
AMA’s Digital Health ‘Snake Oil’ Claim Creates Needless Conflict

Posted on June 22, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Earlier this month, the head of the American Medical Association issued a challenge which should resonate for years to come. At this year’s annual meeting, Dr. James Madara argued that many direct-to-consumer digital health products, apps and even EMRs were “the digital snake oil of the early 21st century,” and that doctors will need to serve as gatekeepers to the industry.

His comments, which have been controversial, weren’t quite as immoderate as some critics have suggested. He argued that some digital health tools were “potentially magnificent,” and called on doctors to separate useful products from “so-called advancements that don’t have an appropriate evidence base, or that just don’t work that well – or that actually impede care, confuse patients, and waste our time.”

It certainly makes sense to sort the digital wheat from the chaff. After all, as of late last year there were more than 165,000 mobile health apps on the market, more than double that available in 2013, according to a study by IMS Institute for Healthcare Informatics. And despite the increasing proliferation of wearable health trackers, there is little research available to suggest that they offer concrete health benefits or promote sustainable behavior change.

That being said, the term “snake oil” has a loaded historical meaning, and we should hold Dr. Madara accountable for using it. According to Wikipedia, “snake oil” is an expression associated with products of questionable or unverifiable quality or benefit – which may or may not be a fair description. But let’s take things a bit further. The same entry defines a snake oil salesman as “someone who knowingly sells fraudulent goods or who is themselves a fraud, quack or charlatan.” And that’s a pretty harsh way to describe digital health entrepreneurs.

Ultimately, though, the issue isn’t whether Dr. Madara hurt someone’s feelings. What troubles me about his comments is they create conflict where none needs to exist.

Back in the 1850s, when what can charitably be called “entrepreneurs” were selling useless or toxic elixirs, many were doubtless aware that the products they sold had no benefit or might even harm consumers. And if what I’ve read about that era is true, I doubt they cared.

But today’s digital health entrepreneurs, in contrast, desperately want to get it right. These innovators – and digital health product line leaders within firms like Samsung and Apple – are very open to working with clinicians. In fact, most if not all work directly with both staff doctors and clinicians in community practice, and are always open to getting guidance on how to support the practice of medicine.

So while Dr. Madara’s comments aren’t precisely wrong, they suggest a fear and distrust of technology which doesn’t become any 21st century professional organization.

Think I’m wrong? Well, then why didn’t the AMA leader announce the formation of an investment fund to back the “potentially magnificent” advances he admits exist? If the AMA did that, it would demonstrate that even a 169-year-old organization can adapt and grow. But otherwise, his words suggest that the venerable trade group still holds disappointingly Luddite views better suited for the dustbin of history.

Vendors Bring Heart And Lung Sounds To EHR

Posted on June 3, 2016 | Written By Anne Zieger

In what they say is a first, a group of technology vendors has teamed up to add heart and lung sounds to an EMR. The current effort extends only to the drchrono EHR, but if this rollout works, it seems likely that other vendors will follow, as adding multimedia content to patient medical records is a very logical step.

Direct Urgent Care, a Berkeley, CA-based urgent care provider with 30,000 patients, is rolling out the Eko Core Digital Stethoscope for use by its physicians. Heart and lung sounds are recorded by the digital stethoscope, then transmitted wirelessly to a phone- or tablet-based mobile app. The app, in turn, uploads the audio files to the drchrono EHR.

Ordinarily, I’d see this as an early experiment in managing multimedia health data and leave it at that. But two things make it more interesting.

One is that the Eko Core sells for a relatively modest $299, which is not bad for an FDA-cleared device. (Eko also sells an attachment for $199 which digitizes and records sounds captured by traditional analog stethoscopes, as well as streaming those files to the Eko app.) The other is that the recorded sounds can be shared with remote specialists such as cardiologists and pulmonologists, which seems valuable on its face even if the data doesn’t get stored within an EMR.

Not only that, this rollout underscores a problem that has been given too little attention. From what I’ve seen, few EMRs incorporate anything beyond text. Even radiology images, which have been digital for ages (and are managed by sophisticated PACS platforms), typically aren’t accessible through the EMR interface. In fact, my understanding is that PACS data is another silo that needs to be broken down.

Meanwhile, medical practices and hospitals are increasingly generating data that doesn’t fit into the existing EMR template, from sources such as wearables, health apps and video consults. Neither EMR developers nor standards organizations seem to have kept up with the influx of emerging non-text data, so virtually none of it is being integrated into patient records yet.

In other words, not only is it interesting to note that an EMR vendor is incorporating audio into medical records, at a modest cost, it’s worth taking stock of what it can teach us about enriching digital patient records overall.

Eventually, after all, patients will be able to capture — with some degree of accuracy — multimedia content that includes not only audio, but also ultrasound recordings, EKG charts and more. Of course, these self-administered tests will never replace a consult by a skilled clinician, but there certainly are situations in which this data will be relevant.

When you also bear in mind that the number of telemedicine consults being conducted is growing dramatically, and that these, too, offer insights that could become part of a patient’s chart, the need to go beyond text-based EMRs becomes even more evident.

So maybe the Eko/drchrono partnership will work out, and maybe it won’t. But what they’re doing matters nonetheless.

What Data Do You Need in Order to Guide Behavioral Change?

Posted on June 2, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

This is an exciting time for the health care field, as its aspirations toward value-based payments and behavioral responses to chronic conditions converge on a more and more precise solution. Dr. Joseph Kvedar has called this comprehensive approach connected health and has formed both a conference and a book around it. BaseHealth, a predictive analytics company in healthcare, has teamed up with TriVita to offer a consumer-based service around this approach, which combines access to peer-reviewed research with fine-tuned guidance that taps into personal health and behavioral data and leverages the individual interests of each participant.

I have previously written about BaseHealth’s assessment engine, which asks individuals for information about their activities, family history, and health conditions in order to evaluate their health profile and risk for common diseases. TriVita is a health coaching service with a wide-ranging assessment tool and a number of products, including cutely named supplements such as Joint Complex and Daily Cleanse. TriVita’s nutritionists, exercise coaches, and other staff are overseen by physicians, but their service is not medical: it does not enter the heavily regulated areas where clinicians practice.

I recently talked with BaseHealth’s CEO, Prakash Menon, and Dan Hoemke, its Vice President of Business Development. They describe BaseHealth’s predictive analytics as input that informs TriVita’s coaching service. What I found interesting is the sets of data that seem most useful for coaching and behavioral interventions.

In my earlier article, I wrote, “BaseHealth has trouble integrating EHR data.” Menon tells me that getting this data has become much easier over the past several months, because several companies have entered the market to gather and combine the data from different vendors. Still, BaseHealth focuses on a few sources of medical data, such as lab and biometric data. Overall, they focus on gathering data required to identify disease risk and guide behavior change, which in turn improves preventable conditions such as heart disease and diabetes.

Part of their choice springs from the philosophy driving BaseHealth’s model. Menon says, “BaseHealth wants to work with you before you have a chronic condition.” For instance, the American Diabetes Association estimated in 2012 that 86 million Americans over the age of 20 had prediabetes. Intervening before these people have developed the full condition is when behavioral change is easiest and most effective.

Certainly, BaseHealth wants to know your existing medical conditions, so they ask you about them when you sign up. Other measurements, such as cholesterol, are also vital to BaseHealth’s analytics. Through a partnership with LabCo, a large diagnostics company in Europe, they are able to tap into lab systems to get these values automatically. Users in the United States can enter them manually with little effort.

BaseHealth is not immune to the industry’s love affair with genetics and personalization, either. They take about 1500 genetic factors into account, helping them to quantify your risk of getting certain chronic conditions. But as a behavioral health service, Menon points out, BaseHealth is not designed to do much with genetic traits signifying a high chance of getting a disease. They deal with problems that you can do something about–preventable conditions. Menon cites a Health 2.0 presentation (see Figure 1) saying that our health can, on average, be attributed 60 percent to lifestyle, 30 percent to genetics, and 10 percent to clinical interventions. But genetics help to show what is achievable. Hoemke says BaseHealth likes to compare each person against the best she can be, whereas many sites just compare a user against the average population with similar health conditions.

Figure 1. Relative importance of health factors

BaseHealth gets most of its data from conditions known to you, your environment, family history, and more than 75 behavioral factors: your activity, food, over-the-counter meds, sleep activity, alcohol use, smoking, several measures of stress, etc. BaseHealth assessment recommendations and other insights are based on peer-reviewed research. BaseHealth will even point the individual to particular studies to provide the “why” for its recommendations.

So where does TriVita fit in? Hoemke says that BaseHealth has always stressed the importance of human intervention, refusing to fall into the fallacy that health can be achieved just through new technology. He also said that TriVita fits into the current trend of shifting accountability for health to the patient; he calls it a “health empowerment ecosystem.” As an example of the combined power of BaseHealth and TriVita, a patient can send his weight regularly to a coach, and both can view the implications of the changes in weight–such as changes in risk factors for various diseases–on charts. Some users make heavy use of the coaches, whereas others take the information and recommendations and feel they can follow their plan on their own.

As more and more companies enter connected health, we’ll get more data about what works. And even though BaseHealth and TriVita are confident they can achieve meaningful results with mostly patient-generated data, I believe that clinicians will use similar techniques to treat sicker people as well.

Steps In Integrating Patient-Generated Health Data

Posted on May 24, 2016 | Written By Anne Zieger

As the number of connected health devices in use has expanded, healthcare leaders have grappled with how to best leverage the data they generate. However, aside from a few largely experimental attempts, few providers are making active use of such data.

Part of the reason is that the connected health market is still maturing. With health tracking wearables, remote monitoring set-ups, mobile apps and more joining the chorus, it might be too soon to try and normalize all this data, much less harvest it for clinical use. Also, few healthcare organizations seem to have a mature strategy in place for digital health.

But technical issues may be the least of our problems. It’s important to note that providers have serious concerns around patient-generated health data (PGHD), ranging from questions about its validity to fears that such data will overwhelm them.

However, it’s possible to calm these fears, argues Christina Caraballo, senior healthcare strategist at Get Real Health.  Here’s her list of the top five concerns she’s heard from providers, with responses that may help put providers at ease:

  • Fear they’ll miss something in the flood of data. Add disclaimers, consent forms, video clips or easy-to-digest graphics clarifying what consumers can and can’t expect, explicitly limiting provider liability.
  • Worries over data privacy and security: Give consumers back some of the risk, by emphasizing that no medium is perfectly secure, including paper health records, and that they must determine whether the benefits of using digital health devices outweigh the risks.
  • Questions about data integrity and standardization: Emphasize that while the industry has made great progress in standardization, interoperability, authentication, data provenance, reliability, validity, clinical value and even workflow, the bottom line is that the data still comes from patients, who don’t always report everything regardless of how you collect the data.
  • Concerns about impact on workflow: Underscore that if the data is presented in the right framework, it will be digestible in much the same way as other electronic medical data.
  • Resistance to pressure from consumers: Don’t demand that providers leverage PGHD out of the gate; instead, move incrementally into PGHD management by letting patients collect data electronically, and then incorporate that data into clinical systems once all stakeholders are on board.

Now, I’m not totally uncritical of Ms. Caraballo’s article. In particular, I take issue with her assertion that providers who balk at using PGHD are “naysayers” who “simply don’t want to change.” While there are always a few folks fitting this description in any profession, the concerns she outlines aren’t trivial, and brushing them off with vague reassurances won’t work.

Truthfully, if I were a provider I doubt I would be comfortable relying on PGHD, especially biometric data. As Ingrid Oakley-Girvan of Medable notes, wearables giant Fitbit was hit with a lawsuit earlier this year alleging that its heart rate monitoring technology is inaccurate, and I wouldn’t be surprised if other such suits arise. Digital health trackers and apps have transitioned from novelty to quasi-official medical device very quickly — some might say too quickly – and being cautious about their output just makes sense.

Nonetheless, PGHD will play a role in patient care and management at some point in the future, and it makes sense to keep providers in the loop as these technologies progress. But rushing them into using such data would not be wise. Let’s make sure such technologies are vetted before they assume a routine role in care.

Patient Portal Security Is A Tricky Issue

Posted on April 25, 2016 | Written By Anne Zieger

Much of the discussion around securing health data on computers revolves around enterprise networks, particularly internal devices. But it doesn’t hurt to look elsewhere in assessing your overall vulnerabilities. And unfortunately, that includes gaps that can be exposed by patients, whose security practices you can’t control.

One vulnerability that gets too little attention is the potential for a cyber attack accessing the provider’s patient portal, according to security consultant Keith Fricke of tw-Security in Overland Park, Kan. Fricke, who spoke with Information Management, noted that cyber criminals can access portal data relatively easily.

For example, they can insert malicious code into frequently visited websites, which the patient may inadvertently download. Then, if your patient’s device or computer isn’t secure, you may have big problems. When the patient accesses a hospital or clinic’s patient portal, the attacker can conceivably get access to the health data available there.

Not only does such an attack give the criminal access to the portal as that patient, it may also offer them a path to many other patients’ computers, and the opportunity to send malware to those computers. So one patient’s compromised device can become a source of infection for countless patients.

When patients access the portal via mobile device, it raises another set of security issues, as the threat to such devices is growing over time. In a recent survey by Ponemon Institute and CounterTack, 80% of respondents reported that their mobile endpoints had been the target of malware in the past year. And there’s little doubt that attacks via mobile device will become more sophisticated over time.

Given how predictable such vulnerabilities are, you’d think that it would be fairly easy to lock the portals down. But the truth is, patient portals have to strike a particularly delicate balance between usability and security. While you can demand almost anything from employees, you don’t want to frustrate patients, who may become discouraged if too much is expected from them when they log in. And if they aren’t going to use it, why build a patient portal at all?

For example, requiring a patient to change their password or login data frequently may simply be too taxing for users to handle. Other barriers include demanding that a patient use only one specific browser to access the portal, or requiring them to use a numeric identifier rather than an alphanumeric username they can remember. And insisting that a patient use a long, computer-generated password can be a hassle that patients won’t tolerate.

At this point, it would be great if I could say “here’s the perfect solution to this problem.” But the truth is, as you already know, that there’s no one solution that will work for every provider and every IT department. That being said, in looking at this issue, I do get the sense that providers and IT execs spend too little time on user-testing their portals. There’s lots of room for improvement there.

It seems to me that to strike the right balance between portal security and usability, it makes more sense to bring user feedback into the equation as early in the game as possible. That way, at least, you’ll be making informed choices when you establish your security protocols. Otherwise, you may end up with a white elephant, and nobody wants to see that happen.

The Power of WeChat for Chinese Health Trackers

Posted on March 24, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been meaning to write this post ever since CES at the start of this year. It was one of the most impressive and interesting things I saw at CES. However, it requires a real international perspective to understand the impact of the story. Hopefully I can flesh it out for you.

While at CES I ran into a company called Lifesense (all in Chinese). I almost didn’t stop at their booth because it was in Chinese, but I did recognize the pictures they had, and the guy at the booth came out and said hi. I try to be respectful, so I stopped and talked for a minute.

At first appearance I just thought they were one of the hundreds of copy cat companies I’d seen all over the Fitness area of CES. They had a fitness tracker, a scale, a blood pressure cuff, etc. I guess in some ways they were/are a copy cat company since none of those things made them special (at least nothing I could see). However, it turned out that there was more than meets the eye and there was a reason their booth and website were in Chinese.

Turns out that Lifesense was only in China. They had no US presence (although, he thought that one day they might). As someone who’s always curious I wondered how well their health tracking products had done in China. He then recounted to me that they were lucky to be major partners with WeChat and so they’d had tremendous success in the Chinese market.

This is where I got most interested. For those not familiar with WeChat, it’s the go-to IM/SMS/Facebook Messenger/SnapChat/Kik/Whatsapp/etc app for China. Everyone in China is pretty much on WeChat. Plus, unlike the companies that I just listed, WeChat also has a built-in commerce platform and engine for running third party apps. It’s amazing to think that an IM platform could be so powerful, but WeChat has shown that it can be. You literally can order pizza or an Uber from within WeChat.

With that in mind, building a health tracking platform on WeChat solves so many of the challenges that US based fitness tracking applications have going against them. Take for example the experience with Fitbit. You can connect with your friends and “compete” against them to see who takes the most steps. However, it can be a pain to get all of your friends on the Fitbit platform so you can compete. Plus, this doesn’t even take into account that your friend has to have a Fitbit device.

Turns out that since Lifesense has built their Fitness tracking on WeChat, they can already connect you to all your other friends that are tracking their fitness with no work on your part. That feature literally just comes built in with WeChat. That’s so incredibly powerful since the social element to health is so important.

The problem in the US is that we don’t have a WeChat. There are a lot of platforms that are trying to do what WeChat’s done in China in the US, but they still have a long ways to go. Plus, it’s hard to imagine them ever becoming the dominant force that WeChat is in China.

As usual, I think there’s lots that we can learn from other countries. I think that’s the case with simple integrations like WeChat that open up all sorts of easy doors to improving health.

Here are some screenshots of the LifeSense app in WeChat for those that are interested to see how the app looks on top of WeChat:

Accessing Near-Real Time Patient Data In & Out of the Hospital with Alan Portela

Posted on March 15, 2016 | Written By John Lynn

UPDATE: If you missed the live video of this chat with Alan Portela, you can watch the recorded version below:

Accessing Near-Real Time Patient Data In and Out of the Hospital

On Thursday, March 17, 2016 at 3 PM ET (Noon PT) join us for a live video interview with Alan Portela, CEO of AirStrip. Alan is one of the most insightful people I’ve ever met in healthcare. He has a great mix of experience and vision for what’s happening in healthcare IT and where it needs to go in the future. Not to mention he understands some of the reasons it hasn’t gotten there yet. I always learn something when I talk with Alan and so I’m excited to share this live interview with the Healthcare Scene community.

The great part is that you can join my live conversation with Alan and even add your own comments to the discussion or ask him questions. All you need to do to watch live is visit this blog post on Thursday, March 17, 2016 at 3 PM ET (Noon PT) and watch the video embed at the bottom of the post or you can subscribe to the blab directly. We’ll be doing a more formal interview for the first 30 minutes and then open up the Blab to others who want to add to the conversation or ask us questions. The conversation will be recorded as well and available on this post after the interview.

We hope you’ll join us live or enjoy the recorded version of our conversation. You won’t be disappointed by Alan Portela’s insights into the world of near real-time streaming of health data to mobile devices. AirStrip has done some really amazing things in this regard and Alan has a deep knowledge of this industry.

If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

Access to Encrypted iPhones – The Apple Encryption Debate

Posted on February 19, 2016 | Written By John Lynn

The tech world is in a frenzy over the letter Apple’s CEO Tim Cook sent to the FBI in response to a request for Apple to create essentially a backdoor to be able to access the San Bernardino terrorist’s iPhone. It’s a messy and complex situation which pits government against industry and privacy advocates against security advocates. Tim Cook in his letter is right that “this moment calls for public discussion.”

My favorite venture capitalist blogger, Fred Wilson, summed it up best for me when he said this in response to Tim Cook’s assertion that the contents of your iPhone are none of Apple’s business:

That is not an open and shut case to me.

Of course I’d like the contents of my iPhone to be out of reach of everyone other than me. But if that means the contents of the iPhones of child pornographers, sex slave runners, narco gangsters, terrorists, and a host of other bad people are “none of our business” then that gives me pause.

I don’t think we can have it both ways. We have to choose one way or the other.

I think this is also complicated by the fact that Apple had unlocked phones previously. Albert Wenger expresses my fears around this subject:

We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home. Our homes are safe from thieves and from government not because they couldn’t get in if they wanted to but because the law and its enforcement prevents them from doing so. All we have to do is minimal physical security (lock the doors when you are out).

Please repeat after me: Surveillance is a political and legal problem, not a technical problem.

This quote is particularly interesting to me since this weekend when my family and I were away on a trip for President’s Day weekend, someone broke into our house (Side Note: We’re all fine and they realized once they got in that we didn’t have anything valuable to take. We mostly just had to deal with a broken door).

I feel similar to my favorite VC who said “I am struggling with this issue this morning, and I imagine many others are too.”

Turning to the healthcare perspective, privacy and security of health information is so important. It’s literally the intimate details of your life. I’ve heard some argue that Apple creating a way for the FBI to access this one phone would mean that all of our health information on iPhones would be at great risk of being compromised. I think that’s an exaggeration of what’s happening, but I understand the slippery slope argument.

What’s interesting is that none of us want our healthcare data to be compromised. However, if we were in a coma and the life saving information was on our iPhone, we’d love for someone to have a way to access that information. I’ve seen startup companies who’ve built that ability into the iPhone home screen for just this purpose.

I guess I’m torn on the issue. Privacy is important, but so is security. This weekend I’m going to be chewing on “We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home.” The problem with this concept is that fortresses are something we can plan and build. The other solutions are much more complex.

Wearable Health Trackers Could Pose Security Risks

Posted on February 1, 2016 | Written By Anne Zieger

Last October, security researchers made waves when they unveiled what they described as a 10-second hack of a Fitbit wearable health tracker. At the Hack.Lu 2015 conference, Fortinet security researcher Axelle Apvrille laid out a method for hacking the wearable through its Bluetooth radio. Apparently, Apvrille was able to infect the Fitbit Flex from as much as 15 feet away, manipulate data on the tracker, and use the Flex to distribute his code to a computer.

Fitbit, for its part, denied that its devices can serve as vehicles for infecting users with malware. And Apvrille himself admitted publicly that his demonstration was more theoretical than practical. In a tweet following the conference, he noted that he had not demonstrated a way to execute malicious code on the victim’s host.

But the incident does bring attention to a very serious issue. While consumers are picking up health trackers at a breathless pace, relatively little attention has been paid to whether the data on these devices is secure. Perhaps even more importantly, too few experts are seeking ways to prevent these devices from being turned into a jumping-off point for malware. After all, like any other lightly-guarded Internet of Things device, a wearable tracker could ultimately allow an attacker to access enterprise healthcare networks, and possibly even sensitive PHI or financial data.

It’s not as though we aren’t aware that connected healthcare devices are rich hunting grounds. For example, security groups are beginning to focus on securing networked medical devices such as blood gas analyzers and wireless infusion pumps, as it’s becoming clear that they might be accessible to data thieves or other malicious intruders. But perhaps because wearable trackers are effectively “healthcare lite,” used almost exclusively by consumers, the threat they could pose to healthcare organizations over time hasn’t generated a lot of heat.

But health tracker security strategies deserve a closer look. Here are some sample suggestions on how to secure health and fitness devices from Milan Patel, IoT Security Program Director at IBM:

  • Device design: Health tracker manufacturers should establish a secure hardware and software development process, including source code analysis to pinpoint code vulnerabilities and security testing to find runtime vulnerabilities. Use trusted manufacturers who secure components, and a trusted supply chain. Also, deliver secure firmware/software updates and audit them.
  • Device deployment: Be sure to use strong encryption to protect the privacy and integrity of data on the device, during transmission from the device to the cloud, and in the cloud. To further control device data, give consumers the ability to set up user and usage privileges for their data, and an option to anonymize the data. Secure all communication channels to protect against data change, corruption or observation.
  • Manage security: Include trackers in the set of technology being monitored, and set alerts for intrusion. Audit logging is desirable for the devices, as well as the network connections and the cloud. The tracker should ideally be engineered to include a fail-safe operation — dropping the system down to incapability, safely — to protect against attacks.
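The integrity, audit-logging, alert and fail-safe items above, as an added example that is not IBM's or the page's own code: the tracker tags each sync record with a per-device HMAC key, and a cloud-side sync gateway rejects records altered on the device or in transit (the kind of data manipulation the Flex demonstration involved), logs every event, and quarantines a device after repeated failures. The device key, record fields and gateway class are constructed for this demo; a real deployment would also encrypt the payload with an AEAD for confidentiality, which this stdlib-only sketch omits.

```python
import hashlib
import hmac
import json

# Constructed for this example: a per-device secret provisioned at manufacture.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
MAX_FAILURES = 3  # consecutive bad records before the device is dropped to fail-safe

def _canonical(record: dict) -> bytes:
    """Serialize deterministically so tracker and gateway hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record: dict, key: bytes = DEVICE_KEY) -> dict:
    """Tracker side: attach an HMAC-SHA256 tag over the sync record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify_record(envelope: dict, key: bytes = DEVICE_KEY) -> bool:
    """Gateway side: recompute the tag; constant-time compare avoids timing leaks."""
    expected = hmac.new(key, _canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("tag", "")))

class SyncGateway:
    """Hypothetical cloud receiver that verifies, audit-logs, alerts, and trips a fail-safe."""
    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = {}        # device_id -> consecutive integrity failures
        self.quarantined = set()  # devices dropped to safe incapability
        self.audit_log = []       # one entry per event, per the "manage security" item

    def _log(self, device: str, event: str) -> None:
        self.audit_log.append({"seq": len(self.audit_log), "device": device, "event": event})

    def ingest(self, envelope: dict) -> str:
        device = envelope["record"]["device_id"]
        if device in self.quarantined:
            self._log(device, "rejected_quarantined")
            return "quarantined"
        if verify_record(envelope):
            self.failures[device] = 0
            self._log(device, "accepted")
            return "accepted"
        # Tag mismatch: the record was altered on the device or in transit.
        self.failures[device] = self.failures.get(device, 0) + 1
        self._log(device, "integrity_failure")
        if self.failures[device] >= self.max_failures:
            self.quarantined.add(device)   # fail-safe: stop trusting this device
            self._log(device, "ALERT_fail_safe_engaged")
            return "fail_safe"
        return "rejected"
```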

This may sound like a great deal of effort to expend on these relatively unsophisticated devices. And at present, it just may be overkill. But it’s worth preparing for a world in which health trackers are increasingly capable and connected, and increasingly attractive to the attackers who want your data.

Security Concerns Threaten Mobile Health App Deployment

Posted on January 26, 2016 | Written By Anne Zieger

Healthcare organizations won’t get much out of deploying mobile apps if consumers won’t use them. And if consumers are afraid that their personal data will be stolen, they’ve got a reason not to use your apps. So the fact that both consumers and HIT execs are having what I’d deem a crisis of confidence over mHealth app security isn’t a good sign for the current crop of mobile health initiatives.

According to a new study by security vendor Arxan, which polled 815 consumers and 268 IT decision-makers, more than half of consumer respondents who use mobile health apps expect their health apps to be hacked in the next six months.

These concerns could have serious implications for healthcare organizations, as 76% of health app users surveyed said they would change providers if they became aware that the provider’s apps weren’t secure. And perhaps even more significantly, 80% of consumer health app users told Arxan that they’d switch to other providers if they found out that the apps an alternate provider offered were better secured. In other words, consumer perceptions of a provider’s health app security aren’t just abstract fears — they’re actually starting to impact patients’ health decision making.

Perhaps you’re telling yourself that your own apps aren’t terribly exposed. But don’t be so sure. When Arxan tested a batch of 71 popular mobile health apps for security vulnerabilities, 86% were shown to have a minimum of two OWASP Mobile Top 10 Risks. The researchers found that vulnerable apps could be tampered with and reverse-engineered, as well as compromised to expose sensitive health information. Easily-done hacks could also force critical health apps to malfunction, Arxan researchers concluded.

The following data also concerned me. Of the apps tested, 19 had been approved by the FDA and 15 by the UK National Health Service. And at least where the FDA is concerned, my assumption would be that FDA-tested apps were more secure than non-approved ones. But Arxan’s research team found that both FDA and National Health Service-blessed apps were among the most vulnerable of all the apps studied.

In truth, I’m not incredibly surprised that health IT leaders have some work to do in securing mobile health apps. After all, mobile health app security is evolving, as the form and function of mHealth apps evolve. In particular, as I’ve noted elsewhere, mobile health apps are becoming more tightly integrated with enterprise infrastructure, which takes the need for thoughtful security precautions to a new level.

But guidelines for mobile health security are emerging. For example, in the summer of last year, the National Institute of Standards and Technology released a draft of its mobile health cybersecurity guidance, “Securing Electronic Records on Mobile Devices” — complete with detailed architecture. Also, I’d wager that more mHealth standards should emerge this year too.

In the meantime, it’s worth remembering that patients are paying close attention to health app security, and that they’re unlikely to give your organization a pass if they’re hacked. While security has always been a high-stakes issue, the stakes have gotten even higher.