Mobile health security remains a key concern for the healthcare industry, as patient data must be kept safe from cyber attacks and handled in line with regulatory standards. However, the prevalence of mobile health apps and devices is making it more difficult for medical care providers to ensure patient data remains protected. Mobile health security may not be as robust as hoped.
A research study published in the journal BMC Medicine shows that mHealth apps that are clinically accredited may not align with the standards set forth in data protection policies, according to a news release from BioMed Central.
For example, some users of mobile health apps freely sent their data through unencrypted channels, which put their personal and health information at risk of identity theft or other mobile health security concerns.
The popularity of mobile health apps continues to grow significantly throughout the world. Right now, one and a half billion smartphone users have at least one mobile health app installed on their phone and this number is expected to rise exponentially over the coming years.
Also, more doctors than ever before are recommending apps to their patients. As such, it is critical to ensure mobile health security strategies are used to keep patient data safe.
“A proper balance must be struck between innovation and caution, patient safety must be paramount,” Paul Wicks from PatientsLikeMe, a health information sharing website for patients, wrote in a commentary.
“The potential for benefit remains vast and the degree of innovation is inspiring - but it turns out we are much earlier in the maturation phase of medical apps than many of us would have liked to believe. To build the future we want, in which patients can trust their medical apps, we need to verify that they function as intended.”
There are programs available that allow for the accreditation and improvement of security features within mHealth applications. The researchers in the study looked at 79 different mHealth apps, which are all available on Android and iOS platforms. These apps covered a wide array of health and wellness aspects such as smoking cessation features, weight loss assistance, and self-care for long-term medical conditions.
The mobile health apps were analyzed over a six-month period, during which fabricated patient data was entered and the transmitted information was tracked to check for security features. The findings were then compared to the associated privacy policies.
The results show that 23 of the mobile health apps actually sent patient identity data over the Internet without any encryption. Also, 70 of the apps studied transmitted data to online services. Half of the apps, 38 in total, had mobile health security and privacy policies, but these privacy policies did not explain whether personal information would be sent through these transmissions.
“Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS,” lead researcher Kit Huckvale of Imperial College London, UK, stated in the release. “It is known that apps available through general marketplaces had poor and variable privacy practices, for example, failing to disclose personal data collected and sent to a third party.”
Also, it was discovered that four of the mHealth apps sent both identifying information and personal health data without any encryption whatsoever. One response comes from Intertek, which is offering a new service for mobile health apps called the 6-Point Security Check, according to a company press release. This service analyzes the cybersecurity of both browser-based and mobile applications.
“A cybersecurity assessment is one of the most important tools a medical device manufacturer can employ to ensure best practices are being used with connected medical devices and mobile health apps,” Delmar Howard, Program Manager at Intertek, said in a public statement. “Working with methodologies and processes during the development period can help avoid costly vulnerabilities by exposing and mitigating potential risks early in the process, as opposed to after product launch.”