Tuesday 17 March 2015

Information Security and medical devices

Lately I've been thinking about consumer-focused medical devices. I am a Fitbit user and only ever access the information on my cell. I do not actively share my information in their communities, but I assume that Fitbit uses my information, in aggregate, to make money.
I get it, they are a for-profit company and I am receiving an ultra-cheap service; Fitbit needs to make money on that service somehow.
Now that I've got the niceties out of the way, the rest of this blog is angry and rant-y. In terms of full disclosure, some of my anger comes from the recent kerfuffle over General Mills' plan to treat social media as a binding contract to protect itself from litigation. The rest comes from my fright over the new internet of things and the push for exponential growth in apps and developers by 2020, which BTW is not that long from now.
Anytime we expand, something gets left out... and usually in software development it is security and customer privacy (see here for a good summary of where we are at with app security). We already know that many vendors do not take information privacy and governance seriously. Look at the recent Anthem disclosure... and they know they are subject to HIPAA.
The Market potential is enormous
The potential market for technologically enhanced medical devices is huge. (The market breakdown and total value are Espicom numbers. All analysis of the potential of technology to replace or enhance each category is mine. The Canadian market numbers are easily available and could be verified; most estimates put the US market at 10-100 times the size.)
I estimate a $2 billion market in Canada based on current trends and the potential for technology to enhance the current medical devices when broken down by category. If we assume that some of the devices will collect information, this puts the potential software market at $1.2B in Canada alone. The opportunity is enormous... for both commercial ventures and the rampant loss of patient privacy.
A lack of responsibility on the part of software companies
The other part comes from my attempts at conversations with a couple of consumer-focused but information-sharing applications. One company provides a cloud-based service that allows doctors and medical students to share patient information, including pictures, with other doctors. It is a great premise BUT... what protection is there for patients? I contacted the company and basically their protections are focused on their own bottom line: they have a "policy in place that meets all legal obligations in their local jurisdictions"... THEY ONLY HAVE POLICY... they also would not disclose any technical protections to block the sharing of patient data, and had no plans to be proactive about applying any.
Am I the only person that has a problem with this?!? This is a product designed for medical personnel to SHARE patient information and they have no plans to protect the data!
As we move forward into the wearables and internet of things era, what are the obligations of these companies that hold personal information? We, as consumers, need to hold customer-facing companies responsible for protecting customer information. Doctors and people within the software industry in particular should be absolutely ashamed of the state of medical device and health app security. Both groups have actively undermined efforts to enact better regulations by complaining that it will kill the industry. Here is a note: if you lose private health information, it will kill your company. Shouldn't a company that provides a service that enables the sharing of medical information be held accountable? Should they be allowed to merely point to a piece of "paper" and say "not our problem"?!? If your policy says that the user must comply with hospital regulations on patient data sharing, you should provide the hospital a method to enforce that policy. As a patient I need to know that the med student is not sharing pictures of my serious and potentially embarrassing problem just to have a laugh with their friends. It is the reason that Box is such a fast-growing product! It gives end users what they need and it gives the business the protections it may need. In this age of PRISM and companies selling your data (see here for stats), wouldn't it be a marketing advantage to tell customers you go beyond the minimal standards that were set for a paper-based age?
Here is my POV on this: if you are enabling sharing of a person's medical information, whether they are your customer or a customer's patient, you are obligated to protect that data from the stupidity or laziness of your users. How many busy residents are really going to take the time to ask their patients if they can share the x-ray? Especially if they can control capture and share from a personally owned device? Should I as a patient be forced to spell out the conditions under which I will allow students and doctors to share my information? Is that really a winning strategy in an age of user experience? There should be no such thing as Facebook, Dropbox or Google Drive for doctors! At a minimum you should provide hospitals the option of enabling controls based on their policy, and not just weasel out of it by throwing your hands up and saying "hey, we did our job, they told us that it was alright."
