Privacy and security regulation for mHealth doesn’t stop at FDA

Health app developers are just starting to face regulations. While the FDA has passed their guidelines, more regulations from additional governing bodies are on the horizon, according to a group of Pepper Hamilton lawyers. 



Mark Kadzielski, Sharon Klein and Dayna Nicholson of Pepper Hamilton spoke about additional regulation for mobile app developers during a recent webinar, pointing specifically to the areas of privacy and security.


Klein, the chair of the privacy, security and data protection practice, points to the risk of cybersecurity incidents.  With information being accessed through wireless and network-connected devices, hacking and data breaches can happen.  With many agencies – the FDA, the FCC, the FTC, the Office for Civil Rights and the state attorneys general – looking to implement regulations, app developers and provider organizations may have trouble complying with the different policies.


“The regulatory overlap is confusing and in some instances it’s duplicative,” Klein said as published by MobiHealthNews. “Congress has recognized this problem and passed the FDA Safety Act of 2012, which has mandated that HHS produce a report with a strategy and a recommendation, dealing with mobile health apps, which would balance innovation, patient safety, and avoid regulatory duplication. What we do know is there will be great enforcement in 2014 and the years to come in the mobile health area.”


Mobile developers are going to have to keep multiple regulations in mind, coming from different perspectives: one set of guidelines will look at patient safety while the other looks at data privacy.  To avoid being fined, developers will have to keep the regulations from multiple agencies straight. 


The National Institute of Standards and Technology (NIST) has also released guidelines it hopes will be adopted by regulatory agencies. These guidelines provide insight on the areas of privacy, encryption and data disposal. 


To help developers keep all of these guidelines in mind, Nicholson and Klein provided some great tips: implement standard operating procedures in case of an emergency and implement safety protocols. 


Have you created an mHealth app? What safeguards do you have in place?


Nine tips to building a safe and usable mHealth app

Security is one of the biggest concerns in the mHealth world due to the sensitivity of the information these apps hold.  Developers are facing ever-changing regulations from HIPAA and now from the FDA.  To help developers create an app that complies with the mHealth world, Government Health IT has provided nine tips for success.


  1. Don’t trust the user:  Did you know that half of users hate PINs and passwords, 33 percent don’t consider the risks and 55 percent use the same passwords across the board? While there are a ton of combinations available, patterns are very common among consumers. 
  2. Research to remain current:  There are lots of resources available.  The article directs developers to viaForensics and Jonathan Zdziarski as sources of great information.  Additionally, ensure mHealth apps are developed in the most up-to-date environment possible. 
  3. Use jailbreak detection: By detecting jailbroken devices in-house, you can make it harder for a hacker to crack your app and place it on a third-party store for download.  Prevent these reverse-engineering attempts. 
  4. Know what’s out there: There are tools out there that can be leveraged to reduce risk.  The iMAS library is one of those resources; it provides security tools that iOS developers can build upon.  Fiddler and iGoat are other available options. 
  5. Enable strong passwords and authentication:  To keep passwords safe, force users to reset them if they are forgotten rather than including a retrieval process.  Do not limit the length or the variety of characters for use. HTTPS is a safe way to develop login pages.
  6. Institute data encryption and transfer protocols: It is recommended that developers avoid storing data on the AES 256 encryption.  They should look to use SQLCipher and transfer information with HTTPS and SSL.  Nessus and NIST are other great resources. 
  7. Implement a bug bounty program and open disclosure policies: Developing a secure program doesn’t stop at development; it must be continued through the life of the app.  The Silicon Valley community has developed a white-hat community which has created security bounty programs focusing on certain aspects of security. 
  8. Be responsible: Appoint someone to be responsible for security, privacy and compliance throughout the development process. This person will be the one who identifies any weaknesses. 
  9. Serve as an example: mHealth apps are still a relatively untapped market in certain areas. Be an example to those around you by making security a number one priority.  Evaluate permissions and ensure your apps are only available in official app stores. Implement innovative security questions whose answers wouldn’t be available on a social media site. Develop best practices.
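Tip 5 (reset instead of retrieval, no limit on password length or character set) is easy to get wrong in practice, so here is an added example of how a backend can satisfy it; this is illustrative code written for this post, not from the Government Health IT article. It assumes a self-describing hash record format, PBKDF2-HMAC-SHA256 from the Python standard library, and an iteration count chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Example parameters (chosen for this illustration, not prescribed by the article).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12  # a floor, never a ceiling


def password_acceptable(password: str) -> bool:
    """Enforce a minimum length only. No maximum and no character blacklist,
    so passphrases and non-ASCII characters are all accepted."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a one-way hash, never the password itself, so there is nothing to
    'retrieve' later. The record carries its own parameters for future upgrades."""
    if not password_acceptable(password):
        raise ValueError("password shorter than the minimum length")
    salt = os.urandom(SALT_BYTES)
    # UTF-8 keeps the full input; PBKDF2 does not truncate long passwords.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> str:
    """Forgotten password path: a single-use, unguessable token delivered out of
    band. The app never 'recovers' the old password because it cannot."""
    return secrets.token_urlsafe(32)
```

Each call to `hash_password` produces a different record for the same password because of the fresh salt; that is expected, and `verify_password` still accepts it.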


Digital health investments topped $1.97 billion in 2013

A new report from Rock Health found that digital health funding topped $1.97 billion in 2013, up 39 percent from the previous year.  Focusing on companies that raised more than $2 million, Rock Health found that funding for digital health will surpass medical device funding and has already passed traditional healthcare. 



Crowdfunding for digital health also took off in 2013, raising $9.2 million across 120 campaigns. The majority of this money was raised through Indiegogo. 


Rock Health identified six funding themes in its report: “electronic health records surrounding clinical workflow; data aggregation and analysis surrounding health use cases; digital medical devices used in clinical settings that focus on disease; consumer-oriented wearables and biosensing products; population health management; and healthcare consumer engagement, such as purchasing health insurance.”


Three hundred and two investment firms and 27 venture firms contributed to funding in 2013.  The majority of investments were in the state of California, followed by the Northeast portion of the United States. 


It doesn’t come as a surprise that investors are interested in the digital health realm.  The marketplace is moving forward as regulations fall into place. What advances to mHealth do you believe will come from this invested money?


BlackBerry reportedly looks to Android for app help

When you think of BlackBerry, chances are apps are not something that comes to your mind, but the smartphone maker is trying to remedy that.



CNET is reporting that BlackBerry’s 10.2.1 update to its operating system will enable the use of native Android apps.  According to the report, company officials have already begun approaching Android developers to upload their apps to BlackBerry World.


Do you still own a BlackBerry? Would you download more apps from BlackBerry World if you knew they were widely downloaded on the Android platform? Tweet us: @FountainheadMob


Beware of counterfeit apps

If you got a tablet or smartphone as a gift this holiday season, be on the lookout for counterfeit apps in the marketplace. 


According to a new report from software firm Arxan, cybercriminals are using third-party sites to develop counterfeit versions of the most popular apps in the Apple and Google stores. 


Arxan evaluated 230 apps, including the top 100 paid and top 15 free apps in each marketplace, finding that all of the top paid apps on Android, and 56 percent on Apple’s platform, were replicated on third-party markets.  Of the free apps evaluated, 73 percent of Android apps and 53 percent running on iOS existed in a counterfeit form.  Popular financial apps have also been recreated. 



Fake apps endanger the consumers using them.  Data breaches and IP theft aren’t the only concerns; tampering has become a top concern.  Through tampering, malware can be installed on your device, which can bypass all of your security protection. 


While there is danger, the chances of actually downloading a counterfeit app are small, especially in the United States, where third-party stores have a small presence. iOS has safeguards which make it hard to download from an outside store unless the device is jailbroken.  Apple monitors its app store and ejects any fake apps.  Google, however, has faced issues combating knock-off apps.  


Despite these security measures, Arxan reported that counterfeit apps have been downloaded more than 500 thousand times, probably onto smartphones.  The organization is looking to developers to increase code protection to prevent the creation of pirated apps. 


Have you encountered a pirated app? Does your organization have security in place to prevent piracy?