'Accredited' Health Apps Send Unencrypted Personal Information, Ignore Data Protection Rules: Study
The cross-pollination of health care and technology began some time ago, yet smartphone apps have only become popular within the past few years. Could some of the new health apps be endangering your privacy? Even accredited apps may not comply with safe data protection rules, with some sending unencrypted personal information online, a new study from Imperial College London finds.
Worldwide, nearly half a billion smartphone users also purchase health or wellness apps, according to market estimates. Over the next three years, some economists predict this figure will triple. A quarter of American adults report using one or more health apps, say the ICL researchers, and a third of physicians have recommended one in the past year.
Yet, "almost two-thirds of United States adults asked about the electronic exchange of medical information in clinical settings identified privacy as a salient issue," the researchers wrote. Could apps, which provide potential health benefits, also expose users to unforeseen risks?
“To build the future we want, in which patients can trust their medical apps, we need to verify that they function as intended,” Paul Wicks, vice president of innovation at PatientsLikeMe, a health information website, stated in a commentary on the ICL research.
Wicks is not alone in his desire for verification, and steps have already been taken in the direction he suggests. To reassure users about the safety of health apps, several app accreditation programs have been launched, including the United Kingdom's NHS Health Apps Library. To be registered in this library, apps undergo an appraisal process examining clinical safety and compliance with data protection laws.
Do the registered apps meet data requirements?
Led by Dr. Kit Huckvale, researchers from ICL and Ecole Polytechnique CNRS in France reviewed 79 apps listed on the NHS Health Apps Library in July 2013. The apps, which were available for iOS, Android, or both, addressed a range of health matters, including weight loss, alcohol harm reduction, smoking cessation, and self-care related to particular diseases or therapies. The researchers assessed the apps over a six-month period by inputting fake information, tracking the handling of this data, and examining privacy policies.
The researchers discovered that 70 apps transmitted information to online services, and 23 of those sent identifying information over the Internet without encryption. Four apps were found to be sending both identifying and health information without encryption. While 38 apps had a privacy policy, their policies failed to state the information covered.
With two-thirds of the apps lacking a privacy policy, the researchers wrote, "in this respect, health apps, whether accredited or not, appear to be little better than non-medical apps… despite greater potential sensitivities surrounding health-related information." Many health apps, it would seem, have some distance to go before they can be considered "secure."
Source: Huckvale K, Prieto JT, Tilney M, et al. Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment. BMC Medicine. 2015.