A recent study by researchers at the University of Piraeus, published in the Institute of Electrical and Electronics Engineers’ Access journal (29 January 2018), has indicated that many popular health apps have significant privacy and cybersecurity failings: many of them neither follow standard practices nor will comply with the upcoming General Data Protection Regulation (GDPR). This means that a large number of mobile health apps are jeopardizing the privacy of millions of users.
Mobile health apps
In the last few years there has been a substantial growth in mobile health apps and the ‘connected health’ model, which aims to achieve flexible, effective and affordable healthcare services by using connected technology that offers better records management, information access and increased diagnostic capabilities. This is also known as ‘smart health’. Many healthcare professionals are shifting to mobile apps for easier communication with their patients, increased productivity and improved health management capabilities.
The study analysed a selection of 20 apps from the top 1,080 of the Medical and Health and Fitness sections of the Google Play store. To qualify for inclusion in the study, each app had to be free, in English, have at least 100,000 downloads and require users to input health or personal data that would be transmitted to a remote host. The apps generally fell into three categories: (i) health agendas and symptom managers, (ii) blood pressure or diabetes support, and (iii) pregnancy and baby growth. The researchers used a multi-step methodology on each app, highlighting common pitfalls or trends, to discover the types of data that could be accessed by external parties and how securely the data was being communicated.
Researchers identified a number of minor and major cybersecurity flaws, including a lack of encryption (or of strong encryption), the use of GET instead of POST request methods for transmitting sensitive data, and insecure programming practices. Many apps violated data protection regulations by revealing sensitive health data such as photos, locations, medical symptoms, emails and passwords. Often the apps were not in compliance with GDPR requirements, including the requirement to obtain data subject consent, the right to withdraw consent, the requirements for data transfer to third countries and the right to data portability.
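The GET-versus-POST and missing-encryption findings above are easiest to see in code. The following is an added example, not code from the study or from any of the apps it examined: a small audit function that flags the two weak patterns in an outbound request (plaintext transport, and sensitive fields carried in the URL query string, where they end up in server access logs, browser history and Referer headers), alongside a builder for the hardened form (POST over HTTPS with the data in a JSON body). The field names in SENSITIVE_FIELDS, the host api.example.invalid and the sample requests are all constructed for this example.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Field names treated as sensitive in this example. This is an assumed list
# for illustration, not the study's classification.
SENSITIVE_FIELDS = {
    "email", "password", "symptoms", "blood_pressure",
    "glucose", "location", "lat", "lon", "photo",
}


def audit_request(method, url, body=None):
    """Return a list of findings for one outbound request.

    method: HTTP method as the app would send it.
    url:    full URL including any query string.
    body:   request body as a dict, or None.
    Findings are short tags so they can be asserted on or logged.
    """
    findings = []
    parts = urlsplit(url)

    # Finding 1: anything other than HTTPS means the payload travels in the clear.
    if parts.scheme != "https":
        findings.append("plaintext-transport")

    # Finding 2: sensitive keys in the query string are written to access logs
    # and leak via Referer even when the transport itself is encrypted.
    query_keys = set(parse_qs(parts.query).keys())
    leaked = sorted(query_keys & SENSITIVE_FIELDS)
    if leaked:
        findings.append("sensitive-in-query:" + ",".join(leaked))

    # Finding 3: GET is the wrong verb for submitting health data at all.
    if method.upper() == "GET" and (leaked or body):
        findings.append("get-with-sensitive-data")

    return findings


def access_log_line(method, url, status=200):
    """Render what a typical web server would record for this request.

    Constructed to show the leakage channel: the full request line, query
    string included, is what ends up in the log file.
    """
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'203.0.113.7 - - [29/Jan/2018:10:00:00 +0000] "{method} {target} HTTP/1.1" {status} -'


def build_secure_request(host, path, payload):
    """Build the hardened form: POST over HTTPS, data in a JSON body only."""
    return {
        "method": "POST",
        "url": f"https://{host}{path}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    # Constructed example of the weak pattern the study describes.
    weak_url = "http://api.example.invalid/log?email=a%40b.example&symptoms=fever"
    print("weak:", audit_request("GET", weak_url))
    print("log :", access_log_line("GET", weak_url))

    # The corrected request carries nothing sensitive in the URL.
    safe = build_secure_request("api.example.invalid", "/v1/readings",
                                {"email": "a@b.example", "glucose": 5.6})
    print("safe:", audit_request(safe["method"], safe["url"], json.loads(safe["body"])))
```

Running the block prints three findings for the weak request and an access-log line that contains the user's email address and symptom verbatim, then an empty finding list for the hardened request. The audit only inspects the request as built by the client; it does not replace checking that the server actually enforces TLS and rejects plaintext connections.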
On a similar theme, a separate 2018 survey from Change Healthcare and the HealthCare Executive Group reported that data privacy and security concerns are pushing payers and providers to reconsider adopting mobile and digital health tools. Approximately half of the 2,000 organisations surveyed indicated that security and privacy concerns were a leading factor in why consumer adoption is not wider.
The increasingly widespread usage of, and momentum behind, health apps have had significant positive effects on the healthcare and technology sectors. The studies, however, illustrate that the state of data protection and privacy in mobile health apps remains insufficient. Building adequate levels of protection into the design and functionality of health apps will not be an easy task – even more so with the introduction of GDPR – yet this is the standard that developers and their advisers will need to achieve.