7 steps to securing mHealth data in low-resource settings

BARCELONA — In limited-resource settings, mobile health projects face a twin challenge: Ensuring the data they collect from patients is not only easily accessible, but also secure — and they often need to manage this despite an absence of national regulation on data protection. This is part of the challenge faced by the upSCALE platform in Mozambique, one of the first mHealth programs to be rolled out nationally in a low-income country, and which aims to strengthen community health delivery in underserved areas. The platform includes phone and tablet-based apps for community health workers and their supervisors at health facilities. In essence, the apps facilitate stock management, and walk health workers through the registration, diagnosis, treatment, referral, and follow-up of patients — generating large amounts of sensitive health information along the way. While the program has the potential to revolutionize health care access across the country, it is crucial to protect patient identities and confidential information from unauthorized access and misuse — a process that starts with data collection and encompasses its storage, access and use. “We take data protection very seriously,” said Karin Källander, a senior research adviser at Malaria Consortium, one of the partners in the project. “It is critical that patients feel safe with community health workers, knowing that information will only be used to follow up on their health condition.” Patient registration includes people’s names, location, and health status for diseases such as HIV and tuberculosis. As a result, she said, a data security breach could have severe consequences — leading to social stigma, for example, or to information being misused for political purposes. “If data were misused or there was a breach, people might lose trust in the entire community-based health care system, and that would be a real disaster,” she said. Malaria Consortium and its upSCALE partner UNICEF Mozambique gave Devex the inside track on what steps they are taking to meet this challenge — and how efforts like theirs have helped edge the country toward its first legal framework on data protection. 1. Define data ownership The first step, the partners said, is to identify who owns the data, and who has the right to manage and process it. In this case, “the Ministry of Health of Mozambique is the owner of the data, meaning it decides how the information should be managed, and who can access and analyze it,” said Källander. As a temporary measure, the government has outsourced the management of the database to the NGO, but this also needs to be put in black and white. “We are finalizing a memorandum of understanding with the ministry that officially outlines our role, so that we have a legal basis for processing the data,” she said. 2. Control access to devices The next steps start in the field. Community health workers do not have to obtain informed consent from each patient because the ministry of health considers their work to be a routine health system activity. “But this does not mean that we do not have to follow ethical standards,” Källander pointed out. Health workers have their own password-protected accounts to access the upSCALE app, and are trained in the ethical aspects of data collection, explained Alexandre Boon, maternal and child health specialist at UNICEF. And the partners are planning to establish a graduation ceremony in which health workers “publicly swear” to protect patient’s data, said Källander. They are also looking into incorporating elements of data security into health worker contracts. 3. Restrict access to data Data access must be tailored to each user group, anonymized, and encrypted. In the case of the upSCALE platform, there is only one administrator — for the time being, Malaria Consortium — that has access to the overall dataset and sets strict user rights in consultation with the Ministry of Health. “For any new user to the system, we can decide which level of access to the data they should have,” meaning each group can only see certain layers of information, Källander said. “Some users can only access summary reports, while others can manage the system by adding new users, but cannot see the data.” Except for the community health workers, who can access the data of only their own patients, the administrator is the only one who can see patient-specific identifiers such as name, age, and location, and who can decide to anonymize and aggregate these data points. At the moment, location is anonymized, but partners are considering alternative scenarios in which certain users would need more specific data. “Should there be a disease outbreak — for example, a hemorrhagic fever [such as Ebola] — we would need to be able to trace it back to certain households” as part of the response plan, explained Källander. Linking the platform with their malaria elimination work in Mozambique would also entail identifying and following up on every single case. 4. Ensure secure data hosting The location of data storage is key to data protection. International guidelines favor in-country storage, but low-income countries may lack capacity to securely store large amounts of sensitive health data. United States-based software development company Dimagi currently hosts the upSCALE data in a cloud-based server and is responsible for its security. In the absence of a national eHealth or data protection framework in Mozambique, the platform adheres to the Health Insurance Portability and Accountability Act of the U.S., a set of standards aligned with EU regulations. However, UNICEF is already working with the government and Dimagi on the transition to an in-country server — a groundbreaking move for an mHealth initiative in Mozambique, according to UNICEF innovation specialist Nelson Rodrigues. “It is the first time that a partner [has presented] a tested solution to the ministry of health and [invited] it to take over data hosting,” the specialist said. The bulk of mHealth initiatives in the country have been small-scale pilots hosting data in cloud-based servers, he said. “Up until now, most programs have not been looking at in-depth integration with MOH systems, so we are pretty much on uncharted territory regarding data hosting.” Realizing the transition to a local server will require teamwork, UNICEF and the ICT department of the ministry of health are collaborating to align encryption and firewall standards, while Dimagi is preparing a technical proposal solution for data hosting by the government. That proposal comes with capacity building for ministry of health staff on server management and six months of technical support, explained Rodrigues, who expects the entire transition process to take around a year. 5. Build oversight capacity To further minimize the risk of leakages, data management plans must assign responsibility for oversight. Malaria Consortium, for example, has trained and established a data protection focal point in Mozambique to support and monitor implementation of security measures. Current security systems are mostly implemented by the NGO’s staff, but Källander said sharing knowledge and best practices on data protection with the ministry of health is “critical” for them to eventually take over data management. To this end, the NGO has developed a set of standard operating procedures, or SOPs, for data protection, that will form the base of an upcoming training for ministry of health staff. Among other aspects, the SOPs state that the ministry must be notified of any breaches within 72 hours so that appropriate action can be taken. 6. Comply with national standards — or help create them Mozambique lacks national eHealth policies or data protection laws, which might seem a major obstacle to the deployment of mobile health initiatives. However, the upSCALE partners have seen this as an opportunity to help the country create legal frameworks in tune with the digital era. For Källander, the lack of a strong regulatory environment is “not an opportunity for data misuse, as much as a chance to increase data protection standards.” Boon added that: “The National ICT Institute of Mozambique is finalizing a national policy on data protection — including data generation, hosting, and use — which is expected to be ready by June.” The pair believe the initiative has been spurred by the blooming of eHealth projects in the country, which have underscored the need to create legal frameworks on data security and privacy. In the coming months, UNICEF will facilitate two workshops to raise awareness and understanding of the policy among key stakeholders, including partners and donors in the digital health space. The U.S. President's Emergency Plan for AIDS Relief, which is hosting an “enormous” amount of data on HIV patients in the cloud, according to Boon, is one of several initiatives that will have to ensure adherence to the new framework. 7. Join forces Finally, government, NGOs, international organizations, the private sector, and even local volunteers must all come on board to ensure protection throughout the data flow. “All the measures we are working on are the result of an ongoing discussion between the upSCALE partners, because making the best product requires expertise from the various players,” said Källander. “Not many countries have this type of data for their populations —not even in the ‘global north,’” she added.