns over the security and privacy of mHealth data are well-founded. Less than one-third of the 600 most commonly-used mHealth apps have privacy policies in place, according to recent research published in the Journal of the American Medical Informatics Association. Another study, by HIMSS, suggests that health IT leaders are just beginning to scope out their mobile health security strategies.

Worse, some practices engaged in by app developers pose a clear risk to users’ health data. For example, some health apps use a Social Security number as a “secure” method of validating user identity. Unfortunately, Social Security numbers are often stolen during hacking exploits, and they’re fairly easy to buy online. Thieves have a powerful incentive to steal SSNs, as health data now sells for 10 times the price of credit card numbers.

Once SSNs are obtained by the wrong party, the results can be catastrophic. If I obtain a user’s SSN and download their claims data, I might find out that they, for example, take meds used to treat psychiatric conditions or HIV. Malicious parties could conceivably use this information to blackmail someone, expose them at work or in the community, outflank them during a divorce or worse. There’s a reason that SSNs sell for 10 times the price of a stolen credit card number on the black market.

Not only that, even among those who post privacy policies, few app developers make it clear how they address privacy issues. Developers often fill their policy write-ups with jargon and deceptive language. And few consumers are informed enough to demand plain, straightforward disclosures in areas that may affect them. For example, they may not be aware that their privacy could be compromised if the app pulls data from outside sources without requiring an additional login and password.

Those opaque privacy policies may also conceal questionable data-sharing practices, such as the sale of personal data. If individually-identifiable data gets shared with the insurance industry, insurers might use this data to reject applications for coverage. Pharmaceutical companies could leverage this data to market meds to such consumers. Employers could even buy such data to screen out sick applicants. The possibilities for harm are great.

Time for mHealth security standards

Fortunately, mHealth vendors that want to boost security and privacy protections don’t have to start from scratch. Practices and standards already in place in healthcare IT departments provide a good foundation for mHealth app developers. Certainly, consumers need to play a role in protecting their own health information, by taking a responsible and smart approach to app use, but we have obligations too.

First, we should assume that any mHealth app must meet HIPAA standards for protecting patient health information (PHI). Requirements include making sure users are who they claim to be (authentication), seeing that PHI isn’t altered prior to reaching its destination, and assuring that data is encrypted at rest, in transit and when stored on independently-managed servers.

Also, if PHI is being exchanged, mHealth developers must be sure that any third-party apps integrated into our health app also meet HIPAA requirements. And we need to verify that compliance. If connected third parties are compromised, the app isn’t secure either.

But above all, our industry needs to establish privacy and security standards that meet the unique needs of the mobile health environment, standards which evolve as mHealth changes. I believe it’s high time that mobile health industry leaders collaborate and create these standards. Otherwise, we may fail in our ethical obligations and do lasting damage to consumer trust. We invite other mHealth app vendors and their partners to join us in collaborating to protect consumers.

Jon Michaeli is Executive Vice President of Medisafe, a cloud-synched platform which helps consumers manage their medications.

How Complicated Is It to Simplify Medication Adherence?

Posted on November 17, 2015 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Of all the things that irrationally inflate health costs, one of the top concerns is people who just don’t take their prescribed medications. Medication adherence doesn’t sound like a high-tech issue, but a lot of interesting technology is being thrown at the problem.

One pharmacist (obviously harboring an interest in increasing orders) estimated that we’d save 290 billion dollars a year if everybody took the medications prescribed for them. But don’t dismiss their claim as self-serving–the Centers for Disease Control suggests they may be right. It also says that half of all medications are discontinued too early. As the “fee for value” movement starts extending to the performance of medications, concerns that patients actually follow through on prescriptions will increase.

At the recent Connected Health Conference I talked to several companies taking on the difficult adherence problem from different angles. Medisafe aids patients in self-monitoring, Insightfil creates convenient packaging that groups pills the way patients take them, and Dose doles out medication at prescribed times.

Medisafe is one of a wave of firms that address medication adherence, representing an advance over jotting down daily practices in a paper journal. These services share a good deal in common with other solutions in the marketplace that carry out patient monitoring, care planning, and the patient-centered medical home. In all these areas, services boast of tracking behavior, providing feedback to both patients and clinicians, promoting communication, and similar aspects of the connected health vision.

Medisafe handles patients’ nonadherence in multiple ways, including importing the patient’s medication list, along with vital signs such as blood pressure. Visualizations help both the patient and the doctor see the relationship between taking medication and the relevant vital signs. Patients can manage their doctor office visits or when they have been assigned a change in medication, and monitor the effects of such events on adherence through Medisafe. Finally, doctors will be able to compare data on patients within their practices, grouping them by condition, by medication taken, by demographics, or by behavior traits.

Other medication solutions try to reduce the burden of compliance that falls on the patient–or to look at it in another way, reduce the patient’s discretion. At something of an extreme, Proteus inserts a tiny radio device into each pill and makes the patient wear a patch that can detect the presence of the pill in the body. People have suggested one or two use cases for this intrusive system (for instance, during a drug trial, to guarantee accuracy) but in general, treating patients like criminals doesn’t encourage healthy behavior.

A lot of people, especially the elderly and those with the most severe medical conditions, need so many pills and capsules that it’s hard to remember which ones to take, and when. I’ve seen relatives loading little pillboxes every Sunday morning with the pills for the upcoming week.

Insightfil hopes to take all the manual labor, and consequent chances for error, out of this process. It ships each person a customized blister pack with a week’s worth of medications, offering up to four compartments per day to cover different times. This may seem like a simple problem, but it’s actually a major logistical feat.

First, according to founder and CEO Ted Acworth, his company had to develop a robot that could recognize different pills and accurately load them into the blister packs. Then they had to find a pharmacy with nationwide reach and room in its warehouse for the robot.

Dose solves the problem a different way, through a dispenser into which a patient or caregiver can pour bottles of pills. The dispenser, which has been configured to know the patient’s medication regimen, can automatically separate the pills and release them at the right time.

Once the pills are in the box, control can be removed from the patient. This can be important for doling out opiates or other drugs that can be dangerous or that patients have a tendency to abuse.

Dose’s dispenser is a very smart machine, supporting some of the other goals of connected health I mentioned. Clinicians, caregivers, and patients can get alerts about doses taken or missed. The device has bi-directional programming capabilities with a web portal and mobile app, and clinicians can change regimens over the Internet. Biometric devices can be attached to let users map medication adherence to vital signs, or to report a user’s exercise and eating habits. The device’s forward-facing camera can be used for scanning the barcode of a pill bottle, as well as for video consultations with a clinician. Along with these features, the device is integrated with an FDA Drug Database, and therefore an accurate drug list, along with information about potential drug interactions, is readily available.

On many levels, then, advanced technology can help patients with the apparently simple problem of opening a bottle at the right time and popping a pill in their mouths. This article has been a limited look at the problem–I haven’t dealt with over-prescription or side effects, but just the question of how to get patients to take the drugs that are understood to improve their health. We’ll see over time which of these solutions–perhaps all of them at different times–can help the hundreds of millions who regularly take prescription drugs.