3.2.2 Product Risk Assessment and Mitigation
Nathan E Botts
/ Categories: 3.2.2 Product Risk

3.2.2 Product Risk Assessment and Mitigation

Health App Risk Management

This category deals with process steps for those who are developing a new app, or an upgrade to an app, prior to its being deployed to consumers. Degrees of risk should be assessed and mitigated according to the intended use of the app. In general, risk management should manage security, privacy, safety, and other types of risks such as potential app failure scenarios, events that could lead to undesirable outcomes, probability and severity of risk, and mitigations or resolutions. One size does not fit all. For example, if apps handle sensitive personal information or give health interpretation or advice, higher degrees of risk are involved than for apps that do not collect personal information or do not interpret or advise. If some information identified during this step should be disclosed to consumers, that is stated in the “Informing Consumers/Users” section.

Related Regulations and Standards

While mobile computing environments may introduce some specific threats not present in non-mobile computing, the principles of risk management are the same across environments, so some standards and regulations are cited, even though they are not mobile-centric. Documents (listed alphabetically below) were sources of some cMHAFF criteria for risk assessment. Other useful references on risk assessment are listed in the Appendix. While some are realm-specific, they have much material that is applicable beyond their countries. Realms are listed in parentheses, if not explicit in the title.

Implementation Guidance

While later sections in this standard include specific security and privacy controls to be applied to consumer mobile health apps, all products addressing health issues, regardless of their type, must be subjected to an overall risk analysis. This risk analysis may uncover the need for additional security controls over-and-above the conformance statements included in this document. As such, a risk analysis provides an additional layer of considerations such that conformance statements are not misused as a simple checklist in which it is assumed all security risks have been addressed if an app is in compliance with the conformance statements in this standard. For an app/product, the risk analysis should be conducted for the target environment(s) where the app will actually be used by consumers. Because of the diversity of consumers, such a risk analysis is wider ranging and more challenging than a risk analysis for the development organization’s own environment.

2984 Rate this article:
No rating
0Upvote 0Downvote
Please login or register to post comments.
All information, thought, and references provided on Health eConsultation is intended for informational and educational purposes only. Health eConsutlation currently makes no attempt at HIPAA privacy compliance. Any trade names used are information and details given for the convenience of users and do not constitute an endorsement from Health eConsultation.
Use this site at your own risk, and do not use the information to make medical or legal decisions without first seeking guidance from a medical or legal professional.
Plain and simple, ads are used to help pay for the cost of the server and resources required to serve Health eConsultation members and provide an objective resource of health information and health education. Subscribers of Health eConsultation can access the site without having to view ads.
We are passionate about the therapeutic benefits that can be derived from appropriately applied health education .
More informed patients are healthier and less costly to provide care to.
We seek to give consumers and patients a voice, because in the end we are them.
Evidence based practices is what nurtures a thriving health system.


Health eConsultation members believe that health improvement is about patient knowledge, motivation and opportunity to act in concert with healthcare professionals to improve their condition.
Our primary purpose is to build a community around unbiased Health IT education so that people are able to focus on the information they need without having to navigate the vast amount of information that is available on the web.
Health eConsultation seeks to leverage responsible, engaging and, hopefully, motivating education, and information resources. The idea is not to scrape the content of other sites, but to investigate, synthesize, and report in order to create an evidence-base founded on increased rigor and research.
Health eConsultation educational material and website information are provided primarily through free resources, although some sites mentioned might require further registration and payment for particular membership or services.
All information, thought, and references provided on Health eConsultation is intended for informational and educational purposes only. Health eConsutlation currently makes no attempt at HIPAA privacy compliance. Use this site at your own risk, and do not use the information to make medical decisions without first seeking guidance from a medical professonal.
By registering with Health eConsultation you can participate in comments, ratings, and bookmarking. You can also keep track of the time that you spend learning about certain topics for your own records or to share whith health professionals you are working with.