Disclaimer: This article is not legal advice. Consult your attorney for any legal questions you may have.
We are in an exciting time of rapid technological advances in medical wearable devices for diabetes. Although it is well known that health care providers have a duty to keep patient health information confidential, it may be unclear how providers can meet that obligation in an era of fast-moving technology and growing cybersecurity risk, particularly with health care wearable devices (wearables) and mobile health (mHealth). Providers can fulfill their duty to keep patient health information confidential by taking reasonable measures to prevent data breaches that could compromise patient data. By acting reasonably to prevent a breach or to prevent unauthorized access to patient data, providers can also avoid liability to the patients to whom they owe legal duties.
What is reasonable depends on the circumstances. With mHealth applications and wearables becoming more prevalent, especially in diabetes management, the privacy and security risks to patient data have been amplified.1 Acting reasonably to prevent a data breach takes a concerted effort by the provider. There is no such thing as perfect security, and even the most heavily guarded information can be compromised by a sufficiently determined and well-resourced attacker. Providers should nevertheless take reasonable measures to protect the information by conducting risk assessments and implementing the appropriate technical, administrative, and physical safeguards.
In the hospital setting, medical devices have become key points of vulnerability within health care networks and have been targeted by attackers.2 Medical devices including X-ray equipment, picture archiving and communication systems, and blood gas analyzers have been the subject of cybersecurity attacks.2 These attacks threaten overall hospital operations as well as the security of patient data.2 Patients using mHealth applications and wearables may be similarly exposed.
Technology is expanding rapidly in the health care sector, particularly in the diabetes market. Wearables such as insulin pumps, continuous glucose monitors, and blood-pressure cuffs that connect to mobile apps could let people record, track, and monitor their own vital signs without having to visit a doctor's office. The devices themselves may be subject to cybersecurity attacks.3 The need for remote monitoring of patients' blood glucose levels and HbA1c is heightened by the expected increase in patients with diabetes, coupled with a potential shortage of diabetologists. The field of mHealth is ripe for growth; however, providers must be mindful of the security risks in order to take reasonable steps to meet their duties to their patients.
The data captured by health care wearables typically flow over short-range wireless links in unlicensed spectrum to a monitoring hub in the patient's home, which passes the information over the broadband network to the cloud, where analytics continuously monitor the patient's status and notify a health care provider when anomalies are detected.4 Each hop in this path is a point where the data could be intercepted, and the hub, the network link, and the cloud service are each a point where it could be accessed without authorization. A recent study of cloud data loss incidents found that confidential data was the most common type of sensitive data involved (47.0% of incidents), followed by personally identifiable information (28.1%), payment data (13.6%), and protected health data (11.3%).5 The savvy diabetes provider will be aware of their ethical and legal duties to keep personal health information confidential, will understand how "connected" and mobile technologies bear on those duties, and will take reasonable steps to prevent data breaches.
Fast Facts on mHealth and Security