With GDPR looming, mHealth apps are at a critical crossroads

Updated: Aug 1, 2018

by Antimo Fiorillo, Founder & CEO at Intellegant

A revolution is upon us, as mobile technology seems poised to take off in a way long-predicted, but not yet realized. A number of factors are coming together to create the current gold rush, including:

  • Advances in the physical technology of our devices now allow things like face scanners or motion sensors that can be used to diagnose problems;

  • The ever-growing scope and sophistication of our data management and processing, which allows for innovative and powerful new ways to analyse data;

  • An ‘app culture’, with a massive, world-wide developer base all striving to find the next billion-dollar idea;

  • Consumer familiarity and trust of their devices, a key component of the public being willing to submit their sensitive and embarrassing health data; and

  • Companies like Apple, Google, Microsoft and Facebook seeing the potential and throwing their massive weight into the sector.

Critically, this wave of development is coming alongside a huge new focus on security and privacy, highlighted by the EU’s soon-to-be-live General Data Protection Regulation (GDPR). As we have discussed before, this regulation represents a major step forward in privacy, applies to the data of every single EU citizen, and promises massive penalties for non-compliance.

While those ‘sticks’ can reach 20 million euros or 4% of annual turnover (whichever is higher), the ‘carrots’ are even more significant. As mentioned, this is a key moment in the progression of consumer trust in their devices, and in data in general. We’ve all heard of massive data breaches revealing credit card or social security numbers, and, if one of the high-profile market makers allows a large-scale theft of sensitive health information, the mobile health (mHealth) market could be seriously set back and the projections below threatened. As such, security and privacy demand extreme attention, and studies show that the current slate of health apps has significant vulnerabilities and weaknesses.

Almost unlimited potential, as the entire $7 trillion global health market could be affected

Modest projections of the value of the mHealth app market suggest it could be worth north of $100 billion by 2025, with a compound annual growth rate (CAGR) of 35-45% to get there.[1] This is a fairly conservative analysis because it primarily looks at existing app categories such as Fitness and Lifestyle Management—these are important, to be sure, but likely to be the tip of the iceberg as far as total potential value. For instance, Orbis Research reported that the mHealth market was worth over $23 billion in 2017. A similar study from SNS Research, however, estimated that mHealth use in 2017 could already have reached up to $370 billion in hidden cost savings.[2]

Projected out, and considering new developments that will affect everything from doctor’s visits, to direct diagnoses without the need of a doctor, to hospital procedures, to clinical trials, this revolution can potentially shake up trillion-dollar markets—most countries spend around 10% of GDP on health, which comes out to be around $7 trillion in 2015.[3]

Tech behemoths to create new health frameworks for their employees, with mHealth sure to be included

The United States, of course, has unique issues (among first-world countries) with health care, as anyone familiar with its spiralling costs and uncertain legal framework (regarding changes by the Trump administration to the ACA, or Obamacare) will know. When talking markets, however, it cannot be ignored, and a joint venture between three hugely influential firms created shockwaves in late January, as Amazon, Berkshire Hathaway and JPMorgan Chase announced that they would form an independent health company for their US employees.

The exact form this will take is still vague. Legendary Berkshire Hathaway head Warren Buffett gave a recent interview in which he said they were aiming higher than simply cutting a few percentage points off costs, and that their goal was "something that other people can pick up on."[4] What we know for sure is that this venture will initially cover around 1 million employees and have the power of Amazon’s data solutions, cloud and otherwise, behind it, with many speculating that app development and integration will be a key part of the initiative.

Just in the last few days it was announced that Apple is doing something similar, launching a program called AC Wellness that will operate two clinics in Santa Clara county for their employees. Again, details are thin, but, combined with Apple’s other programs and strengths, it’s an easy bet that mHealth apps will be part of this picture.

Other behemoth companies have a smaller ‘test pool’ for their ideas, but are farther along in deployment. A recent feature in The Economist gets into the issue.[5] According to them, in addition to the Amazon-Berkshire-JPMorgan plan, new developments from Microsoft, Facebook, Google, and Apple are quickly coming to the deployment stage, and could reshape the entire health landscape.

State-of-play of the mHealth landscape reveals significant weaknesses

Apple’s and Berkshire/JPMorgan/Amazon’s plans are exciting, but at the moment strictly limited to their employees and not yet applicable to those trillion-dollar, worldwide markets. One way to have that reach is to go wide by creating a platform and utilizing the power of app developers around the world. In addition to its employee clinic plans, Apple is going this route by rolling out a major update to its devices called Health Records, which seeks to allow individuals to view, manage, and share their personal records in expansive new ways.

If this takes off, it could create a revolution in users’ ability to manage their own care. The approach is distinctive because Apple is focusing on the hardware and making its devices into trusted, secure health portals, with third parties utilizing the well-established app marketplace to dramatically expand options.

As mentioned, however, this approach will typically rely on independent developers, and thus has substantial risks in that it makes security and privacy standards harder to verify. A recent academic study[6] attempted to quantify these risks in our current situation, comprehensively analysing the security of 20 of the most popular mHealth apps on the Google Play marketplace, with worrying results. In cited studies, “researchers found that 40% of the [mHealth apps analysed] imply high risk to user’s privacy, 32% of the apps imply a medium to high risk, 28% of the apps low to medium risk whereas none of the apps was found with no risks at all.”[7]

The primary technical causes of privacy risks in these apps included, but were not limited to, unencrypted traffic, embedded advertisements and third-party analytics services. Stunningly, 63.6% of the sampled apps sent completely unencrypted data over the Internet, failing a seemingly basic security requirement. They note that 25% of the studied apps were found to “transmit users’ search queries over the network, but only 20% of these apps use a secure connection (HTTPS) when doing so.”[8] The common use of GET requests instead of POST for submitting such data is another major flaw, since parameters sent in a GET request appear in the URL, where they are routinely logged and cached.
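To make the two findings above concrete, here is a small added audit script (not from the cited study or from any of the apps it examined) that classifies captured app requests the same way: cleartext HTTP transport, and sensitive values carried in a GET query string rather than a POST body. The sample requests, hostnames and the list of parameter names treated as sensitive are all constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of captured app requests (method, URL); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "http://api.example-health.test/search?q=chest+pain&user=42"),
    ("GET", "https://api.example-health.test/search?q=insomnia"),
    ("POST", "https://api.example-health.test/search"),  # the remediated form
    ("GET", "http://ads.example-tracker.test/pixel?app=sleeplog&device=abc"),
]

# Parameter names treated as sensitive for this demonstration (assumed set).
SENSITIVE_PARAMS = {"q", "search", "query", "symptom", "user", "device"}


def audit_request(method, url):
    """Return the issues found in one request.

    'cleartext'            -> scheme is plain http, so the whole request is
                              readable on the network path.
    'sensitive-in-url:...' -> a GET carries sensitive parameters in the query
                              string, which ends up in server, proxy and CDN
                              logs and in client history regardless of TLS.
    """
    parts = urlsplit(url)
    issues = []
    if parts.scheme == "http":
        issues.append("cleartext")
    if method.upper() == "GET":
        leaked = sorted(k for k in parse_qs(parts.query) if k in SENSITIVE_PARAMS)
        if leaked:
            issues.append("sensitive-in-url:" + ",".join(leaked))
    return issues


def audit(requests):
    """Map each URL to its list of issues."""
    return {url: audit_request(method, url) for method, url in requests}


def summarize(findings):
    """Share of requests affected by each issue, as percentages."""
    total = len(findings)
    cleartext = sum(1 for v in findings.values() if "cleartext" in v)
    in_url = sum(1 for v in findings.values() if any(i.startswith("sensitive-in-url") for i in v))
    return {
        "total": total,
        "cleartext_pct": round(100 * cleartext / total, 1),
        "sensitive_in_url_pct": round(100 * in_url / total, 1),
    }


if __name__ == "__main__":
    for url, issues in audit(SAMPLE_REQUESTS).items():
        print(url, "->", issues or "ok")
    print(summarize(audit(SAMPLE_REQUESTS)))
```

Only the POST-over-HTTPS request passes both checks; a real review would feed the script request records captured from a test device with a local proxy.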

Aside from technical characteristics, significant problems were also found with GDPR compliance. Though companies have a few months to go before the regulation goes live in May, the high number of non-compliances shows the extent of the problem. Missing requirements include:

The paper gets substantially further into details, but these highlight the scope of the problem. In this key moment, as billion-dollar bets are made and anyone could potentially develop the next killer app, the industry cannot skimp on privacy and security. GDPR penalties are an obvious risk, but the far bigger one would be to ruin your company’s reputation and miss out on absolutely massive potential markets. Customers are familiar with data breaches, and will not be kind when they involve embarrassing, private health information.
