Mobile health and information security

Technology has played a revolutionary role in the development experienced in the 21st century and mobile technology has been in the forefront of this revolution. Mobile technology has found relevance in every field of endeavour from surveying to geo-mapping, criminal investigation to health care.

According the Nigeria Communication (NCC) there are currently, there are 151,435,693 million mobile phone users in Nigeria, with over 30% of the population using smart phones. Modern health care lends itself to modern technology in many ways, from areas of diabetic care to cardiac monitoring, from adolescent reproductive health to gynaecological monitoring, from disease outreach surveillance to health insurance, the list is endless.

The Nigerian healthcare system faces enormous, such as shortages in the health workforce, poor healthcare facilities, proximity of health facilities, poor health financing among other issues. Mobile health (MHealth) provides an alternative medium for addressing some of these challenges. The introduction of mobile apps on smartphones has made the practise of early detection and treatment easier for medical practitioners.

Some notable initiatives in the field of mHealth in Africa include M-Pedigree used for drug authenticity; Changamka MicroHealth used in health insurance in Kenya; MAMA (Mobile Alliance for Maternal Action) used in the provision of vital health information via SMS and simple voice messages among others.

However, despite the enormous benefits and promises it holds, mHealth faces many obstacles to adoption in Nigeria, this includes but is not limited to; medical training that is yet to incorporate mHealth as part of its curriculum; low level of internet penetration and number of mobile smartphone users; adherence to instructions by patients, (taking into cognizance the non-human interface which may affect some patient adherence to medical prescriptions), information theft and mobile technology security. 

Mobile health information security is a major challenge, especially with the increase in medical apps that are designed for different purposes to obtain daily medical records. The privacy of individuals regarding mobile health technology use has been called into question (information privacy refers to individual’s right to control the acquisition, use, and disclosure of identifiable health data). An example of mobile security concern is the recent fiasco between the Federal Bureau of Investigation (FBI) investigating Syed Rizwan Farook (the terrorist that attacked San Bernardino) and Apple, to unlock the security fixtures of Mr Farooks Apple phone. Despite the advanced security features of Apple products, the FBI was able to use her contractor to unlock the device. With an increase in phishing and hacking were personal information could be intercepted and possibly used for illegal activities such as blackmail, impersonation and others- the security of medical information via mHealth is called into question. This is further encumbered by the lack of specific laws enacted to address security and privacy of mHealth.

It  is worthy of note that the right to privacy of Nigerians is granted under Sections 37, 45 and 46 of the 1999 Constitution of the Federal Republic of Nigeria. This right to privacy under the Constitution covers individual correspondence through telecommunication, subject to some special conditions where the government through appropriate legal approval, may interfere with such privacy. Furthermore, the code of medical ethics also confers the status of confidentiality on information given to physicians by their patients in the principles of respect for autonomy, nonmaleficence, beneficence, and justice. Nigeria’s Medical and Dental Practitioners’Act (Cap. M8, Laws of the Federation of Nigeria, 2004), establishes protections for medical and health data. The Code applies to all medical and dental practitioners and provides that all communications between a patient and a medical or dental practitioner made in the course of treatment are confidential and cannot be disclosed unless compelled by law. The code also makes certain provisions for telemedicine. It provides for the security of a patient’s personal information when that information is stored, sent or received by fax, computer, email, or other electronic means.  

However, this above mentioned legal framework did not address the peculiarity of mHealth especially the medical code which does not traditionally apply beyond the healthcare provider and patient relationship. The national telecommunication policy of 2000, failed to address issues related to mobile technology safety and security. However, in an attempt to close this gap, the government came up with a harmonised national ICT policy 2012. This policy seeks to address some of the issues in the ICT sector. One of the shortfalls of this document is the failure to recognise the security and safety of mobile health information. Security and safety in this document mainly address cyber security and safety, while security and safety of telecommunication was generally mentioned. This creates a lacuna in the protection of privacy and indeed safety and security of health information of Nigerians.

With the increase in the usability of mobile technology and its integration into medicine, government through the relevant agencies should address the grey areas in the national ICT policy and enact laws for mHealth. Such approach should consider the interplay between variables such as custom, law, and technology among other issues as highlighted by the Thomson Reuters Foundation.  In developing a law in this regard, some systematic process should be considered. Such considerations as recommended by Thomson and Reuters foundations in 2013 includes: conduct fact gathering and analysis, determine scope of covered entities and personal data, and determine notice of consent requirements. Furthermore, implement appropriate data security obligations, address data integrity and accessibility, incorporate data minimization principles, consider data transfer parameters and identify credible and feasible enforcement and sanctions mechanisms.

Furthermore, areas such as data breach response and notifications, non-profiling and automated decisions, right to be forgotten, non-transfer to unsafe countries, privacy impact assessments and health records should be considered in the law.

Chimankpam W. Uzoma