MedEdge 2014 -- New Medical Innovations Bring Privacy Dangers

The 2014 MedEdge Summit was a resounding success. Academics, innovators, entrepreneurs, and practitioners filled the auditorium and networking booths. As one of the lucky attendees, I zoomed in on Dr. Cafazzo’s talk about the significant lack of human use considerations (“reverse human engineering”) in the design of traditional medical products, and the introduction of new innovations that correct these, sometimes deadly, flaws. However, these new innovations bring a set of privacy challenges that can also have dire consequences.


To Err is Human

Dr. Cafazzo stressed that the inaccurate use of medical innovations is a widespread and serious problem. The traditional approach is to blame the patients for this problem, as they are the ones who make usage errors. [1]

In contrast, Dr. Cafazzo argues that the cause of many misuse problems can be traced to a lack of human use considerations in product design. The reality is that humans err, so the expectation that patients will use the products perfectly each time should be abandoned. Instead, during the creation and design stages, medical innovators must assess and compensate for the degree of usage errors. This view is supported by the U.S. Food and Drug Administration [2], which recommends and sometimes requires manufacturers to perform a risk analysis of human misuse of a product before releasing it to the market. However, I am unaware of any Canadian policies that require the same.


I have to pay how much for my own health data? 

Traditional medical innovations fail to provide the patients with easy access to their own health data. Under the Personal Health Information Protection Act [3], health information custodians (including physicians) have exclusive control of the patients’ medical records. Although the custodians are obliged to provide the patients with their own data, they may charge a fee to “reasonably recover” the cost spent in preparing this information. However, in practice, the fee charged is often unaffordable, as in the case of a Thunder Bay woman who, reportedly, was asked to pay $600 to access her own data.


Proposed Solution: Self-Management Internet Platforms and Mobile Apps  

To correct these flaws, most health innovations introduced at MedEdge focus on being simple and user-friendly, and on giving the users fast and efficient access to their health information.


Dr. Cafazzo’s Centre for Global eHealth developed Breathe, an innovation that encourages asthma patients to understand and self-regulate their health. This mobile application allows the users to access their health information at any place and time. Breathe employs easy-to-read, attractive graphics to display daily and weekly health assessments to users. It encourages the users to take an active role by developing action plans and by competing with other patients to see who best regulates their health. Similar self-management tools introduced at MedEdge include


Privacy Dangers

Although these new innovations do fix many problems associated with old medical products, they also bring a set of privacy dangers with them. Whereas traditional medical processes like paper files guard patients’ medical records strictly, some new innovations may be more easily hacked and abused.


My concern for privacy issues, particularly in mobile health apps and internet platforms, comes from two sources. First, the current state of security features in electronic devices is not sufficiently sophisticated. In a recent study conducted by the Hewlett-Packard Company, it was found that 86% of mobile apps do not have basic security defenses. Last year, the Federal Trade Commission sued HTC America, a mobile device manufacturer, for its lack of security features in applications on smartphones and tablets. These security vulnerabilities enabled malware to be installed without users’ knowledge or consent, allowing hackers to gain access to all of a user's information. HTC settled the case and delivered security patches. However, it remains questionable if those security updates are sufficient, as the patches delivered by HTC in 2011 failed to stop the hackers.


Nevertheless, I do acknowledge that significant global efforts have been made towards better privacy protections.  In 2013, the European Union issued a directive [4] that requires its member states to assess and manage privacy risks in the information systems under their control. In the same year, the U.S. passed the Cyber Intelligence Sharing and Protection Act, which facilitates the sharing of cyber threat intelligence in order to increase cyber security. In 2012, ten Asian countries agreed to implement ASEAN’s Information and Communications Plan [5], which seeks to promote cyber-security and co-operation. The problem is that despite these efforts, many countries conclude that global privacy protections in cyberspace are still immature [6]. Therefore, while better cyber security and privacy features are possible, they have not yet been achieved.


Additionally, the information involved in health mobile apps is extremely sensitive. For instance, Breathe gives users (i.e. anyone who has login information or has deployed malware to gain access) information about the patient's symptoms, the triggers that cause those symptoms, the patient's past and current medications, and the locations that the patient has been to every time they do a self-assessment. The consequences of leaked health information can be severe. Some medical conditions, such as AIDS, are stigmatized in society [7]. Also, unauthorized access to this information will likely increase the probability of identity theft [8].



It is true that many traditional medical products are problematic as they can be complicated to use and do not provide users with easy access to their own health data. However, I remain unconvinced that health mobile apps and internet platforms are the best replacements for these products, at least for now. We still remain in an era where cyber security is fragile and medical information is extremely sensitive.


Sabrina Ding is an IPilogue Editor and a J.D. Candidate at Osgoode Hall Law School. 


[1] Dr. Joe Cafazzo, "Finding Empathy: Navigating Past The Dark Side Of Health Technology Design" (Health Innovation Design Lecture delivered at the Richmond Hill Centre for Performing Arts, 19 June 2014), [unpublished].

[2] US, Food and Drug Administration, Draft Guidance for Industry and Food and Drug Administration Staff - Applying Human Factors and Usability Engineering to Optimize Medical Device Design, (2011) at ss. 1, 11.

[3] Personal Health Information Protection Act, SO 2004, c 11, s.54(1).

[4] Katherine Ritchey et al, "Global Privacy and Data Security Developments" (2013) 69 Business Lawyer.

[5] Supra note 3.

[6] Supra note 3.

[7] Gregory Herek, "AIDS and Stigma" (1999) 42 American Behavioral Scientist.

[8] Khaled et al, "Evaluating Common De-Identification Heuristics for Personal Health Information" (2006) 8 Journal of Medical Internet Research.