Adopted by the 67th World Medical Assembly, Taipei, Taiwan, October 2016 

PREAMBLE

  • Advancements in modern information technology (IT) pave the way for improvements in healthcare delivery and help streamline physician workflow, from medical record keeping to patient care. At the same time, implementing new and more sophisticated IT infrastructure is not without its challenges and risks, including cyber-attacks and data breaches.
  • Cyber security threats are an unfortunate reality in an age of digital information and communication. Attacks on critical infrastructure and vital assets of public interest, including those used in the fields of energy, food and water supply, telecommunications, transportation and healthcare, are on the rise and pose a serious threat to the health and well-being of the general public.
  • With the proliferation of electronic medical records and billing systems, the healthcare sector is especially susceptible to cyber intrusions and has become a prime soft target for cyber criminals. Healthcare institutions and business partners, from the smallest of private practices to the largest of hospitals, are vulnerable not only to the theft, alteration and manipulation of patients’ electronic medical and financial records, but also to increasingly sophisticated system breaches that could jeopardise their ability to provide care for patients and respond to health emergencies. Especially disconcerting is the threat posed to a patient’s fundamental right to data privacy and safety. In addition, repairing the damage caused by successful cyber-attacks can entail significant costs.
  • Patient data also demands protection because it often contains sensitive personal information that can be used by criminals to access bank accounts, steal identities, or obtain prescriptions illegally. For this reason, it is worth far more on the black market than credit card information alone. Alterations to or abuse of patient data in the case of a breach can be detrimental to the health, safety and material situation of patients. In some cases, breaches can even have life-threatening consequences.
  • Current security procedures and strategies in the healthcare sector have generally not kept pace with the volume and magnitude of cyber-attacks. If not adequately protected, hospital information systems, practice management systems or control systems for medical devices can become gateways for cybercriminals. Radiology imaging software, video conferencing systems, surveillance cameras, mobile devices, printers, routers and digital video systems used for online health monitoring and remote procedures are just some of the many IT structures at risk of being compromised.
  • Despite this danger, many healthcare organisations and institutions lack the financial resources (or the will to provide them) and the administrative or technical skills and personnel required to detect and prevent cyber-attacks. They may also fail to adequately communicate the seriousness of cyber threats both internally and to patients and external business partners.

RECOMMENDATIONS

  1. The WMA recognises that cyber-attacks on healthcare systems and other critical infrastructure represent a cross-border issue and a threat to public health. It therefore calls upon governments, policy makers and operators of health and other vital infrastructure throughout the world to work with the competent authorities for cyber security in their respective countries and to collaborate internationally in order to anticipate and defend against such attacks.
  2. The WMA urges national medical associations to raise awareness among their members, health care institutions and other industry stakeholders about the threat of cyber-attacks and to support an effective, consistent healthcare IT strategy to protect sensitive medical data and to assure patient privacy and safety.
  3. The WMA underscores the heightened risk of cyber intrusions and other data breaches faced by the healthcare sector and urges medical institutions to implement and maintain comprehensive systems for preventing security breaches, including but not limited to providing training to ensure employee compliance with optimal data handling practices and to maintain security of computing devices. 
  4. In the event of a data security breach, healthcare institutions should have proven response systems in place, including but not limited to notifying and offering protection services to victims and implementing processes to correct errors in medical records that result from malicious use of stolen data. Data breach insurance policies could be considered as a precautionary measure for defraying the costs associated with a potential cyber intrusion.
  5. The WMA calls upon physicians, as guardians of patient safety and data confidentiality, to remain aware of the unique challenge cyber-attacks could pose to their ability to practice their profession and to take all necessary measures that have been shown to safeguard patient data, patient safety and other vital information.
  6. The WMA recommends that undergraduate and postgraduate medical education curricula include comprehensive information on how physicians can use modern IT and electronic communications systems to full advantage, while still ensuring data protection and maintaining the highest standards of professional conduct.
  7. The WMA acknowledges that physicians and healthcare providers may not always have access to the resources (including financial), infrastructure and expertise required to establish fail-safe defence systems and stresses the need for the appropriate public as well as private bodies to support them in overcoming these limitations.

Adopted by the 66th WMA General Assembly, Moscow, Russia, October 2015
and rescinded and archived by the 73rd WMA General Assembly, Berlin, Germany, October 2022

PREAMBLE

Mobile health (mHealth) is a form of electronic health (eHealth) for which there is no fixed definition. It has been described as medical and public health practice supported by mobile devices, such as mobile phones, patient monitoring devices, personal digital assistants (PDAs), and other devices intended to be used in connection with mobile devices. It includes voice and short messaging services (SMS), applications (apps), and the use of the global positioning system (GPS).

Sufficient policies and safeguards to regulate and secure the collection, storage, protection and processing of data of mHealth users, especially health data, must be implemented. Users of mHealth services must be informed about how their personal data is collected, stored, protected and processed and their consent must be obtained prior to any disclosure of data to third parties, e.g. researchers, governments or insurance companies.

The monitoring and evaluation of mHealth should be implemented carefully to avoid inequity of access to these technologies. Where appropriate, social or healthcare services should facilitate access to mHealth technologies as part of basic benefit packages, while taking all the required precautions to guarantee data security and privacy. Access to mHealth technologies should not be denied to anyone on the basis of financial status or a lack of technical expertise.

mHealth technologies cover a wide spectrum of functions. They may be used for:

  • Health promotional (lifestyle) purposes, such as apps into which users input their calorie intake or motion sensors which track exercise.
  • Services which require the medical expertise of physicians, such as SMS services providing advice to pregnant women or wearable sensors to monitor chronic conditions such as diabetes. mHealth technologies of this nature frequently meet the definition of a medical device and should be subject to risk-based oversight and regulation with all its implications.

mHealth may also be used to expedite the transfer of information between health professionals, e.g. providing physicians with free, cross network mobile phone access in resource poor settings.

Technological developments and the increasing prevalence and affordability of mobile devices have led to an exponential increase in the number and variety of mHealth services in use in both developed and developing countries. At the same time, this relatively new and rapidly evolving sector remains largely unregulated, a fact which could have potential patient safety implications.

mHealth has the potential to supplement and further develop existing healthcare services by leveraging the increasing prevalence of mobile devices to facilitate access to healthcare, improve patient self-management, enable electronic interactions between patients and their physicians and potentially reduce healthcare costs. There are significant regional and demographic variations in the potential use and benefits of mHealth. The use of certain mHealth services may be more appropriate in some settings than others.

mHealth technologies generally involve the measurement or manual input of medical, physiological, lifestyle, activity and environmental data in order to fulfil their primary purpose. The large amount of data generated in this way also offers huge scope for research into effective healthcare delivery and disease prevention. However, this secondary use of personal data also has great potential for misuse and abuse, of which many users of mHealth services are unaware.

The expansion of mHealth services has been largely market driven and many technologies have been developed in an uncoordinated, experimental fashion and without appropriate consideration of data protection and security or patient safety aspects. It is often impossible for users to know whether the information provided via mHealth stems from a reliable medical source. Major challenges faced by the mHealth market are the quality of mHealth technologies and whether their use ultimately helps patients or physicians achieve the intended purpose.

Comprehensive regulation and evaluation of the effectiveness, quality and cost effectiveness of mHealth technologies and services is currently lacking, which has implications for patient safety. These factors are crucial to the integration of mHealth services into regular healthcare provision.

RECOMMENDATIONS

The WMA recognises the potential of mHealth to supplement traditional ways of managing health and delivering healthcare. While mHealth may offer advantages to patients otherwise unable to access services from physicians, it is not universally appropriate, nor is it always an ideal form of diagnosis and treatment option. Where face-to-face treatment is available this is almost always advantageous to the patient.

The driving force behind mHealth must be the need to eliminate deficiencies in the provision of care or to improve the quality of care.

The WMA urges patients and physicians to be extremely discerning in their use of mHealth and to be mindful of potential risks and implications.

A clear distinction must be made between mHealth technologies used for lifestyle purposes and those which require the medical expertise of physicians and meet the definition of medical devices. The latter must be appropriately regulated and users must be able to verify the source of information provided. The information provided must be clear, reliable and non-technical, and therefore comprehensible to lay people.

Concerted work must go into improving the interoperability, reliability, functionality and safety of mHealth technologies, e.g. through the development of standards and certification schemes.

Comprehensive and independent evaluations must be carried out by competent authorities with appropriate medical expertise on a regular basis in order to assess the functionality, limitations, data integrity, security and privacy of mHealth technologies. This information must be made publicly available.

mHealth can only make a positive contribution towards improvements in care if services are based on sound medical rationale. As evidence of clinical usefulness is developed, findings should be published in peer reviewed journals and be reproducible.

Suitable reimbursement models must be set up in consultation with national medical associations and healthcare providers to ensure that physicians receive appropriate reimbursement for their involvement in mHealth activities.

A clear legal framework must be drawn up to address the question of identifying potential liability arising from the use of mHealth technologies.

Physicians who use mHealth technologies to deliver healthcare services should heed the ethical guidelines set out in the WMA Statement on Guiding Principles for the Use of Telehealth for the Provision of Health Care.

It is important to take into account the risks of excessive or inappropriate use of mHealth technologies and the potential psychological impact this can have on patients.