Clinical software on personal mobile devices needs regulation

Dr Juanita Fernando
A health academic has urged the Australian government to allow physicians to take advantage of medical applications on smart phones and tablets by closing gaps in laws governing their use.
Writing in the Medical Journal of Australia, Dr Juanita Fernando of Monash University’s Mobile Health Research Group, argued the lack of legal certainty around the use of clinical software on personal mobile devices (PMDs) exposed health professionals to risk.
by Juanita Fernando
Emerging evidence shows breaches of private m-health information occur across a range of clinical professions. For example, the BBC-News of the World phone hacking scandal in 2006-07 saw a myriad of health information across the globe compromised; in at least one case, the UK High Court awarded an affected litigant £600,000. M-health breaches are not limited to hacking though. Other threats, often inadvertent, manifest as medical photography or film files stored on a personal mobile device (PMD), images and text posted on social media web sites or loss of a mobile device storing patient data. The impact of these events sometimes creates scandals that trigger community doubt about m-health, damaging an ostensibly useful e-health practice tool. Clinicians and their patients must be able to protect themselves against snooping, whether deliberate or inadvertent.
A recent WHO (World Health Organisation) survey showed that m-health applications can assist clinicians in a variety of ways, including the facilitation of access to health support services even when the patient is located in geographically distant or remote areas with a lack of infrastructure. Other plausible benefits of m-health include SMS alerts and monitoring systems, recruitment for clinical trials and other research, store and forward patient care data and mobile access to evidence-based practice tools. M-health is an important adjunct to patient diagnosis and management processes.
M-health tools are not simply pervasive across contemporary clinical care; many graduating clinicians also plan to use them for practice. Yet many researchers and clinicians claim the tools are not subject to scrutiny or assessment in the same way as other areas of health practice. Rigorous evaluation of mobile applications for diagnosis or access to evidence-based practice remains scarce as very few high quality studies are published in this domain and a legislative vacuum seems to exist in Australia. However, the TGA (Therapeutic Goods Administration) is reported to have claimed medical device software for therapeutic purposes is already regulated in Australia, and smartphone applications fall within this framework. While I am unable to locate any publicly available evidence in support of the claim, clearly there is consensus about the need for regulatory support of therapeutic m-health applications.
Despite the TGA claim, personal accounts from clinicians indicate that local information system managers do not permit mobile devices, especially PMDs, to be connected to a hospital network, which is at least partly due to their inability to control the m-health devices, fostering potential exposure to medico-legal claims of privacy breach. Medical indemnity insurers and AusCERT (Australian Computer Emergency Response Team) have also warned clinicians about participation in m-health systems for similar reasons. The AMA (Australian Medical Association), as with other professional organisations, has published a guide to support clinical confidence about professional behaviours in m-health. Professional medico-legal and advisory services frequently direct concerned physicians to RACGP (Royal Australian College of General Practitioners) and other guidelines on privacy and security standards. Belief that m-health initiatives are just technology projects demonstrates a limited conceptual understanding of the matter.
Many mobile devices already offer basic and easily used password software applications to protect the privacy of stored information. Basic password protection on mobile devices is a security related issue underpinning privacy. Mobile device passwords are vital because over time, the devices tend to accrue sensitive information through access to wireless services and organisational intranets. They can be mislaid, lost or stolen, thereby exposing data to unauthorised people. Yet basic password protections are often unused by clinicians, so information stored on a mobile device is available to anyone who possesses it. The lack of clinicians with a conceptual understanding of m-health security and privacy tools exacerbates medico-legal threats, risking further scandals and limitations to the potential benefits m-health tools offer for patient care.
Regulation and guidelines about privacy-enhanced use of PMDs and other mobile devices in the health workplace can usefully mirror those applied to the business sector. A recent submission by the Medical Technology Association of Australia recommends the regulation of medical applications on PMDs and other mobile devices that are intended by the developer to cure, treat, monitor or diagnose a medical condition. Both the business and health sectors can come together to address medico-legal and privacy concerns that currently limit physician and patient confidence in mobile devices globally.
Preliminary analysis of the evidence suggests that clinicians generally overlook or are unaware of support resources provided by professional associations and other organisations. For instance, a medical application evaluation site on the Internet offers peer review of many applications for clinicians. Emerging peer-reviewed publications also offer practical support for clinicians. Other work is taking place to enable configurations that disassociate personal data from work data. However, this mosaic of resources is scattered and not easily located by time-poor clinicians. A unified list of these resources, supported by hypertext links, could be a useful way to begin protecting clinicians and their patients from the consequences of m-health privacy breach.
Evidence shows breaches of private m-health information regularly occur across a range of devices. The pace of snooping scandals reported in the mass media and through health regulatory boards has increased as m-health tools become entrenched in everyday practice. Various health privacy scandals trigger considerable doubt about the ability of clinicians to self-regulate the use of m-health tools in a way that protects themselves or the public. The impact of these scandals is likely to dampen community confidence in the application of digitised clinical records and so hamper enrolments in the local PCEHR for patient care. Mobile device information systems, standards and regulatory processes, supported by full legislative backing, are urgently required to ensure snoops cannot threaten the application of these devices in support of patient care.
Dr Juanita Fernando is the Academic Convener with the Faculty of Medicine, Nursing and Health Sciences at Monash University.