The New American Foundation, a Washington think tank, waded into that debate with a pair of recent panel discussions where experts acknowledged that the security risks around health IT systems are high, and the medical profession, as a whole, has a ways to go to get its cyber house in order.
Kevin Fu, who directs the Archimedes Research Center for Medical Device Security at the University of Michigan, argues that within the medical community -- as in many other industries -- there is a broad lack of awareness about basic cybersecurity practices, often enabling garden-variety malware to infiltrate systems that house sensitive data.
All industries need better cybersecurity hygiene
"Medical professionals are not too different from every other person in the country when it comes to cybersecurity hygiene. So they're taught to wash their hands in between patient encounters, but they're not taught as well as to the cybersecurity hygiene. I'd say we have a very long way to go," Fu says. "The bar is very low right now."
The glut of health data being generated and collected by mobile devices and applications also raises some significant privacy concerns, particularly when that information is outside of the scope of HIPAA and other federal statutes governing personal information.
"I think the key risk that we have is that we will create a pool of extremely sensitive health data that is totally unregulated and that is shared broadly without our knowledge and used in ways that we do not know," says Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University.
Some mobile health apps are protected by privacy law, some are not
"We tend to talk about m-health apps and devices as if they're one thing. When it comes to privacy, there's two kinds of mHealth apps and devices. There's the kind that's protected by privacy law, and there's a kind that's not," Bedoya says.
Many consumers, Bedoya argues, consider the information collected by popular fitness applications like Fitbit as benign, taking innocuous measurements of things like steps and distance walked. However, he maintains that mobile health applications as a class are becoming more sophisticated, and vacuuming up information like glucose levels, heart rate and fertility, all while operating unchecked by the statutory restrictions that apply to information collected in a medical setting.
Pooled together, those data points could provide potential indicators for conditions such as obesity or Alzheimer's. But the market for that data is fairly opaque, and Bedoya fears that health information in the hands of data brokers could be sold to businesses for dubious purposes, such as insurance companies that might deny applicants coverage or charge steeper premiums based on information collected through health apps.
"Frankly, I'm quite scared about what's happening today," Bedoya said. "We don't know what these folks do with this data."
And yet, the policy response has been lacking. Consumer privacy legislation that would set new parameters for the commercial sector hasn't seen serious consideration in recent sessions of Congress, and the near-term prospects for breaking that "legislative stasis," as Bedoya puts it, are not bright.
"There is a sad fact in commercial privacy," he says. "Nothing's happening and nothing's going to happen" in the U.S. Congress.
Privacy advocates call on FTC to pursue consumer protections from mobile device data brokers
As a privacy advocate, Bedoya is calling on state legislatures and regulators at the Federal Trade Commission, which has signaled its concerns about both mobile devices and the practices of data brokers, to take up the issue and press forward with consumer protections.
However, some officials at the federal level caution that the promise of health IT applications has always been hampered by interoperability issues, and that this challenge would only be exacerbated should states go in their own direction in passing privacy laws.
"As we try to build standards for how the healthcare system will operate with technology, if we have rules that vary from state to state, it's just monumentally harder to build a nationwide system because Texas is doing something different from California," says Lucia Savage, chief privacy officer at the Office of the National Coordinator for Health IT, a division of the Department of Health and Human Services.
Nevertheless, experts stress the importance of getting the legal and regulatory structure right. Fu makes the practical point that the adoption of health IT applications, and their potential to improve care and even save lives, could flag if consumers and providers are spooked about privacy and security issues.
"My biggest concern is what happens if patients begin to not accept medical care because of fears of cybersecurity problems," Fu said. "I think it will be a real tragedy if we are not able to give patients the confidence to accept the recommendations of their physicians and their medical teams."