Top

BMC Medicine

Published in:

Open Access 01-12-2015 | Research article

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

Authors: Kit Huckvale, José Tomás Prieto, Myra Tilney, Pierre-Jean Benghozi, Josip Car

Published in: BMC Medicine | Issue 1/2015

Abstract

Background

Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program.

Methods

Cross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments.

Results

The study revealed that 89 % (n = 70/79) of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66 % (23/35) of apps sending identifying information over the Internet did not use encryption and 20 % (7/35) did not have a privacy policy. Overall, 67 % (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78 % (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases.

Conclusions

Systematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.

Available only for authorised users

Klasnja P, Pratt W. Healthcare in the pocket: mapping the space of mobile-phone health interventions. J Biomed Inform. 2011;45:184–98.CrossRefPubMedPubMedCentral

research2guidance. Mobile health market report 2013–2017 [http://www.research2guidance.com/shop/index.php/downloadable/download/sample/sample_id/262/]

Comstock J. Survey: 32 percent of mobile device owners use fitness apps [http://mobihealthnews.com/29358/survey-32-percent-of-mobile-device-owners-use-fitness-apps/]

Manhattan Research. 2014 environment [http://manhattanresearch.com/Products-and-Services/Physician/Taking-the-Pulse-U-S]

Steinhubl SR, Muse ED, Topol EJ. Can mobile health technologies transform health care? JAMA. 2013;310:2395–6.CrossRefPubMed

Kotz D. A threat taxonomy for mHealth privacy. In: Third International Conference on Communication Systems and Networks (COMSNETS), 4–8 January 2011. Bangalore: COMSNETS; 2011. p. 1–6.CrossRef

Cohn SP. Privacy and confidentiality in the nationwide health information network. Washington: National Committee on Vital and Health Statistics; 2006.

Smith HJ, Dinev T, Xu H. Information privacy research: an interdisciplinary review. MIS Q. 2011;35:989–1016.

Njie L. Mobile health and fitness apps: what are the privacy risks? [https://www.privacyrights.org/mobile-health-and-fitness-apps-what-are-privacy-risks]

10.

Sunyaev A, Dehling T, Taylor PL, Mandl KD. Availability and quality of mobile health app privacy policies. J Am Med Inform Assoc. 2014;22:e28–33.PubMed

11.

Dehling T, Gao F, Schneider S, Sunyaev A. Exploring the far side of mobile health: information security and privacy of mobile health apps on iOS and Android. JMIR Mhealth Uhealth. 2015;3:e8.CrossRefPubMedPubMedCentral

12.

He D, Naveed M, Gunter CA, Nahrstedt K. Security concerns in Android mHealth Apps. In: AMIA 2014 Annual Symposium, 15–19 November 2014. Washington: AMIA Symposium; 2014.

13.

Adhikari R, Richards D. Security and privacy issues related to the use of mobile health apps. In: 25th Australasian Conference on Information Systems, 8–10 December 2014. Auckland: Australasian Conference on Information Systems; 2014.

14.

NHS Choices. Health apps library – safe and trusted apps to help you manage your health [http://apps.nhs.uk/]

15.

Agencia de Calidad Sanitaria de Andalucia. [Distintivo appsaludable] [http://www.calidadappsalud.com/]

16.

England NHS. Five year forward view. London: HM Government; 2014.

17.

Happtique I. Happtique: recommend the best apps (iOS, Android) to patients [https://www.happtique.com/]

18.

MyHealthApps.net. My health apps – tried and tested by people like you [http://myhealthapps.net/]

19.

LaRose R, Rifon N. Your privacy is assured - of being disturbed: websites with and without privacy seals. New Media & Soc. 2006;8:1009–29.CrossRef

20.

Dolan B. Happtique suspends mobile health app certification program [http://mobihealthnews.com/28165/happtique-suspends-mobile-health-app-certification-program/]

21.

Singh I. Introducing the health apps library [http://www.england.nhs.uk/2013/03/13/health-apps-blog/]

22.

NHS Health Apps Library. Review process [http://apps.nhs.uk/review-process]

23.

HM Government. Data Protection Act 1998 [http://www.legislation.gov.uk/ukpga/1998/29/contents]

24.

iFunBox Dev Team. iFunBox – app installer & file manager for iPhone, iPad and iPod Touch 2.7 [http://www.i-funbox.com/]

25.

ES APP Group. ES file explorer file manager 3.0.7.0 [https://play.google.com/store/apps/details?id=com.estrongs.android.pop]

26.

Open Web Application Security Project. Man-in-the-middle attack [https://www.owasp.org/index.php/Man-in-the-middle_attack]

27.

Cortesi A. mitmproxy: a man-in-the-middle proxy 0.9.2 [http://mitmproxy.org/]

28.

Callegati F, Cerroni W, Ramilli M. Man-in-the-middle attack to the HTTPS protocol. IEEE Secur Priv. 2009;7:78–81.CrossRef

29.

Open Web Application Security Project. Certificate and public key pinning [https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning]

30.

Information Commissioner’s Office. Privacy notices code of practice. Wilmslow: Information Commissioner’s Office; 2010.

31.

Information Commissioner’s Office. Privacy in mobile apps – guidance for app developers [http://ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Detailed_specialist_guides/privacy-in-mobile-apps-dp-guidance.pdf]

32.

European Commission. Commission decisions on the adequacy of the protection of personal data in third countries [https://web.archive.org/web/20150628225441/http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm]

33.

Open Web Application Security Project. SQL injection [https://www.owasp.org/index.php/SQL_Injection]

34.

Agencia de Calidad Sanitaria de Andalucia. [Estrategia de calidad y seguridad en aplicaciones móviles de salud – confidencialidad y privacidad] [http://www.calidadappsalud.com/recomendaciones/confidencialidad-privacidad/]

35.

Agaku IT, Adisa AO, Ayo-Yusuf OA, Connolly GN. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J Am Med Inform Assoc. 2014;21:374–8.CrossRefPubMed

36.

King J. “How come I’m allowing strangers to go through my phone?” – smartphones and privacy expectations. In: Symposium on Usable Privacy and Security (SOUPS), 11–13 July 2012. Washington: SOUPS; 2012.

37.

Boyles JL, Smith A, Madden M. Privacy and data management on mobile devices [http://www.pewinternet.org/2012/09/05/privacy-and-data-management-on-mobile-devices/]

38.

Shklovski I, Mainwaring SD, Skúladóttir HH, Borgthorsson H. Leakiness and creepiness in app space: perceptions of privacy and mobile app use. In: 32nd annual ACM CHI Conference on Human Factors in Computing Systems, 26 April–1 May 2014. Toronto: ACM; 2014. p. 2347–56.

39.

Office of the Privacy Commissioner of Canada. Results of the 2014 Global Privacy Enforcement Network sweep [https://www.priv.gc.ca/media/nr-c/2014/bg_140910_e.asp]

40.

Finkle J, Chatterjee S, Maan L. EBay asks 145 million users to change passwords after cyber attack [http://www.reuters.com/article/2014/05/21/us-ebay-password-idUSBREA4K0B420140521]

41.

Harris KD. California data breach report [http://oag.ca.gov/ecrime/databreach/reporting]

42.

Ferrero-Alvarez-Rementeria J, Santana-Lopez V, Escobar-Ubreva A, Vazquez-Vazquez M. Quality and safety strategy for mobile health applications: a certification programme. Eur J ePractice. 2013.

43.

Plachkinova M, Andres S, Chatterjee S. A taxonomy of mHealth apps – security and privacy concerns. In: The 48th Hawaii International Conference on System Sciences (HICSS), 5–8 January 2015. Kauai: HICSS; 2015. p. 3187–96.CrossRef

44.

Martinez-Perez B, de la Torre-Diez I, Lopez-Coronado M. Privacy and security in mobile health apps: a review and recommendations. J Med Syst. 2014;39:181.CrossRefPubMed

45.

Weber RH. Internet of Things – new security and privacy challenges. Comput Law Secur Rev. 2010;26:23–30.CrossRef

46.

Bureau of Consumer Protection. Marketing your mobile app: get it right from the start [http://www.business.ftc.gov/documents/bus81-marketing-your-mobile-app]

47.

Federal Trade Commission. Mobile privacy disclosures – building trust through transparency. USA: Federal Trade Commission; 2013.

48.

Organisation for Economic Co-operation and Development. The OECD privacy framework 2013 [http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf]

49.

OWASP Mobile Security Project. Top ten mobile risks – final list 2014 [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks]

50.

Hall JL, McGraw D. For telehealth to succeed, privacy and security risks must be identified and addressed. Health Aff (Millwood). 2014;33:216–21.CrossRef

51.

Yang YT, Silverman RD. Mobile health applications: the patchwork of legal and liability issues suggests strategies to improve oversight. Health Aff (Millwood). 2014;33:222–7.CrossRef

52.

Federal Trade Commission. “Acne cure” mobile app marketers will drop baseless claims under FTC settlements [http://www.ftc.gov/news-events/press-releases/2011/09/acne-cure-mobile-app-marketers-will-drop-baseless-claims-under]

53.

Medicines and Healthcare Regulatory Agency. Guidance on medical device stand-alone software (including apps) [http://www.mhra.gov.uk/Howweregulate/Devices/Software/index.htm]

54.

Cortez NG, Cohen IG, Kesselheim AS. FDA regulation of mobile health technologies. N Engl J Med. 2014;371:372–9.CrossRefPubMed

55.

Takabi H, Joshi JBD, Gail-Joon A. Security and privacy challenges in cloud computing environments. IEEE Secur Priv. 2010;8:24–31.CrossRef

56.

Abbas A, Khan SU. A review on the state-of-the-art privacy-preserving approaches in the e-Health clouds. IEEE J Biomed Health Inform. 2014;18:1431–41.CrossRefPubMed

57.

Huckvale K, Car J. Implementation of mobile health tools. JAMA. 2014;311:1447–8.CrossRefPubMed

Title: Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
Authors: Kit Huckvale
José Tomás Prieto
Myra Tilney
Pierre-Jean Benghozi
Josip Car
Publication date: 01-12-2015
Publisher: BioMed Central
Published in: BMC Medicine / Issue 1/2015
Electronic ISSN: 1741-7015
DOI: https://doi.org/10.1186/s12916-015-0444-y

2024 ASCO Annual Meeting

Springer Medicine

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

Abstract

Background

Methods

Results

Conclusions

2024 ASCO Annual Meeting

Springer Medicine

Abstract

Background

Methods

Results

Conclusions

Please log in to get access to this content

Other articles of this Issue 1/2015

Safe prescribing of non-steroidal anti-inflammatory drugs in patients with osteoarthritis – an expert consensus addressing benefits as well as gastrointestinal and cardiovascular risks

Chemotherapy reduces PARP1 in cancers of the ovary: implications for future clinical trials involving PARP inhibitors

Validation of the Scandinavian guidelines for initial management of minimal, mild and moderate traumatic brain injury in adults

Consumption of whole grains and cereal fiber and total and cause-specific mortality: prospective analysis of 367,442 individuals

Positive predictive value of non-invasive prenatal screening for fetal chromosome disorders using cell-free DNA in maternal serum: independent clinical experience of a tertiary referral center

Incorporating genetics into the identification and treatment of Idiopathic Pulmonary Fibrosis