Mobile Development with an Eye on Health Data Security
The prevalence of mobile devices and wearables, together with chronic diseases that require remote patient monitoring, drives the current surge of mobile healthcare applications (aka mHealth). The COVID-19 pandemic only reinforced the role of mobile-powered solutions. As a result, clinics and other stakeholders are actively integrating them, while more and more patients look for medical information and providers online, book doctor appointments and remote consultations, use drug delivery services, and more.
According to a recent ResearchAndMarkets report, the global mHealth market was worth US$51,635 million in 2020 and is predicted to grow at a CAGR of 25% until reaching $225,765 million by 2026.
If you aim at a piece of this pie, be advised: you need to pay special attention to the patients’ privacy and health data security to minimize the risk of litigation and financial penalties for your organization and customers.
This post offers tips on developing a mobile medical app that will meet healthcare security requirements and prove helpful for the customers and profitable for your company.
Let’s begin with the issue of data security in healthcare app development.
Compliance with the World’s Healthcare Data Security Regulations
The core of a secure mobile medical app is a sound architecture that precludes unauthorized access and data breaches. Moreover, depending on the product’s functionality, the region where it will be used, and the data it will handle, it may have to comply with various national and international regulations and standards regarding consumers’ personal information and health data.
Your product development team should be familiar with all regulations applicable in the region where the app will be distributed. First of all, app developers need to understand what protected health information (PHI) is and what it isn’t: the policies may vary from region to region. Here are a few examples:
The United States
In the USA, the Health Insurance Portability and Accountability Act (HIPAA) regulates how companies should guarantee the security of patients’ data and how it should be stored and transmitted between devices.
What is PHI in the US?
HIPAA-protected health information is formed by the combination of:
1) any of the personal identifiers
2) data relating to a patient’s physical or mental health or condition or payment details for the provision of healthcare.
If a mobile healthcare solution collects, processes, stores, or transfers any PHI, the developer must ensure HIPAA compliance.
Canada
In Canada, the collection, use, and disclosure of personal data in the private sector are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). Besides health insurance and healthcare providers, even employers, MedTech companies, marketing agencies, and retailers must be PIPEDA-compliant if their operations involve consumers’ personal data.
Under PIPEDA, personal information includes information about an identifiable individual in any form, such as:
- name, ID numbers, age, income, ethnicity, or blood type;
- employee files, credit and loan records, medical records, healthcare billing information, the existence of a dispute with a merchant, and even intentions, e.g., to purchase something;
- opinions, evaluations, comments, social status, or disciplinary actions.
PIPEDA’s most critical part pertains to consumer consent. Organizations that manage an individual’s information, including health data, may only do so with their consent after that organization has detailed its purposes.
PIPEDA’s requirements apply in all provinces that do not yet have their own substantially similar privacy laws. If you are going to create an app for Alberta, Quebec, or British Columbia, make sure to study the respective regulations of these provinces.
The European Union
In the EU, mHealth apps fall under the jurisdiction of the GDPR (General Data Protection Regulation), arguably the world’s toughest privacy and security law. Its goal is to protect the personal data of all EU citizens and residents. It applies to any entity that processes such data or offers goods or services to such people, even if that entity is located outside the EU.
What is GDPR’s definition of ‘personal information’? It’s virtually any data that relates to a natural person who can be directly or indirectly identified. Besides obvious identifiers like the name, ID number, email address, location data, or online identifier, ‘personal information’ may refer to factors specific to an individual’s physical, physiological, mental, genetic, cultural, social, or economic identity. Even pseudonymous data, if it enables relatively easy identification, may be ‘personal data.’
‘Data processing’ encompasses the collection, recording, structuring, storage, modification, combination, retrieval, use, transmission, dissemination or otherwise making available, and even the restriction and destruction of data.
The GDPR generally requires that any processing of personal data should be done lawfully, fairly, and transparently. It also restricts the processing of a person’s genetic and biometric data and data revealing their racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, and sex life.
Apps should provide customers with information on why they collect their personal information and how they store and protect it. Users should be able to allow and decline the collection of certain types of data, request the deletion of all collected data, and get a report on which data has been collected and which has been erased.
The United Kingdom
In the UK, if healthcare software processes the personal data of users or patients, it must comply with three data protection laws:
- The GDPR, which continues to apply even after Brexit, subject to some adaptations;
- The Data Protection Act 2018 (DPA);
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), to the extent relevant.
The UK adopted the DPA to supplement the GDPR, including aspects of the regulation that are to be determined by national law and criminal offenses for obtaining, redistributing, or retaining personal data without the data controller’s consent.
PECR imposes specific requirements for
- electronic marketing, including calls, texts, and emails
- the security of public electronic communications services
- the privacy of consumers who use communications networks or services as regards directory listings, line identification services, itemized billing, and traffic and location data
It’s critical to begin medical app development by conducting proper research into all applicable national and international legislation regarding consumer privacy and health data security. The information will help the developers properly design, engineer, and distribute an app that meets all requirements.
Hiring a team with a proven track record in developing compliant mHealth products for the region in question will accelerate the app development process and reduce the risk of non-compliance. The development process itself can be divided into several steps.
Five Steps to Building a Secure Medical App
1. Decide on the goal and type of the medical app to build
It makes sense to build a product only after you’ve identified a large audience’s pain point and when the whole team is genuinely passionate about improving or saving people’s lives. This is not just big talk: in the highly competitive mHealth marketplace, it’s not enough to be useful. An app must present added value, e.g., by solving a well-defined problem or giving a healthcare provider a competitive edge.
For example, try to come up with an idea of how your app can help
- increase the accessibility and quality of healthcare services
- accelerate clinical decision-making and diagnostics, provision of care, billing, medical training, etc.
- facilitate communication between doctors, patients, insurance companies, and other stakeholders
- promote education and sharing of medical knowledge
- prevent and control the spreading of diseases
- promote the health and well-being of individuals, groups, and populations
- improve the efficiency and productivity of medical personnel
- minimize paperwork, automate organizations’ core processes, and reduce the amount of manual work and errors
- cut the expenses on hospital maintenance, payroll, etc.
- eliminate threats to the security of patients’ data
- improve a provider’s relationship with customers and increase customer satisfaction, loyalty, and engagement
Define the problem and figure out how your app will solve it. If you don’t have a unique idea inspired by your first-hand experience with actual patients, you may need to look at currently trending products.
Modern healthcare apps range from basic solutions for doctor appointment booking to sophisticated products that employ cutting-edge technology for identifying and solving complex medical issues. Still, they can be classified into three groups based on the type of users they are catering to: patients, medical personnel, and administration.
Popular types of mobile apps for patients include, but are not limited to:
- Medication and healthcare provider information apps
- Doctor appointment booking and reminders
- Urgent care apps
- Telehealth or doctor-on-demand apps
- Patient’s well-being diaries and vital signs monitoring (blood pressure, pulse, glucometer data, etc.)
- IoT medical products
- Apps that remind patients about their medication schedule and prescription refills
- Applications for the elderly and people living with chronic conditions such as cancer, diabetes, or mental illness
- Women’s health and pregnancy assistants
- Dieting apps
- Self-diagnosing solutions
- Apps that provide information on drugs and vaccines
- Pharmacy apps
- Apps for scheduling vaccinations
- Social networking, health forums, and portals
Popular types of mobile apps for healthcare providers:
- Electronic health records (EHR) and electronic medical records (EMR)
- Medical personnel communication tools
- Scheduling and reminder apps
- e-prescription apps
- Medicine dosage tools
- Remote patient monitoring, including the collection and analysis of blood glucose levels, heart rate, blood pressure, respiration rate, oxygen saturation levels, etc.
- IoT medical products
- Patient communication apps
- Clinical and remote diagnostic apps
- Medical referencing guides
- Medical resource apps that supply information about medicines, reviews, latest medical research, regulations, etc.
- Professional networking
- Doctors/nurses marketplace
- Medical training apps
Mobile apps for medical administration:
- EMR and EHR
- Hospital ERP (enterprise resource planning systems)
- Scheduling and reminders
- Ambulance dispatch system
- Patient check-in functionality
- Patient care
- Electronic medical billing software
- Practice management applications
- Inventory management
- Personnel training
- Doctors/nurses marketplace
Despite this wealth of options to draw inspiration from, there is still room for creative ideas that create or fill a vacant niche in the mHealth market. The potential profitability of a mHealth solution directly correlates with its ability to cater to the needs of as large an audience as possible. However, this doesn’t mean that more focused products, e.g., for people with a specific disease, are not worthwhile.
It is highly recommended to run startups in the field of the founders’ expertise. If there is no relevant expertise on board yet, they need to buy it or recruit a partner with the necessary competence. The development of medical apps particularly requires industry-specific insights, so it would be helpful to engage an expert (such as a doctor, RN, or at least a medical student) and, if needed, a lawyer from the outset.
The key to success is knowing what application your audience really needs rather than what you think they want. Some argue that as soon as you have come up with a solution to a burning issue, it’s safe to proceed with building an app that needn’t have a perfect UX/UI design. Others insist on market research being mandatory or at least desirable if you want to increase your odds of hitting product-market fit fast.
2. Research your target audience and the market
Among the reasons for startup failures, the majority correlate with inadequate knowledge of the target audience or lack of attention to the users. mHealth app developers can add to these the neglect of privacy and security regulations. Thus, once you have identified the target market, start the appropriate research into relevant legislation, standards, and best practices.
Having the audience clearly outlined will help you focus on the correct specifics to meet their key mobility needs and business goals. If your customers and end-users are different groups (e.g., health organizations and their staff members, respectively), it’s essential to clarify the needs of both groups.
Analyze the target audience’s characteristics, goals, and objectives. The users’ tastes and preferences may depend on demographic and geographical factors, income, etc. Not only the visuals, but also third-party integrations, information accessibility, security methods, and other aspects may be affected. For instance, older patients prefer tablets and are less likely to use wearable technologies.
A list of top apps in the niche can be used as a reference for what people find valuable and appealing, but it’s worthwhile to get to know the potential users directly.
Ask them questions such as:
- What problem(s) are they facing every day?
- If there is an existing digital solution, how are they using it?
- What do they like and dislike about it?
- What would they want to find in a new product?
- In what environments are they going to use it?
- Do they use smartphones, tablets, smartwatches, or other wearables?
- Will they have plenty of time to interact with the app, or will a glance suffice?
- Will they have both hands free?
… and so forth.
Competitor research is equally useful. Building a copy of something that already exists is pointless. Your product should have something to set you apart from the competition while raising the bar of customer experience.
Identify your current competitors with similar apps and focus on the top performers. Start with gathering basic information like the launch date, number of users, annual revenue, average rating, etc. Study user reviews. Explore the applications’ features and user flows, business models, and marketing strategies.
Evaluate each rival’s pros and cons, including their approach to healthcare data security. The rivals’ weaknesses should become your areas of opportunity. Their strengths will provide you with benchmarks. Figure out ways to leverage those benefits, avoid the shortcomings, and fill the gaps. Shortlist the basic and additional features of your app that align with that plan and formulate your product’s unique selling point.
With this list, you can plan the project timeline and estimate the development cost, or contact a mobile design and development agency that can do it for you.
3. Select the platform(s) and design an MVP
Since timing is crucial for startups, the optimal approach is to start with a minimum viable product (MVP) and build your app incrementally. The first version with a basic set of core features may lack some of the functionality you would like and a polished user interface, but it will at least allow you to validate your idea quickly at minimum cost.
In a better scenario, you will reach customers and fill the market niche early, so that you can quickly adapt the product’s future iterations, branding, and marketing strategy to the actual market requirements, bringing you closer to achieving a product-market fit. You may add fancy features in any of the future versions of your app.
A simultaneous launch of an MVP on the iOS and Android platforms will enable you to reach the maximum number of users. However, startups often prioritize one mobile platform to speed up their time-to-market and save the budget. The choice is usually determined by the target audience’s preferences and market analysis. An app for the second platform follows if the MVP proves successful.
Native iOS and Android apps offer an enhanced user experience. However, since most mHealth apps eventually end up on both platforms, you may opt for multi-platform development from the outset. For example, Flutter and React Native facilitate the development of apps with a single shared codebase that can be deployed simultaneously across both platforms.
Some of the features that are most common in mHealth apps include:
- login with two-factor authentication
- doctor profiles
- patient profiles
- push notifications and reminders
- analytics that gather usage metrics
Beyond these, make sure to include in your MVP features that address the audience’s most pressing pain points, offer tangible benefits to the healthcare providers or patients, and engage users. You may also integrate innovations that will set you apart from the competitors, but always make decisions based on the end-user needs.
The design of your mHealth MVP should facilitate a quick provision of healthcare services and the input and management of large amounts of data, including sensitive information. Your UX/UI designer should make the interfaces as intuitive and suitable for each category of users as possible.
Prototyping allows you to flesh out the selected features into clickable, interactive screens that look almost identical to a real-life product. You can give a prototype to users to quickly collect real-time feedback and validate your concept or conduct A/B testing. The designers can make the necessary changes and repeat the process until you are satisfied. After the UX is finalized, the designers will create the UI of your application.
The look-and-feel of a mobile medical app should be appropriate for daily use. Always go for a simple, clean, and uncomplicated graphic design that facilitates quick comprehension and easy operation. Complicated navigation, cluttered interfaces, or inconvenient buttons can cause incorrect data entry and, as a result, errors in diagnostics or prescription calculations that may impact health outcomes.
Most healthcare apps are executed in neutral colors, but the palette may depend on the app’s purpose and target audience. For example, the app design may, and ideally should, cater to the special needs of color-blind users or people with visual, hearing, speech, motor, and cognitive impairments. All users should feel like your app makes their lives easier, so try to offer customization and personalization opportunities at least in later versions.
Unless you are building an app for a medical institution that will provide it as a free service for its employees and patients, your app has to generate revenue and become profitable in the long run. Simultaneously with selecting and designing the app features, you need to build a strategy that will allow your app to earn money for you.
4. Develop your monetization model
Having a paid app may limit your reach and downloads on the app store. However, if your research shows that your target audience is likely to pay for the solution, it’s reasonable to offer a free trial to the users before they sign up for your app.
Subscriptions present a popular and successful monetization method for mobile healthcare apps.
It is also beneficial to market a mHealth solution as a free app but offer paid access to additional premium services.
You may also rely on advertising as your source of revenue from a free app, provided that the ads are relevant to the app’s type and target audience and don’t interfere with the users’ tasks.
5. Build, test, and launch your mHealth application
After the project timeline, budget, platform(s), monetization methods, and all the MVP features have been approved, software architects identify the optimal technologies and services for your mHealth solution, considering all applicable regulations and health data safety requirements. Integrations with existing third-party APIs and frameworks facilitate faster development and compliance with regulations like HIPAA and the HITECH Act.
If you haven’t developed mHealth products before, it may be beneficial to engage a specialized software development company right from the ideation phase through the app launch and beyond. They are familiar with the best practices and technologies for ensuring healthcare data security and can provide valuable insights that will help you save time and reduce risk, among other benefits.
For example, experienced providers understand the possibilities and limitations of cloud platforms and other third-party components regarding compliance with applicable national laws. They know how to deal with multiple types of cyber-attacks, what security measures can prevent them, and more. In particular, to keep PHI secure in compliance with HIPAA rules, it’s vital to provide two-factor authentication, encrypt data that travels to and from the app, use secure connections, and follow other protocols.
A medical app needs to pass through the highest quality assurance (QA) standards before publication. The earlier in the development cycle QA standards apply, the more secure code you will get.
A mHealth product development team must address multiple QA aspects:
- Data security. Security tests help identify and eliminate vulnerabilities that may exist in operating systems and services, application flaws, improper configurations, or risky end-user behavior. It is important to test how data can be created, stored, and modified on the server side. To cover all security bases, ensure that secure data transmission principles are implemented on both the server and client sides.
- Data privacy and confidentiality. This includes the testing of the app’s authorization and access control measures.
- Usability. This testing will help discover and fix any issues that may result in adverse user experiences or impact health outcomes.
- Performance. Performance testing is crucial for healthcare apps that have to sustain high loads and allow users to perform their tasks under any circumstances.
Apart from these, there should be testing for compliance with relevant privacy acts, for how well the app integrates with third-party services and devices, etc.
Software developers are not responsible for where and how the app will be hosted, but they can recommend safe solutions and conduct penetration testing.
Once your MVP has been thoroughly tested, it’s time to release it to the App Store or Google Play or distribute it to users on an ad hoc basis. However, mHealth app development is an ongoing process. After the first release, the team should continuously iterate the product, gradually adding new features. Based on the collected user feedback and analytics, you need to plan further improvements, a redesign, a pivot, scaling, or extension to more platforms.
The system will also require maintenance to keep up with technological advancements and to address newly discovered security vulnerabilities. A support team should constantly monitor critical metrics, receive alerts on resource usage and security threats, and ensure that up-to-date libraries are used to maintain security.
The Cost of Building a Secure mHealth App
The cost of developing a mobile medical app can vary significantly: it takes different skills and time budgets to build a simple pill reminder and a full-cycle medical center management platform.
The final price will depend on:
- the type of product
- the number of functionalities and their complexity
- the number of screens
- how many platforms need to be covered
- whether there is a deadline
- whether there is an existing corporate identity
- availability of ready-made components and integrations
- the hourly rates of the mobile developers, designers, QA staff, and other specialists
The most convenient way to calculate a budget is to estimate the specialists’ working time and multiply it by the specialists’ hourly rates.
You can get an idea of how much a medical app costs to create right now by using our online questionnaire.
The current situation with the COVID-19 pandemic and other factors strongly indicate that mobile medical solutions will be on the rise in the years to come. Entrepreneurs who invest in medical software development can look forward to biting off a slice of a multi-million dollar pie. They just need to do it right.
For example, those who build solutions for the US or the European market need to meet the HIPAA or GDPR requirements, respectively. Patients, healthcare providers, and administrators need to be assured of security, privacy, and adherence to all governmental regulations even before downloading the app.
Only experts in mHealth app development can ensure that the app will be functional, easy to use, and secure. Moreover, such long-term and complicated development calls for a transparent partnership with an experienced healthcare app development company rather than one-time contractors.
Alternative-spaces’ teams have been building mobile and cloud healthcare apps for years; the apps’ security has always been our priority. If you are interested in making an app for patients or doctors or protecting sensitive information in your existing systems, please don’t hesitate to get in touch. Our experts can advise you on the best course of action and implement your ideas in a secure medical app and an excellent user experience.
Content created by our partner, Onix-systems.