What Privacy Risks are Associated with mHealth Technologies?

Executive Summary

We gathered some interesting information from The National Center for Biotechnology Information (NCBI) regarding mHealth technology and the risks associated with its use. This article summarizes this information and provides links to related resources below.

Mobile healthcare (mHealth) technologies have the potential to improve healthcare quality, wellness, access to healthcare options and reduce costs. With the rise of technological innovation, the use of mobile healthcare has increased largely within the consumer base. Mobile healthcare has been embraced for its many advantages, however, mobile healthcare has multiple risks regarding privacy, software assurance, and security. These risks arise from the following trends:

  • Healthcare systems are seeking more efficient and less expensive ways to care for patients, thus the point of care is shifting;
  • Outside monitoring is becoming more prevalent, pushing healthcare institutions to seek more innovative methods of keeping populations healthy;
  • Mobile consumer devices are being adopted so quickly that it is difficult to protect sensitive health-related information;
  • Emerging threats target health IT systems, and new regulations arise to protect medical integrity and patient privacy;
  • Rapid technology advances increase the chance of breaches; and
  • Healthcare organizations lack the technology to secure patient data.


We are interested in generating some discussion on this topic - please check out our Healthcare Privacy Community of Practice and join the conversation.


What is mHealth Technology?

mHealth refers to mobile technologies which have the ability to monitor the user's health. mHealth has four different categories as defined by NCBI:

  • Physiological monitoring: measuring, recording, and reporting physiological parameters such as heart rate and blood pressure.
  • Activity and behavior monitoring: measuring, recording, and reporting movement and physical and social activity as well as health-related behaviors such as eating and addictive behaviors.
  • Information access: accessing health-related data—for example, medical records, activity, or behavior data—and decision-support tools.
  • Telemedicine: communication between patients and caregivers and/or providers—for example, a virtual doctor visit or a patient receiving personal encouragement from a caregiver support team.

Data Managment and Consent

Many mHealth technologies raise the question of consent since they collect and distribute the personal data of patients/consumers. Data is also stored for later analysis by caregivers, physicians, and providers. Information is often transmitted over wireless networks, which can be more susceptible to interception than broadband networks, making security protocols the only barriers protecting data against a breach.

Since mHealth technologies gather such a broad range of information at such a fast pace, often individuals are unaware of the collection of said information. Thus consent can sometimes be breached. For example, it can be assumed that a smartphone, as a personal device is only going to be used by the owner. However, phones can be stolen or borrowed by another person, resulting in the phone’s mHealth apps recording data about the wrong person to the owner’s health record or exposing the owner’s PHI via app displays and notifications. It is then important for a smartphone to know when it is not in the owner’s possession.

Many future mHealth apps will use wearable devices to measure activity. These devices ensure and verify the wearer’s identity to ensure that the data is posted to the correct health record and that any treatment applied is truly intended for the wearer. The goal of effective security protocols is to protect participant identity and secure data if unauthorized individuals were to gain access.

Confidentiality and Anonymity

Mobile-sensor data provides researchers with opportunities to observe physical, biological, behavioral, psychological, social, and environmental factors that contribute to disease. However, mobile-sensor data can also disclose private information about the user. Sharing mobile-sensor data carries re-identification risks. 

Encryption of data is a factor for security that allows for the preservation of anonymity, however, it must be done before the transfer of data. This process hides the content of a message while it is in transit, and the original message can only be seen through a process called decryption. Once data are encrypted and the challenge of anonymity has been addressed, the data collected can be transferred.

Policies and Compliance 

mHealth systems and the information they provide is typically managed by policies. Everyone involved in the mHealth application must trust the system to provide high-integrity data and services while respecting users’ privacy. This trust is partly based on mechanisms built into the technology and trust in the people and organizations manufacturing and distributing devices and using the data. These are the critical foundations for the technological mechanisms. Additionally, this trust builds upon the fact that the user will believe that the information provided is as accurate as possible. Everyone involved in the mHealth application must trust the system to provide high-integrity data and services while respecting users’ privacy. Threats posed by cyber attacks and breaches threaten this. To protect not only data but system inferences and decisions, solutions to such attacks must go beyond the existing barriers. 

Related Resources: