Is Your Information on Mobile Health Apps Safe?

Everything you want or need is at your fingertips with mobile devices today. You can buy groceries online and play music with the sound of your voice with smart speakers like Amazon’s Echo. This power has given people more control over their lives, and that control has also transferred into an area that impacts many: health. Mobile health apps have become a major development in the online world and medicine, helping patients and health providers work together to help patients watch, maintain, and improve their health and medical conditions. For instance, there are apps that can track how many calories you burn and monitor your heart rate. There are even “smart pills” that patients can swallow that administer drugs, and these pills have sensors that detect when they make contact with stomach fluid. Data from the sensor ultimately gets transferred to an app, where doctors can access that data, with the patient’s consent, to see what time the pill was taken. The benefits of these technological advances on health help patients take a proactive role in their well-being by allowing them to track vital signs and other measures of what’s happening in their bodies, but do these advances come at the cost of privacy or even crime? Here are some facts about the information collected by health apps, why you should be concerned about it, and what you can do to protect yourself.

The Findings

Unfortunately, research studies have found that many health apps in the market do nothing to guard sensitive data, share the information with third-parties, and fail to enforce or provide privacy policies.A study published in the Journal of the American Medical Association (JAMA) in 2016 identified over 250 Android diabetes apps in the Google Play App store and ended up conducting analysis on 211 of them. They found that 81% of the apps did not have privacy policies. Among the 19% that did have policies, many of them failed to protect privacy. Most of the apps actually collected user information, almost half shared that information with third-parties and/or partners, and 46.3% did not have electronic safeguards in place to protect user data.Another study released in the American Journal of Geriatric Psychology found that among 72 iPhones apps that collected user-generated data  and were found under the search terms “medical + dementia” or “health & fitness + dementia,” more than half (54%) did not have available privacy policies. Of the 33 apps that did provide policies, 42% had policies that were not specific to the application, and 24% failed to explain how individual information would be managed. Among the apps that did specify how the individual user information would be used, many lacked clarity and thorough information, shared that information was being collected for internal purposes, and detailed cases in which user information would be disclosed to third parties.Finally, a 2016 European study with participation from researchers at the University of Piraeus in Greece and the head of the Smart Health Research Group at the Department of Computer Engineering and Mathematics at Rovira i Virgili University (URV) in Spain also uncovered significant findings on health apps and privacy. In this study, research and analysis was conducted on 20 of the most popular Android health apps, with popularity being based on the number of downloads and review scores. It was discovered that half of the apps shared information such as x-ray images and multimedia data with outside parties. Half of the apps also requested and distributed passwords over non-secure connections, and some requested access to features like contact lists, Bluetooth, microphones, and cameras, even though those features were not required by the app in order to function.

Why You Should Be Concerned

Health records and information are actually more valuable than commonly stolen information like credit card numbers, especially since, unlike credit cards, health information does not “expire.” The weak and lax protective measures many health apps have been found to keep in place create vulnerabilities in a variety of ways that are alarming. For instance, the transmission of patient information over unsecured HTTP connections can create pathways for cyber thieves to steal patient data to buy medical equipment or medications to resell on black markets. Personal medical data like x-rays can also get sold to foreign nationals who are unable to pass health exams in order to obtain travel visas. Fitness apps that track footsteps like MyFitnessPal can also be used to track users and compile patterns on their whereabouts and daily routine using location data.As a matter of fact, the activity-tracking app Strava was at the center of controversy when it was found that it revealed the locations and internal layouts of Middle Eastern military bases through a heatmap feature that foreign military personnel on the bases must have opted into.Another worrying concern is that because the information collected is not considered to be “health data,” the management of this app-acquired health data is not regulated by any governing bodies like the Food and Drug Administration (FDA).

What You Can Do to Protect Your Information

The first step toward protection of your privacy from health apps is to download health apps only from trusted sources. Look up reviews and ratings on the app in the App store or online to see if the app has a track record of mismanaging users’ sensitive data. Look for red flags as well. For instance, if there is no available privacy policy, or if the policy is confusing or does not specifically reference the app, it may be better not to download that app.Another step you can take to control over your security and privacy on your health apps is to opt-out out of location tracking features or create privacy zones wherever possible. Some apps have enhanced privacy mode settings that allow you to specify locations within a specified radius, or zone, for which you do not want the app to perform any location recording or tracking.

Learn More About Data and Privacy

If you want to be informed on how digital privacy measures work and also on patient information protection under the Health Insurance Portability and Accountability Act (HIPAA), take a look at the courses that Cybrary has to offer that can provide guidance and insight into these topics.

• Organizational Data Security Fundamentals
• Protection of Information Assets
• HIPAA Training
• HIPAA Security Awareness