mHealth Data Security, Privacy, and Confidentiality

From MEASURE Evaluation, these two documents - (i) mHealth data security, privacy, and confidentiality guidelines and (ii) an accompanying checklist - have been created in response to the recognition that, as healthcare organisations turn to mobile devices to improve efficiency and productivity, many are introducing risks that could result in a data breach and the exposure of protected health information. Organisations around the world are taking note and providing guidelines on how to safeguard electronic personal health information.
The primary assumption of these guidelines is that, by strengthening technological, administrative, and physical safeguards surrounding mobile devices, sensitive personal health data are also more likely to be kept both private and confidential. In that context:
- (i) The guidelines are intended to strengthen national health information systems (HIS) by providing a tool to guide decisions on security, privacy, and confidentiality of personal health information collected and managed using mobile devices. These guidelines are meant to help mHealth programme managers and ministry of health officials systematically address mHealth data privacy and security issues. For each of the layers of technology, these guidelines explore common vulnerabilities and propose ways to proactively address them to reduce the possibility of data breaches. The guidelines also address overarching topics, such as national data leadership and governance, user behaviour, and training. Other topics are technology-specific, such as mobile devices (hardware), operating systems, applications, networks, and data storage. A case study (mLAB in Kenya) is provided.
- (ii) The checklist aims to help mHealth project managers and HIS officials from ministries of health assess security, privacy, and confidentiality concerns of mHealth programmes. It contains action-oriented steps that organisations and policymakers can take to bolster protections of sensitive data stored in mHealth ecosystems. It has two main goals:
  - Self-assessment: This checklist is to be used by mHealth managers and ministry of health HIS officials to assess the ability of mHealth programmes to ensure the security, privacy, and confidentiality of sensitive health data. Although there is no built-in scoring system, items in the checklist are considered best practices.
  - Plan: This checklist aims to help implementers and policy managers identify security, privacy, and confidentiality considerations for mHealth programmes. This checklist is not comprehensive, but it lays out critical elements of a robust security system within mHealth programmes.
Publishers
51 (Guidelines for Program Implementers and Policymakers); 14 (Companion Checklist)
MEASURE Evaluation website, February 5 2018.