Mobile health: What should be regulated and what not?

By Eric Wicklund
09:45 AM

Privacy and Security
While the FDA regulations are expected to clarify a muddy situation with regard to mobile medical apps, the panelists discussing mobile device security and privacy issues found themselves confronting an equally complex dilemma: How can an institution ensure not only that the devices it uses are protected, but extend those protections to devices brought in by physicians and patients?

Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, pointed out that many privacy and security laws in place – such as HIPAA – were enacted at least a decade ago, and they "don't incorporate the challenges posed by newer technologies."

She also pointed out that providers generally aren't as concerned about privacy and security as their supervisors are.

"If you've got a security device that's hard for your providers to use, they're going to turn it off (or) get around it," she said.

Still, the risks are plenty – and expensive. John Halamka, MD, a professor of medicine at Harvard Medical School and chief information officer at Beth Israel Deaconess Medical Center, said BIDMC is just now paying the price for a physician who brought in a newly purchased personal device that wasn't secured and left it on a desktop – where it was promptly stolen by someone passing by. The thief, a known felon, was identified and tracked down, but the device was long gone. Hospital officials are now working on a two-phased plan to make sure all devices in the institution, as well as personal devices used by employees that may contain protected health information, are properly encrypted.

"When you look at the cost of a breach, actually spending a couple hundred thousand dollars to secure personal devices is a bargain," he said.

And while considering automatic wipe enforcement, smartphone encryption enforcement and mobile device management policies, he said, one also has to take into account malware. FDA-approved medical devices can attract viruses of a decidedly non-biological nature, he said, and patching or securing them could force the device makers to seek FDA approval all over again.

Part of the problem, said David Harlow, a lawyer and principal of The Harlow Group, is the "alphabet soup" of federal agencies involved in privacy and security issues, all of them wanting to assert control.

"We're having a sort of an Al Haig moment in the evolution of regulatory control over mHealth," he said. "All of the agencies have a piece of us."

McGraw, whose organization recently released a set of best practices for securing mobile devices, said privacy and security issues often get set aside when physicians and nurses are working.

"The primary mission of healthcare is to save people's lives," she pointed out. "We secondarily ask them to protect data, but don't give them any more resources to do it."

Halamka said healthcare institutions need to balance standards with what he called "optionality" – devising privacy and security measures that might be different for each device or set of devices, with different guidelines and standards based on how those devices are used.

"My wish is that all these agencies say, 'What is it you should be accomplishing?'" and then decide on the appropriate security standards, he said. "It's not a technology problem – it's a psychology challenge."

 
