Mobile Health (mHealth) Security Matters and Mitigation

While it has only just emerged this century, the use of mobile health technology (mHealth) in the delivery and management of healthcare is gaining traction due to the global implementation of health information technology. This is exemplified mostly by electronic health record (EHR) systems, wherein patients’ health information resides on computers and travels on computer networks. Normally, the information stored on computers is accessed through wires and is limited to places where such infrastructure exists. With the advent of wireless technology, electronic health information can be accessed by anybody, anytime from anywhere and on any mobile device as long as wireless connectivity is available. Despite this advantage, the security of health information stored on and accessed through mobile devices is cause for public concern. Wireless communication is prone to hacking, and mobile devices, given their size and value, increase the chance they will be lost or stolen.

mHealth is defined as the use of mobile devices (mDevices) in the practice of medicine. These include mobile/cellphones, iPads, tablets, personal and notebook (laptop) computers, personal digital assistants (PDAs), and similar other devices that use wireless technology to access health information networks. Such devices often use radio waves for communication either through central access points (hot spots) or satellites. Of these, mobile phones have emerged as the greatest mobile technology gadgets.

Since wireless signals travel through the atmosphere, diffuse in all directions, and can pass through most physical barriers, they are liable be intercepted. The intent of this article is to review wireless technology, its use in healthcare, its security issues, and best practices to make safe use of this novel technology for the delivery and management of healthcare.

Types of mHealth Security

Before discussing the security of mHealth, it is appropriate to enumerate four types of information security requirements: physical, network, application, and user security.

Physical security implies the security of computers, network hardware, and storage media against intruders and natural disasters. The most common mitigative security measures for this purpose includes using ID badges and biometric authentication for entry to premises, locking computers with desks, and regular backups for data restoration in case of any human-made or natural disasters.

Network security denotes the protection of data and information residing on computers and in transit over the network/internet through techniques like encryption (encodes data, rendering it unreadable by unauthorized persons) and technologies such as firewalls (controls both inbound and outbound data based on the nature of traffic and source); virtual private networks (makes private data communication channel in the public network such as internet); network intrusion detection (notifies the network administrator of any intrusion by email, text message, alert); and intrusion detection and prevention systems (blocks intruder and reports to network administrator).

Application security requires validation of services accessing the information, level of information access and use permissions, software patches and updates, software logs, and input validation techniques (best defense against malware/spyware injection).

User security is a three-step process that entails user identification through user ID, authentication through password, biometric or two-factor authentication (verifies user), and authorization through permissions (what the user can access and do).

Data Transmission Media

Data and information on the network travels either on wires (wireline transmission media)—the most common being the copper cables (network and coaxial or TV cables) and fiber optic (FO) cables—or wirelessly through the atmosphere. For the discussion of data security, it is pertinent to examine how data travels on these two types of transmission media and their security vulnerabilities.

Wireline Transmission Media

The two types of wireline transmission media are copper cables and fiber optic (FO) cables. Copper cables transmit data through voltages (electrical signals), called electromagnetic (EM) waves, as pulses (5 volts representing 1) or no pulses (representing 0). The data from these cables can be stolen by placing a device close to the cable, which can sense pulses and covert them back to 1s and 0s. To avoid this, some copper cables are shielded (covered with aluminum foil) to stop pulses from being detected externally. One typical example of this type of cable is TV (coaxial) cable that not only shields data being braided but can also transmit it at multiple voltage levels, thus catering to the needs of TV, internet, and digital phone requirements simultaneously. Contrary to the copper cables, FO cables are made of glass or highly transparent plastic and transmit data as light pulses. Its twofold benefits include data transmission at almost the speed of light (several times faster than copper cables) and data security, as light pulses cannot be detected externally. Besides being fast and secure, FO cables transmit data in multiple frequencies, enabling several data channels in one cable (video, internet, phone). Verizon FiOS is one such example.

Wireless Media

Wireless signals are also EM waves, but unlike the wireline media, they travel through the air or atmosphere at different frequencies (amplitudes). They are advantageous in areas where wired networks cannot be set up (old and historical buildings) or are required temporarily (training or classroom setup). Because the wireless signals radiate in all directions and can pass most physical barriers, they are very valuable in hospital environments or healthcare organizations with mobile workforces. However, they are the least secure, as they can easily be intercepted by monitoring devices, and data can be interrupted, interjected, modified, stolen, rendered unusable, or even destroyed.

Mobile Technology (mTechnology)

mTechnology is based on wireless technology that moves with the user. It is a portable two-way communication network and includes internet-enabled devices like smartphones, tablets, notebook computers, and navigation devices. mTechnology touches all aspects of our daily lives from starting the day with the alarm clock in your phone; managing the day through your calendar, reminders, and notes; communicating through emails, texts, social media; and accessing online information like maps, books, magazines, files, photos, and videos. The common four types of mTechnologies are:

• Cellular or radio networks: Use distributed cell towers that enable mobile devices (cellphones) to switch frequencies automatically and communicate without interruption across large geographic areas.
• Packet switching technology (5G network): Organizes data into packets for transmission and reassembles packets into information at destination.
• Wi-Fi: Radio waves that connect devices to internet through localized routers.
• Bluetooth: Connects devices over short distances using short-wavelength radio waves.

Mobile Health (mHealth)

mHealth is the use of mTechnology in healthcare. The World Health organization (WHO) defines mHealth as the “use of mobile and wireless technologies to support the achievement of health objectives,”¹ while the National Institutes of Health (NIH) describes it as “use of mobile and wireless devices to improve health outcomes, healthcare services, and healthcare research.”²

Thus, mHealth is the practice of medicine and healthcare over mobile devices, like smartphones, tablets, and iPads, such as eVisit (only mode of remote healthcare delivery service during COVID-19 pandemic). Although traditionally used for wellness management, their use for healthcare both by patients and providers has increased exponentially.³

Currently, mHealth technologies are being used for patient monitoring, patient-provider communication, telehealth, and e-health. Although the lines between telehealth (also referred to as telemedicine) and e-health are blurred, they are two different technologies. E-health is the electronic communication of information for improving patient’s health, while telehealth uses video, smartphones, or any wireless tools or telecommunications technology (network/internet) for specific healthcare delivery and is named after the type of healthcare service: telenursing, telepharmacy, telerehabilitation, teleradiology, teletrauma care, telepsychiatry, telepathology, and teledermatology. Telehealth requires license and an infrastructure to practice, while e-health has no such requirements. Both became routine during COVID-19 pandemic.

mHealth Security

The global health data breaches in 2020 increased to 24.5 percent against financial services breaches (7.3 percent), once being the reverse.⁴ Thus, it is pertinent to elaborate on some mHealth security issues to understand their specific security vulnerabilities.

Mobile devices use air interface to communicate and transmit data through the atmosphere. The wireless medium is broadcast (signals diffuse in all directions), and signals can pass through physical barriers (e.g., walls, roofs, and concrete). They are vulnerable to active (through injecting, deleting, altering the message) or passive (redirecting the information) attacks. The signals traveling through the atmosphere can be intercepted, modified, destroyed, hacked, and rendered unusable through ransomware. Being portable, mobile devices are small and lucrative and can be lost or stolen along with data, have low processing power to handle encryption, and can use public unsecure Wi-Fi. Bring your own device (BYOD) policies poses additional risks of healthcare cybersecurity, as healthcare workers can use their own devices to access organizational network, access patient data, and enter medical orders. BYOD policies are advantageous because of higher productivity, as the providers can access health information from anywhere and anytime; they increase job satisfaction by supporting flexible work arrangements; and they increase effectiveness due to more comfort and speed with the use of people’s own devices. However, they suffer from several disadvantages, like data breaches due to lost or stolen personal devices, lack of firewall and anti-virus software, dearth of encryption power, and increased IT costs for supporting personal devices.

HIPAA and mHealth

HIPAA requires security of the protected health information (PHI) through its Security Rule that mandates the security of health information through a three-pronged approach: administrative (policy-based), physical (physical access to facility, workstation, and storage devices), and technical (technological requirements to control access to information).⁵ mHealth devices have potential HIPAA Security Rule compliance issues such as physical loss or theft of devices, data transmission over unsecured Wi-Fi, unencrypted text messages/emails, inadequate or lack of authentication protocols, and poor adherence to BYOD policies and procedures.

Beside the potential to have HIPAA security compliance issues, other specific mHealth device issues include interference with implanted medical devices (pacemakers) and their use in monitoring vital signs and supporting life-threatening and critical care situations that use a part of electromagnetic spectrum, like mobile devices. They also suffer from diagnostic interpretations due to small screen size, which may conceal some crucial details in EKG, ultrasound, MRI, and X-rays.

Best Security Practices for Securing mHealth Devices

Although no technique or technology can provide fool-proof security for the data contained in mHealth devices or accessed through them, some measures can minimize the security risks. These include implementation of strong user authentication (biometric or two-factor authentication), automatic lock after excessive number of incorrect logins, remote wiping when a device is lost or stolen, employing encryption for conversations (emails, text messages), developing an application policy for BOYD devices, regular updating to keep vulnerabilities mitigated, and installing security programs/antivirus, as being networked they are apt to all sorts of malware attacks.

Internet of Things in Healthcare (IoHT)

Yet another breed of mHealth devices are Internet of Healthcare Things (IoHT) or Internet of Medical Things (IoMT) devices, which is the use of Internet of Things (IoT) in healthcare. IoHT devices are sensor-based interconnected devices used for tracking assets and resources. In hospitals, they can be used for locating patients, medical staff, and visitors (called smart hospitals), and collection and integration of health data (generation, collection, and communication of health data through wearable devices).⁶ Other benefits of IoHT devices include savings in medical cost, reduction in medical errors, improved patient experience, manageability of medical drugs and adherence, better control over wastage in healthcare sector, and better outcomes of medical treatments.

Security Mitigation of IoHT Devices

Mitigation of security for IoHT devices include both technological and administrative measures. The technological mitigation measures comprises use of blockchain technology to protect data in IoHT devices, enable IoHT devices to use authentication to validate user identity and access privileges, enable IoHT devices to use encryption for all health-related communication, enable integrity on IoHT devices to verify devices to ensure that they are unaltered and uninterrupted, and ensure IoHT devices are patched and updated to avert any vulnerability.

The administrative mitigation measures comprise using the principle of least privilege for required actions and types of communication, logging all user activities and events and monitoring them regularly for unusual activities (duplicate device ID or elevation in privileges), reviewing device data regularly to identify unusual trends or patterns, implementing security best practices associated with protecting and securing sensitive data, and conducting formal education, training workshops, certifications, and participation in mobile security conferences.

Future of IoHT

IoHT devices have a great future in healthcare applications, especially through the integration of artificial intelligence with IoHT in the form of ingestible sensors (ePills, which are pill-sized devices to monitor internal physiology and act as diagnostic devices sending medical information and images to outside connected devices); nano-devices to monitor human physiology and deliver drugs to targeted areas like cancer cells; connected lenses that would determine tear glucose and eyes diseases; and blood clot monitoring sensors to avert heart attacks. Their potential healthcare implications include smart hospitals, virtual clinics, microsurgery, vital sign monitoring systems (which can analyze real-time data inputs from critically ill intensive care unit patients), activity trackers for heart patients to collect lifestyle information, and fitness wearables, to name a few.

In view of the significance of mTechnology in healthcare, the Journal of Mobile Technology in Medicine is published to disseminate the mHealth research results.

Notes

1. World Health Organization. https://www.who.int/goe/publications/goe_mhealth_web.pdf
2. National Institutes of Health. https://grants.nih.gov/grants/guide/pa-files/PAR-14-028.html
3. Phaneuf, A. “How mHealth apps are providing solutions to the healthcare market’s problems” (2019). Retrieved form What Is MHealth? Apps, Examples & Mobile Health Industry Trends (businessinsider.com).
4. US Department of Health & Human Services. “A Retrospective Look at Healthcare Cybersecurity.” 2020. https://www.hhs.gov/sites/default/files/2020-hph-cybersecurty-retrospective-tlpwhite.pdf
5. US Department of Health & Human Services. Summary of the HIPAA Security Rule Guidance Portal. https://www.hhs.gov/guidance/document/summary-hipaa-security-rule-1
6. Bajwa, M. “Opportunities and Challenges for Internet of Things in Healthcare (IoHT).” International Journal of General Medicine and Pharmacy (IJGMP): Vol. 9 (2020): 1-4.

Mohammad Bajwa (mohammad.bajwa@UMGC.edu) is a professor of health informatics at the University of Maryland-Global Campus.