Data privacy concerns about digital health data
Concerns have been raised whether health apps threaten the privacy of sensitive data.
Ross Campbell, life / health chief underwriter, research & development at Gen Re, raised the issue in article for reinsurer Gen Re.
Campbell notes the growing use of smartphone apps and wearable devices to generate personal health and lifestyle data poses a dilemma for privacy.
He says: “While individuals have much to gain using apps to help them manage ongoing health concerns, including better understanding of their health, the privacy of the data itself may be at risk.”
Campbell explains that consumer-grade devices that link across Internet networks are rather vulnerable to security attack (hacking).
He says the levels of security that can be tolerated by users fall short compared to enterprise networks. The portability of wearables and smart devices, carelessness with passwords and lack of encryption means confidential data is much more at risk of being stolen.
“Apps use a programme interface (API) to access sensors in devices themselves – GPS, messages, even the camera – and to collect data. Many apps combine data to draw conclusions (accurate or otherwise) about the user’s state of health. Some insurers are already using activity data from fitness trackers to enhance products. It seems likely the trend will continue as apps become more sophisticated and hardware develops broader appeal,” says Campbell.
Campbell explains that US federal and state laws require published policies concerning the use, disclosure and safeguarding of personal data by mobile apps.
He writes: “Health data are subject to special restrictions. In addition to imposing restrictions on sale and disclosure on all personal data on apps, EU data protection directives and national laws also have more restrictions for health data; for example, explicit consent requirements.
“Apps must comply with all applicable legal requirements for processing health data and personal data more generally, including consent requirements of various levels of specificity and explicitness for different types of uses and disclosures of different types of personal data.”
In Campbell’s view, it may not occur to most users of a fitness app that their personal data will be disclosed to the device manufacturers, who may sell it to third-party advertisers or share it with data aggregators.
“The terms and conditions of apps are not always read or the developer is based beyond national legal boundaries. The relatively short life cycle of many apps could also mean personal data may end up lost as the apps become defunct.”
Campbell concludes: “Underwriters and claims assessors will process increasing levels of digital health data in their day-to-day work in future. However, if patients cannot believe the health data they store in apps is private, they may resist calls from clinicians to use them.
“It’s important to address concerns over data privacy or failures to protect individual’s sensitive information, so patients’ resistance does not stall this innovation.”