Recently, the Federal Trade Commission (FTC) partnered with HHS’ Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), along with the Food and Drug Administration (FDA), to release a web-based, interactive tool to help mobile health app developers understand how federal laws might apply to their apps. This cross-agency effort is intended to be responsive to the questions of app developers as to how regulatory oversight will operate in this area. In parallel, on April 5, the FTC released best practices to consider in building privacy and security into a mobile health app. Among other things, the FTC guidance makes the following recommendations:
-
Minimize access to data. Confirm that your app does not access information it does not need. For example, you can reduce the risk of re-identification of location data by not collecting highly specific data or opting to aggregate location data across users. If your app does not need access to consumers’ contacts, your app should not access operating systems for that information. In a recent settlement, the FTC alleged that Path, Inc., a social networking app, deceptively collected information from consumers’ mobile device address books without their knowledge.
-
Strengthen authentication requirements. Consider the use of multi-factor authentication to ensure only authorized users have access to their accounts. Understand the differences between mobile operating platforms and corresponding safety features. Conduct the necessary testing to confirm that security measures are effective. Require consumers to change default passwords during set up. Indeed, these basic security practices have begun attracting regulatory attention. In a recent settlement, the FTC challenged that home router manufacturer ASUS did not require consumers to change their login criteria, even though it defaulted to an identical preset username and password.
-
Consider mobile ecosystem. Consider business practices and vulnerabilities of third-party service providers and partners. Implement contracts that clearly establish your expectations and require compliance with legal obligations. Understand the division of responsibilities for securing and updating software on the server. If you use a software tool developed by another company, ensure it conforms to your privacy promises, consumer expectations, and legal obligations.
-
Implement security by design. Think through security implications at each stage in an app’s lifecycle, including design, development, launch, and post-market. Take advantage of current security resources. Free and open source software exists that facilitates secure development, including software libraries and other toolkits, many of which have been vetted by reputable people or entities within the security community.
-
Communicate with users. Keep users informed of an app’s privacy and security features, including data collection disclosures at the point of installation and then again at the point of data collection. Consider applicable federal and state laws that apply based on the type of app or data collected.
This guidance is largely drawn from the FTC’s Start from Security: A Guide for Business. The FTC’s recent concern with health apps suggests it anticipates stepping up enforcement in this space. Indeed, the FTC has already brought enforcement actions on a number of the above items.