Tag Archive for: mobile security

Smartphone with a lock on it

Photo Credit: Technorati.com

During New America’s Mobile Disconnect talk on February 9th, Katrin Verclas, Co-Founder and Editor of MobileActive.org, brought up an interesting question about data privacy in mhealth – what is being done to protect patient data in mhealth projects in developing countries?

“If you are gathering sensitive health data over completely clear text and insecure SMS, somebody’s HIV status, sensitive information protected by HIPAA standards in this country, completely unregulated by development organizations, they don’t self-regulate. Countries certainly don’t have any privacy or data protection stipulations…If we are talking about mobile telephony and mobile phones in development, we need to talk about how we protect the data that we are gathering, the information that we are distributing…”

Data privacy is an important, yet undiscussed topic. As Katrin mentioned, an individual’s health information is extremely personal, especially because it can be used against the person to make them a social outcast. But there is little discussion of how patient information is being protected, especially the structure and framework of data protection on a large scale. As mentioned in the white paper “Barriers and Gaps Affecting mHealth in Low and Middle Income Countries” by the Earth Institute at Columbia University, many mhealth studies expressed the need for data protection and some measures were taken. But further security steps need to be taken as projects scale into national programs.

First, security is a tough question to answer in any setting. In the U.S., there are strict laws that require health information to be protected (HIPAA). Corporations holding patient health information must internally regulate how this information is being stored and transmitted in order to avoid penalties (both monetary and brand loss) if data is lost or there is a security breach. Along with setting user policies to further protect this sensitive data, corporations also leverage security software to protect against internal and external data loss. This includes protection against network attacks or unprotected lost/stolen devices. In these cases, the companies not only spend money on security measures but also employ a team solely focused on security. Chief Information Security Officer is fast becoming an important and necessary role within large enterprises.

But the reason for all these security measures is the value individuals and families put on the privacy of their health information. Similarly to people protecting information about their finances, people want to keep their personal and family health information private. With the stigma of specific diseases or the unknown of the future as testing, diagnosis, and treatment are occurring, individuals and families want to have the power to inform others when they are ready. Do individuals and families in other countries place the same value on their health information? My guess is very much so.

But, as Katrin mentioned, many of the countries using mobile phones for data transmission do not have strict data privacy laws to regulate how patient data is protected. This leads to a lack of incentive for development organizations to create their own data protection policies, which include user policies and technology solutions to protect the storage and transmission of patient information. The GSMA recently began a movement to support data privacy on mobile devices. This includes providing principles, guidelines and resources in order to tackle the new challenges of data protection on global mobile networks. The International Telecommunication Union (ITU) and infoDev have created the ICT Regulation Toolkit to provide insight and best practices for policy-makers, government regulators and the telecommunication sector to implement telecom policies. There is a section directly focused on Data Protection and Privacy Laws. While these are steps forward, they are more generally focused on the overall telecom industry. There needs to be a greater focus on the mhealth sector as it continues to grow.

Some organizations have included data privacy in mhealth projects. eMOCHA, developed by Johns Hopkins Center for Clinical Global Health Education, is a program for Android smartphones that stores and transmits data. Included in the program is security on both the endpoint device (the smartphone) and the servers. The servers that store the data are encrypted to protect against internal leaks. The smartphones also use encryption to send messages. They are also password protected in order to prevent data access if the phone is lost or stolen. Dimagi has also used technology to protect against both internal and external leaks. This includes individual logon passwords and full data encryption on handsets, as well as full server database encryption and auditing of who has logged into the database. It would be great to hear from other mhealth developers to see what they are doing to protect data. As is the case with the open dialogue of discussing best practices for implementing and scaling programs in the mhealth community, it would be beneficial to the sector to share advice on data privacy.

MobileActive has been focusing on data security lately with the release of their SaferMobile website. It has helped to open the discussion and provides knowledge and advice to activists, human rights defenders and journalists to better protect their mobile privacy in their jobs. Those in the mhealth community should piggyback on their work. The discussion of data protection has been brought up before, but it is time to have it at the forefront of the minds of developers and implementers working on mhealth projects in developing countries. The goal is to understand all issues of data privacy (from the regulatory, technological and social aspects) and how we can make sure to always be aware of the patient’s right to privacy. It will be an interesting area to continue to follow, and I hope this at least opens the door to a more in-depth discussion on the topic.

M-Pesa Money Transfer

Photo Credit: Tony Karumba/AFP/Getty Images

Recently there have been more reports of digital theft within the M-Pesa mobile money transfer service. In Embu, an M-Pesa agent was tricked into sending Sh50,000 (~$600) to an unknown account. It occurred when an individual received a message that he had received an incorrect transfer and then went to the agent in order to have the mistake corrected. Other examples include thieves posing as customers or Safaricom staff, and calls or SMSs from unknown numbers informing the individual that they won a prize. With the large amount of money being transferred on a daily basis, it is easy to see why M-Pesa has been the target of fraud. From July to September in 2011, $683 million was transferred over mobile phones in Kenya.

The interesting aspect to this fraud is that mobile money is shown to be a safer alternative to traditional money transfer services. But as the number of fraud cases increases, it could start to be perceived (true or not) as an unsafe way to both transfer and store money. This could diminish adoption rates, especially at the bottom of the pyramid, as those users tend to be more risk averse. Since their account totals are much lower, one fraudulent transfer could wipe out their entire account. Fraud could also cause the telecom providers to be further regulated by governments. Since they are not banks, they are not regulated under the same rules as banks. This includes the Know Your Customer (KYC) laws. After 9/11, there was a great push by the United States for banks globally to gather more information about their clients and further verify their identity. But since the mobile money services provided by telecoms (when not partnering with banks) are not classified as banking services, the telecoms are not required by law to follow the KYC laws. As shown in the examples above, once the money had been transferred, there was no way to get it back. The reason for this is that many mobile accounts are unregistered. Because an individual can simply purchase a SIM card at a local store, there is no way for mobile providers to track who received a fraudulent transfer. But some governments have started to require citizens to register their SIM cards. In Ghana, the National Communication Authority (NCA) has made this requirement mandatory by March 3rd. If a SIM card is unregistered by then, the account could be deactivated. This means that roughly 7.5 million users could have their phone cut off. This is an extreme example of how to further regulate the mobile market. But is it the right answer?

Or can technology provide the answer? Further regulation is probably needed to slow down the amount of fraud, but there is a fine line between being too invasive on the end user and providing greater protection. One of the benefits of mobile money is the lack of required registration, which allows those who do not have a bank account or proper documentation to receive financial services. This is especially true of those that live in rural regions. But along with regulation, how can technology be used to solve the problem? Extra security steps can be taken to verify the validity of the transfer. But, again, they cannot be too intrusive, as that could cause a decrease in usage by customers. While regulation and technology could possibly help, one of the main problems is the social knowledge of the end-user. Especially in the “You Have Won” messages, the cons are banking on the end-user lacking knowledge about these types of frauds. As shown in the articles, individuals are starting to catch on, as are the authorities. The police have been trying to inform citizens that they need to avoid these messages and take extra steps to confirm the transfer. There is no clear and easy answer to solve this problem, but it must be at the front of the minds of MNOs and government regulators. Mobile money is too strong of a tool to let security issues slow the expansion of financial services to those who never had access to them before.
