Unclear and present danger: the insecurity surrounding the use of personal health data


Medical apps and the health data they produce were supposed to revolutionise the way healthcare was provided but it just hasn’t happened. Digital health consultant Marc Southern asks if we’ve opened a can of worms


‘Take a couple of apps, and I’ll see you again next week…’ A couple of years ago this headline was all I saw across the digital/tech media. With the rise in ‘app culture’ circa 2011, the promise offered by health apps was palpable. The UK government was hopeful that this would allow patients to track and monitor their health more effectively. Apps were going to solve all our health problems, ultimately taking some of the burden off the GP and aligned health services. There was even a suggestion that these could be offered free of charge. The explosion in healthcare apps led to the creation of the NHS Health Apps Library – an NHS-vetted store for health apps. With more than 150,000 health apps now available, finding one that can genuinely help is a struggle – so the library was a great idea. The apps were reviewed to ensure compliance with data protection laws and clinical accuracy. The app library gained some attention, but didn’t fundamentally change the way in which apps were ‘prescribed’ by healthcare professionals. Other services, for example Happtique, had tried this approach before and failed.

Now researchers from Imperial College London have published three studies in the BMC Medicine journal that raise serious concerns about the NHS Health Apps Library. Beyond the major issues regarding the poor quality of the apps, for me one of the biggest concerns was the chronic lack of data privacy review: 70 of the 79 apps tested transmitted data over the internet, and 38 of those provided no information about what data would be sent. Whether this oversight was due to a lack of understanding of the data protection legislation or to a weak approval process is hard to say, but what it exposes is the lack of clarity around the use of personal health data within medtech. These findings are sure to set back health apps and how they might be able to improve healthcare.

The NHS Health Apps Library is no longer live. The criteria for reviewing apps are being reconsidered and, once that is complete, the library will go live again. This is a good example of the current gap between the privacy patients expect for their data and the security that is actually delivered. We can all see the potential value of services that use personal health data. However, we must balance this potential with laws and regulations to ensure that patients and healthcare professionals aren’t cheated out of information that they own. Whether you are creating a website, an app, a device or a piece of software, you must consider how personal health data is going to be used to the benefit of both the user and your organisation.

A recent KPMG survey showed that 74 per cent of consumers would be happy to share personal health data collected from a wearable device, but only 60 per cent were comfortable with the data being shared with and stored by other entities, including healthcare providers. This clearly illustrates the ‘trust gap’ that exists, and it is partly a result of the way companies go about obtaining your data.

We’ve all experienced it before. We download an app and are confronted by a terms-of-use statement that’s several pages long, filled with complicated language about what the company will or won’t do with your data. Most of the time consumers don’t read the statements and aren’t fully aware of what they are signing up to. You may say that it’s their fault, but I believe some of that fault lies with the medtech companies. If a company wants to use your data, then it needs to set out clearly how it will use that information. This is a common theme of EU-wide data protection legislation. However, according to the European Data Protection Supervisor (EDPS), it’s an area of regulation that isn’t clearly understood. With improvements in understanding comes continued trust and development.

So what is ‘good’ data security? One of the key things I look for is how clear the exchange, or the transaction, between the consumer and the company providing the product or service is. Some value exchanges aren’t very clear to the consumer. One example of this is Google. Google feels like a free service, but you’re paying for it through the use of your data. This is all written into the terms of use, but I doubt most Google users are clear about exactly how their data is being used. Another particularly clear illustration of the pitfalls of personal health data comes from Amgen. To gain financial assistance for one of its drugs, patients are required to surrender the rights to their personal information so that it’s available to the company, but also – significantly – to unspecified third parties. In this instance, the privacy policy is far broader than it needs to be to achieve the purposes of the payment programme, in my opinion.

All that being said, many health-tech companies are looking for ways that they can harness personal health data so that it benefits both parties. Different forms of value can be extracted from data in three main categories:

  • Reward – this can be generated in numerous ways, but I tend to think of this as something additional that comes from a user’s input. Generally, the user’s input is active and the reward element is part of a ‘behaviour change’ programme. An example could be using a fitness tracker supplied by a health insurance company. Generate enough points, based on your activity (for example, 20 points if you walk 15,000-plus steps a day) and you can exchange them for rewards, such as a discount on gym membership or a reduction in your insurance premium.
  • Learn – numerous medtech devices are there to help the user with an activity, make something easier or to deliver a service. Interacting with these services and providing your health data can help you and a healthcare company learn more about your disease or treatment. An example of this could be using a treatment-tracking device placed on your asthma inhaler that collects data when you take a puff. This data is then aggregated alongside pollution, weather and location information to help you understand certain triggers and how they affect your disease.
  • Communicate – sometimes it can be valuable to track bodily functions that can’t be seen. For example, a patch used by a patient with IBD (inflammatory bowel disease) to determine when they are likely to have a bowel movement. If such a device can communicate this in good time, it can be extremely beneficial to users, who can then find a public toilet. This device would require the secure communication of data at the right time to ensure that the patient feels confident that the service will help.

For all of the above to work, it requires the company to be very clear and specific with its users. As the NHS has learnt through its Health Apps Library, explicit consent is what is needed. As consumers become more aware, there will be even more pressure for companies to ensure clarity in how they interact and use personal health data.

To hear another point of view, watch the interview with Dagmar Bošanská, CEO of a Slovakian start-up, at the October 2015 Web Summit in Dublin.

About the author

Marc Southern is the founder and Digital Health Consultant at MediMine Ltd, and is currently developing two early-stage innovative healthcare solutions for patients. He has helped some of the world's biggest pharmaceutical and healthcare organisations understand, embrace and use digital tools to communicate with their audiences, ensuring that effective, high-quality programmes are developed in line with global regulatory requirements and specific cultural needs.
