How to Map an mHealth Mobile Strategy

Electronic health records (EHRs) have been transformational for medical organisations but, without mobile access, are not being used to their full value.

Mobile devices offer the potential to deliver faster treatments, an improved patient experience and overall improved care quality when used in conjunction with existing EHRs as an ecosystem.

The key to building a successful mobile health application is a structured and cohesive approach based on an overall mobile strategy. Without this, the architecture and development phases can lead to disjointed systems, forcing end users to carry a number of devices to manage daily procedures. This creates too much friction to embrace the advancements.

Mobile Strategy Roadmap

The US Office of the National Coordinator for Health Information Technology provides an outline which organisations can follow to manage mobile device deployments. Broken into five stages, the outline gives a high-level overview of the basic requirements for building an app:

Decide, Assess, Identify, Develop and Train.

We’ve built upon these stages to suggest organisations adopt a slightly broader six-step mobile strategy roadmap specific to mHealth, covering:

Research, Security & Governance, Device Selection, Tools Identification, Development and Deployment & Training.

1. Research and UX Discovery

In general, the health service industry is already functioning in a mobile way - clinicians move from patient to patient and users have existing devices with the ability to collect constant and reliable information.

Understanding the roles and information needs of potential users is key to building a successful mHealth product. This requires steps like interviewing end users, analysing the app’s environment, storyboarding and building client personas.

Organisations can adopt a standard user-experience discovery process using in-house or consultant user experience experts, or alternatively fast-track it through tailored design sprints.

2. Security and Governance Policy Assessment

One of the biggest challenges unique to software development in the health space is the set of restrictions around Protected Health Information (PHI). The two major vulnerabilities for PHI exist on the application level and on the device level, each bringing its own set of risks with different solutions.

Part of your mobile strategy should consider the data used in the application, how it is collected, where it is stored, and its level of sensitivity. While not all of the app data may be considered sensitive under regulatory definitions, having multiple sets of data in an app can lead to sensitive health information being mapped to other, unencrypted data, which can, in turn, lead to vulnerabilities.

An app-centric security strategy must be outlined according to a number of different guidelines specific to the industry.


  • HIPAA - Health Insurance Portability and Accountability Act

  • EU DPD - European Union Data Protection Directive


These regulations can enforce specific ways of handling keys, the integrity of the application, its environment and the communications it can have with other devices. To ensure a comprehensive security strategy, consulting with a mobile agency that has experience in the industry is the best approach.

3. Device Selection

Choosing a platform to support the application has a number of extra restrictions due to the sensitive nature of the data collected. After the security and governance policy has been assessed, the scale of PHI being collected and requiring encryption is known.

Healthcare organisations cannot allow employees to use mobile devices without a mobility management solution. There are a few different options which can be rolled out that support a Bring Your Own Device (BYOD) environment while also complying with regulatory standards.


Mobile Device Management (MDM) is a device level security system that provides businesses with the ability to manage all applications in one system. MDM software tracks usage and access to data, allows for remote device wiping and manages VPNs. This provides a safe container within a mobile device, whether it is ‘BYOD’ or HDO-owned, to run applications that access the sensitive data.

Enterprise Mobility Management (EMM) extends MDM as a solution, setting up policies on the information and application levels. EMM can be further broken down into Mobile Application Management (MAM), Mobile Information Management (MIM) and Mobile Content Management (MCM). EMM is a more complete solution, offering security at multiple layers. Every EMM solution includes an MDM component.


Virtual Mobile Infrastructure (VMI) gives the same data protection benefits which a traditional containerized approach offers, but runs the mobile OS on a remote server. The system manages security compliance on the server side, removing endpoint data storage and removing the risk of sensitive information being compromised.

4. Tool and Framework Identification

At this stage, a lot of the key points of potential friction or breach have been identified and the application's general features, security and data requirements are clear. Using this information, a tools and frameworks strategy can be developed to identify industry options that fit together into a single, secure and coherent mobile solution.

These decisions rely on the project-specific details – if the application is heavy with PHI, then the entire backend should be HIPAA compliant. However, workarounds can be made when the data is carefully considered - clever uses of encryption, key handling and data manipulation could mean only part of the data would require the more robust (and generally more expensive) HIPAA/DPD compliant storage.
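One way the data split described above can look, as an added example that is not code from the original article: a record is divided into a PHI part and a general part joined only by a keyed token, and a check confirms that no identifier values remain in the general part. The field names, the `PHI_FIELDS` classification and all function names are assumptions; whether the general part falls outside regulated scope remains a governance decision.

```python
import hashlib
import hmac
import secrets

# Assumed classification for this example; the real list comes out of the
# security and governance assessment, not from code.
PHI_FIELDS = {"patient_name", "date_of_birth", "diagnosis"}
LINK_FIELD = "patient_id"  # direct identifier, kept only in the PHI part

# Constructed sample record (not real patient data).
SAMPLE = {
    "patient_id": "MRN-0001",
    "patient_name": "Example Patient",
    "date_of_birth": "1970-01-01",
    "diagnosis": "example condition",
    "step_count": 4200,
    "app_version": "1.0.0",
}


def pseudonym(patient_id, link_key):
    """Keyed, deterministic token; cannot be recomputed without link_key."""
    return hmac.new(link_key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record, link_key):
    """Return (phi_part, general_part), intended for two separate stores."""
    token = pseudonym(record[LINK_FIELD], link_key)
    phi_part = {"token": token, LINK_FIELD: record[LINK_FIELD]}
    general_part = {"token": token}
    for field, value in record.items():
        if field != LINK_FIELD:
            (phi_part if field in PHI_FIELDS else general_part)[field] = value
    return phi_part, general_part


def leaked_identifiers(general_part, record):
    """Names of general-part fields whose value equals a PHI or identifier value."""
    sensitive = {str(record[f]) for f in PHI_FIELDS | {LINK_FIELD} if f in record}
    return sorted(k for k, v in general_part.items() if str(v) in sensitive)


if __name__ == "__main__":
    # Assumption: the link key is stored with the PHI part, never with the general part.
    key = secrets.token_bytes(32)
    phi, general = split_record(SAMPLE, key)
    print("general store:", general)
    print("leaks:", leaked_identifiers(general, SAMPLE))
```
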

Again, this is something which can be explored with whoever is supporting the mobile strategy’s mapping. It is worth keeping in mind that the tools and frameworks chosen at this stage will need to be supported by the team developing the application, which leads to the next stage of the roadmap - development planning.

5. Develop

Within the mobile strategy, the decision to build in-house, bring in mobile resourcing or develop with an agency is something which can be made at this point of the strategy’s roadmap.

As a company which offers design and build services along with mobile resourcing, we know that this stage is extremely important to companies. mHealth applications are generally far more complex than standard mobile apps, so they may require specialist development skills which your current development team may not have and which may not be feasible to acquire for one project.

6. Deployment & Training

Finally, a clear strategy around end user training, particularly in an enterprise solution existing in a BYOD environment, should be identified. This training strategy should highlight the different points at which PHI is collected and the responsibility the end users have to ensure it is collected efficiently.

While this stage is coupled with the Research and UX Discovery stage, upon deployment an incubated and extensive testing phase should be factored into your strategy alongside end user training.

What is the outcome of a mobile strategy?

As a business or health organisation, you can expect a number of benefits from a well-formed mobile strategy.

Aside from being a roadmap for the design and development of the application, mobile strategies can be created well in advance of the development phase and can be used to acquire funding, to support applications for different grants or governance checks, or even as a proof of concept.

Another positive outcome of a mobile strategy is engagement. Most companies understand the overwhelming benefit of adding mobile to their digital strategy and yet, many have not embraced the opportunity. Having a clear strategy and plan for the future could be a move in the right direction to convincing your organisation to finally make the move to mobile.

Building an app in the health industry, particularly B2E, is something which is undeniably challenging, but with the right strategy, can have the potential to be extremely successful and widely adopted.