Health apps fail to protect personal data

New research casts doubt on data security and privacy of apps

Health apps: not fit for privacy?

Medical apps accredited by the NHS explicitly for data protection are failing to deliver on that score, according to a research paper.

The paper, published in BMC Medicine, looked at 79 separate apps included on the NHS' “Health App Library,” on both Android and iOS. These apps are aimed at people trying to lose weight, reduce alcohol intake, and address other health issues. The apps were evaluated over a six-month period by inputting simulated information, tracing the handling of this information, and observing how this agreed with any related privacy policies.

Researchers found that out of the 70 apps they researched, 23 sent data over the internet without encrypting it. As well as that, 38 apps sent data over the internet despite having a policy that stated no personal information would be sent. The researchers also managed to mount a man-in-the-middle attack to record data sent by several apps over the internet.
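The audit approach described above (seed simulated data, trace where it goes, compare with the privacy policy) can be sketched as follows. This is an added example, not code or data from the study: the canary values, app names, flow records and policy table are all constructed, and the flow format is an assumed export from an intercepting proxy on a test device.

```python
import base64
from urllib.parse import quote, urlsplit

# Constructed canary values typed into each app under test.
CANARIES = {"email": "canary.4711@example.test", "weight": "83.4kg-c4711"}

# Constructed: does the app's privacy policy claim nothing personal is sent?
POLICY_CLAIMS_NO_TRANSMISSION = {"app-a": False, "app-b": True, "app-c": True}

_B64_EMAIL = base64.b64encode(CANARIES["email"].encode()).decode()

# Constructed flow records (hypothetical proxy export: app, URL, request body).
FLOWS = [
    {"app": "app-a", "url": "http://api.a.example.test/sync",
     "body": "email=canary.4711%40example.test&steps=9000"},
    {"app": "app-b", "url": "https://api.b.example.test/v1/profile",
     "body": '{"weight": "83.4kg-c4711"}'},
    {"app": "app-b", "url": "http://ads.example.test/t?e=" + _B64_EMAIL, "body": ""},
    {"app": "app-c", "url": "https://cdn.c.example.test/config", "body": ""},
]

def variants(value):
    """Raw, URL-encoded and base64 forms a seeded value may take on the wire."""
    return {value, quote(value, safe=""), base64.b64encode(value.encode()).decode()}

def leaked_fields(flow):
    """Names of seeded fields that appear anywhere in the URL or body."""
    haystack = flow["url"] + "\n" + flow["body"]
    return {name for name, value in CANARIES.items()
            if any(v in haystack for v in variants(value))}

def audit(flows, policy):
    """Per app: fields sent at all, fields sent without TLS, policy mismatch."""
    report = {}
    for flow in flows:
        entry = report.setdefault(flow["app"], {"sent": set(), "cleartext": set()})
        fields = leaked_fields(flow)
        entry["sent"] |= fields
        if urlsplit(flow["url"]).scheme != "https":
            entry["cleartext"] |= fields
    for app, entry in report.items():
        # Mismatch: policy says nothing is transmitted, yet a canary left the device.
        entry["contradicts_policy"] = bool(entry["sent"]) and policy.get(app, False)
    return report

if __name__ == "__main__":
    for app, entry in sorted(audit(FLOWS, POLICY_CLAIMS_NO_TRANSMISSION).items()):
        print(app, entry)
```

An `https` URL in this check only shows that TLS was used, not that the app validates the server certificate, so it does not by itself rule out interception.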

This raises questions over the competence of the Health App Library, which looks at not only whether the app is relevant to users in England, but also whether the apps use information from trusted and verifiable sources and comply with the UK Data Protection Act. This, said the NHS on its website, is to “make sure that they hold and use your information appropriately”.

Lead researcher Kit Huckvale, from Imperial College London, said in a statement: “Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS.”

“The results of the study provide an opportunity for action to address these concerns, and minimise the risk of a future privacy breach. To help with this, we have already supplied our findings and data to the NHS Health Apps Library.”

A spokeswoman for NHS Choices told the Press Association in a statement that: “It's important that all of the apps listed on the NHS Health Apps Library meet the criteria of being clinically safe, relevant to people living in England and compliant with the Data Protection Act.”

“We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated. A new, more thorough NHS endorsement model for apps has begun piloting this month.”

Ollie Whitehouse, technical director at NCC Group, told SCMagazineUK.com that if, as the research shows, this data is being transmitted in clear text over the Internet, there is a risk of interception.

“This interception might occur at a local level in an Internet café or at a higher-level in more sophisticated scenarios. Even if there is no immediate threat to our liberty and safety many would not be comfortable to know that suitably motivated threat actors, be they criminal or otherwise, could gain access to such information,” he said.

Chris Smith, vice president at Privitar, told SCMagazineUK.com that it is vital that personal data is treated with the utmost respect and security. 

“Sending unencrypted health data will do nothing to ease the fears of those who believe current standards are insufficient to protect confidential patient information. While much of the data collected by these apps is individually innocuous, criminals will often collect data from a range of sources, putting it together to create disturbingly detailed profiles. Many apps ask for a broad range of permissions and collect much more data than we might expect,” he said.

Martin Callinan, director of Source Code Control, told SCMagazineUK.com that medical data is highly sensitive and there are various clinical risk management standards, such as ISB 0129, which app developers should be adhering to.

“There should also be transparency for consumers about the governance adhered to by developers. The British Standards Institute recently published PAS 277 Health and wellness apps quality criteria to provide guidance for app developers in this area,” he said.

Paul Dignan, technical account manager at F5 Networks, told SC that where data was sent in the clear, the information would be readable at any point in the transit chain between client and server. “Effectively this means that the data, which is reported to include both identity and health data, could easily be captured and re-used or sold. Medical data is subject to stringent data protection act cover, so it would be interesting to understand what the policy on data transmission and leakage is with regards to that.”

Ann Sellar, business development manager at Crown Records Management, told SCMagazineUK.com that the NHS should have standard fair and reasonable terms for third-party apps which clearly state what data is shared and set requirements for data to be encrypted at rest and whilst being sent.

“Patients need to be confident the information they are sharing through an app is protected at all times and will not be compromised,” she said.

Catalin Cosoi, chief security strategist at Bitdefender, told SC that medical data could become more valuable than credit card data as it can spawn a wider range of attacks. “Also, if credit card data theft can easily be picked up on and transactions are easily halted by banks, medical data has a longer persistence and can lead to much more than simple financial theft,” he added.

He said that because medical identity theft is not quickly spotted, as opposed to credit card data theft, attackers can fraudulently issue medical bills or insurance claims. “Also, the medical information collected from these apps could be used in social engineering attacks that could ultimately lead to compromising enterprise perimeter security.”