| ESP Journal of Engineering & Technology Advancements |
| © 2026 by ESP JETA |
| Volume 6 Issue 1 |
| Year of Publication : 2026 |
| Authors : Sunjhla Handa |
| DOI : 10.5281/zenodo.19085031 |
Sunjhla Handa, 2026. "The Role of DevSecOps in Enhancing Digital Therapeutics Platforms for Behavioural Health", ESP Journal of Engineering & Technology Advancements 6(1): 107-123.
With the growing use of digital therapeutics (DTx) in behavioural health, there are serious challenges associated with regulatory compliance, data privacy and software security, particularly given the sensitivity of patient data and the evolving set of global standards, including HIPAA, GDPR and the Digital Personal Data Protection (DPDP) Act. Current DevOps practices, which are optimised for agile delivery and scalability, have no inherent mechanisms for active security enforcement or ongoing regulatory compliance. The paper presents DevSecOps, the extension of DevOps that builds security and compliance into the software development life cycle, as a means of advancing the safety, transparency, and reliability of behavioural health DTx platforms. It proposes a domain-specific DevSecOps framework that incorporates compliance-as-code, infrastructure-as-code, policy validation at the CI/CD stages, runtime protection systems and auditing layers to attain continuous compliance. The empirical evidence shows a quantifiable improvement in policy drift, audit-trail granularity, and runtime policy resilience without affecting development velocity. The results highlight the need to incorporate codified compliance processes within DTx infrastructure to reduce the risk of regulatory violations, data breaches, and misconfigured software. This study brings out the groundbreaking potential of DevSecOps in regulated healthcare settings and offers a scalable template that developers, architects, and compliance professionals working on behavioural digital therapeutics can apply to implement secure, reliable, and regulation-compliant delivery pipelines.
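The compliance-as-code and CI/CD policy-gate ideas the abstract describes, as an added example that is not code from the paper: a constructed IaC-style manifest is checked against codified controls, any failure not present in an approved baseline counts as policy drift and blocks the gate, and each finding is emitted as a JSON audit line. The resource schema, control names, regulation mappings and residency allow-list are assumptions for illustration.

```python
from dataclasses import dataclass, asdict
import json

# Constructed IaC-style manifest; the resource schema is hypothetical, not a real provider's.
MANIFEST = {"resources": [
    {"name": "phi-db", "type": "database", "encrypted_at_rest": True,
     "audit_logging": True, "public_access": False, "region": "eu-west-1"},
    {"name": "session-store", "type": "storage", "encrypted_at_rest": False,
     "audit_logging": False, "public_access": True, "region": "us-east-1"},
]}
# Constructed data-residency allow-list standing in for a GDPR/DPDP residency policy.
ALLOWED_REGIONS = {"eu-west-1", "ap-south-1"}

@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    regulation: str

# Codified controls: (control id, regulation it serves, predicate that is True when compliant).
RULES = [
    ("encrypted-at-rest", "HIPAA", lambda r: r.get("encrypted_at_rest") is True),
    ("audit-logging", "HIPAA", lambda r: r.get("audit_logging") is True),
    ("no-public-access", "HIPAA/GDPR", lambda r: r.get("public_access") is False),
    ("data-residency", "GDPR/DPDP", lambda r: r.get("region") in ALLOWED_REGIONS),
]

def evaluate(manifest: dict) -> list[Finding]:
    """Apply every codified control to every resource and return the failures."""
    return [Finding(r["name"], cid, reg)
            for r in manifest["resources"]
            for cid, reg, ok in RULES if not ok(r)]

def drift(baseline: list[Finding], current: list[Finding]) -> set[Finding]:
    """Policy drift: controls failing now that did not fail in the approved baseline."""
    return set(current) - set(baseline)

def gate_passes(current: list[Finding], baseline=()) -> bool:
    """CI/CD policy gate: the deployment is blocked if any new failure appeared."""
    return not drift(list(baseline), current)

def audit_records(findings: list[Finding], commit: str) -> list[str]:
    """One JSON line per finding, so the pipeline leaves a reviewable audit trail."""
    return [json.dumps({"commit": commit, **asdict(f)}, sort_keys=True) for f in findings]

if __name__ == "__main__":
    found = evaluate(MANIFEST)
    print("\n".join(audit_records(found, "<commit-sha-placeholder>")))
    print("gate:", "PASS" if gate_passes(found) else "FAIL")
```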
Keywords: Behavioural Health, CI/CD Pipelines, Compliance-as-Code, Data Privacy, DevSecOps, Digital Therapeutics, Infrastructure-as-Code, Regulatory Compliance, Runtime Enforcement, Security Automation.