Issue 14 / 16 April 2012

DOCTORS using clinical software on their smart phones or tablet computers may be inadvertently putting patient confidentiality at risk, according to a privacy expert.

Dr Juanita Fernando (PhD), part of the mobile health research group at Monash University, told MJA InSight she had been contacted by several patients who had suffered “direct dire consequences” as a result of privacy breaches after doctors used clinical apps on their mobile devices.

She cited the case of a doctor who had updated and uploaded a patient record at home using a clinical app. This was then cached by a metasearch engine, effectively publishing the data in the public domain.

Dr Fernando said these patients had the right to litigate but so far she was not aware of any Australian cases.

She said clinicians’ intellectual property could also be at risk.

Writing in the latest MJA, Dr Fernando said there was a “legal vacuum” in guidelines governing smartphone and tablet use. (1)

“We can either regulate clinical software now or wait and let the courts decide, when legal cases occur”, she wrote.

Dr Fernando told MJA InSight that mobile clinical software could be “incredibly valuable” but there was a need for greater regulation, as well as increased awareness of potential pitfalls.

“There needs to be more advice to clinicians, for example, about what information is being sent on to third parties”, she said.

She said “root-kits” — software applications that are hidden by manufacturers to monitor program performance — posed a number of risks as they could transmit unsecured text and log keystrokes.

Dr Fernando said the solutions were often simple, such as using encryption of data on mobile devices.

Dr Mukesh Haikerwal, national clinical lead of the National E-Health Transition Authority, agreed that there were potential risks of using mobile clinical software.

He suggested that clinical apps be reviewed before use, perhaps using a similar method as that used by the Therapeutic Goods Administration to license therapeutic drugs or devices.

Dr Haikerwal coauthored an editorial in the same issue of the MJA highlighting that Australia has no governance system to ensure e-health safety in general. (2)

“There is currently a gap, stretching from local to national, in safety governance for clinical information systems”, the editorial said.

It emphasised the importance of ensuring systemic safety — even if individual components were safe — but no organisation had either the mandate or the expertise to regulate this.

The concerns were particularly pressing given that the personally controlled e-health records rollout will begin from 1 July.

The editorial said potential harms included drug allergies being incorrectly uploaded from local clinical systems, or medication names and doses being incorrectly imported.

“Given the systemic nature of national e-health, harm events will not be confined to individuals and may affect large groups of patients … At some point, however, patient harm will occur.”

The responsibility for e-health clinical safety may need to fall under the remit of Australia’s Chief Medical Officer, or a specifically designated body, the editorial said.

Dr Haikerwal told MJA InSight that coordinating e-health safety through COAG (Council of Australian Governments) may be the preferable approach to achieve nationally consistent standards.

Dr Sara Bird, manager of medicolegal and advisory services at MDA National, said she had received a number of enquiries from members regarding the privacy, confidentiality and security of e-health data.

Dr Bird often directed concerned doctors to RACGP guidelines on computer security and information security standards. MDA National had established an internal working party on e-health because e-health enquiries from members were increasing.

“It’s reasonable for doctors to be cautious and careful about what they’re doing because the risks are significant if things do go wrong”, Dr Bird said.

However, she said she had not received any enquiries from doctors concerned about their use of mobile apps.

– Sophie McNamara

1. MJA 2012; 196: 437
2. MJA 2012; 196: 430-431

Posted 16 April 2012

5 thoughts on “Privacy concerns over mobile apps

  1. Phillip Chalmers says:

    Is there anyone less interested in this sort of beat-up than I am?
    Patients want so much confidentiality that they tell all and sundry in a loud voice all their problems in the waiting room
    People are so secretive they can be heard in the next carriage as they talk on the mobile electronic communication device of their choice

    The Pentagon, the White House, Microsoft, the Palace, banks, … have all been visited by determined hackers – States now have full time experts working on cyberspying: trying to do it and trying to defend against it

    Get back to me when there exists on Earth the unbreakable network connection, in the meantime BORING

  2. Dr C Perera says:

    Dr Fernando makes some very interesting and valid points in her article addressing mobile app use. The reality of mobile app use amongst doctors is that it will be an ever increasing trend, and represents the natural transition between traditional computers, and newer mobile technologies. Whilst I am sure there are reports of privacy breaches from doctors using mobile devices, I wonder how this compares to privacy breaches arising from unattended hospital computers, poorly maintained desktop computers, or unattended paper files. I do however agree that national guidelines would provide doctors a framework to use these new mobile technologies, and is an issue that needs to be addressed.

    With regards to the clinical accuracy of mobile apps, this too is a very valid concern, and I believe it is up to the medical professionals, and respective advisory bodies to practice evidence based medicine. As Editor-in-Chief of the Journal of Mobile Technology in Medicine (http://www.journalmtm.com), a growing body of literature in the field has been noted, and similar to any other new diagnostic test or treatment, doctors need to be guided by the evidence base.

  3. hamish says:

    I do enjoy a good scare article.

    ” she had been contacted by several patients who had suffered “direct dire consequences” as a result of privacy breaches after doctors used clinical apps on their mobile devices.”

    and yet

    “Dr Fernando said these patients had the right to litigate but so far she was not aware of any Australian cases.”

    So were these cases in Oz or elsewhere.?what were the dire consequences ? Also I would love to know the names of the apps and the search engine. Most apps are quite careful about what data they record now as if they are exposed as sending data back to a cloud without permission it can destroy the reputation off the app and the company that wrote it.

    I use logmein from laptops and iPad to access and update records, but I cant ever be sure that info is not being intercepted, recorded other than the reputation of the company and that they state that its secure.

    It all comes down to trust.

  4. Philip Dawson says:

    There are more than just privacy concerns with mobile “apps”
    Who is checking them against standards? If the user turns off automatic updating of the app, then any updates to fix bugs won’t happen. I agree with the American Medical Association that they shouldn’t be used for patients information. By all means use a calculator on your smartphone/tablet at the bedside to get a drug dose or a CHADS2 score or something, but in general use either the clinical software on your network or the web for clinical applications as these are checked, updated by IT departments and kept secure, unlike smartphones and pads which auto sync to numerous sevices. Nothing on my computer “autosyncs” to the cloud except my firefox bookmarks on my home computer, and gmail, which is not used for patient data. Personally, despite having a smartphone and several “apps” including medscape, some clinical calculators and a general calculator, I don’t actually use any of these in day-to-day practice – there are enough computers around in the surgery, the hospital and the nursing home for me not to have to play with a tiny screen! I suspect the fad for doing these things on small screens is a passing one. I like my 24″ desktop screen, and might even go to a 27″ one.

  5. Barrister says:

    Patients who are traveling have for some time now have been able to access their own medical records at http://mimedikal.com/
    As the patients gain ownership of their own medical records & data, it is a secure medical record storage site. The only person that has access IS THE PATIENT and once data is uploaded cannot be altered. If a mistake is made in the uploading that cannot be undone – it requires additional upload labelled as an amendment that must be posted. It is used world wide

    The Australian Government is rushing at a dangerous rate to implement a faulty system accompanied by a raft of regulations and penalties. That is to disguise the fact that they have wasted a good part of $720 million and the Opposition has yet to capitalise on this – which is bigger than the insulation roll out scandal.

    But if the patient owns and securely controls their own medical record storage, wherever they are at home or travelling in Australia or overseas the government and governments then cannot legislate against this safe personal decision.

    Do you want your personal records from birth to death owned by the government?

Leave a Reply

Your email address will not be published. Required fields are marked *