Mobile Health Apps Fall Short in Protecting Data Privacy

Ken Terry

September 29, 2015

Mobile health applications accredited by the United Kingdom's National Health Service do not adequately protect the privacy of users' personal health information, according to a study published September 7 in BMC Medicine.

Although the study applies to a small subset of mobile health apps, combining the results of this research with other studies suggests the privacy problem is endemic to many other apps, Kit Huckvale, MB ChB, from the Global eHealth Unit, Imperial College London, United Kingdom, and lead author of the BMC paper, told Medscape Medical News.

Adam C. Powell, PhD, president of the Payer+Provider Syndicate in Boston, Massachusetts, and an expert on mobile health apps, told Medscape Medical News, "The results of this study do not surprise me. App review processes have tended to be performed by consumers and clinicians observing the features of an app in typical use. Very few reviewers have attempted to examine the information stored or transmitted by devices, as doing so is technically challenging."

Of 79 apps studied, Dr Huckvale and colleagues found that 70 (89%) transmitted information to online services. No app encrypted personal information stored locally on mobile devices. Two thirds of the apps that sent personal identification information over the Internet did not use encryption, and 20% of these apps did not have a privacy policy.

"Overall, 67 % (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78 % (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption," the authors write.

The selected apps included programs designed for wellness, fitness, and chronic care management. Most collected user-generated content, and two thirds had users enter strong identifiers such as email addresses, usernames and passwords, or full names. The majority of the apps captured health-related data, and a third of them provided diaries to record health information. Almost a fifth of the programs recorded information related to alcohol, smoking, and substance abuse, and a few also asked about ethnicity, employment status, and sexuality.

Most of the apps communicated with one or more third party services, often in response to specific requests generated by users, such as searching for health information. Nearly a fifth of the applications sent information to advertisers or marketers. "No app deliberately sent strong identifiers or sensitive information to advertisers, marketing companies or other content providers," the authors write. However, some advertisers generated cookies that were stored on apps to track usage.

Most of the app data that went to marketers were deidentified, and other data just identified a user's device, noted Dr Huckvale. But that opens the possibility that users might receive targeted advertising. "We were most concerned about contextual information about health," he said. "For example, if you did a particular search about health, you'd be sent advertisements. The public might be concerned if data about their health status suddenly started popping up in targeted advertising."

Of the apps that allowed users to record information, 71% (50/70) had a privacy policy; the same was true for 70% (49/70) of apps that transmitted user-related information. Three quarters of free apps (43/58) had a disclosure compared with 43% (9/21) of paid-for apps. More Android than iOS apps had privacy policies.

"[N]early half of apps did not fully disclose that strong personal identifiers (n = 47 %, 23/49) would be transmitted and a quarter of apps (24 %, n = 12/49) sent analytics information without informing users," the authors note.

The accreditation process of the National Health Service Health Apps Library requires app vendors to uphold the principles of data protection embodied in the United Kingdom's Data Protection Act. However, the study found, the apps it examined "exhibited substantial variation in compliance with data protection principles."

Dr Huckvale speculated that some vendors might not have been aware of the data privacy rules because they came from areas outside of healthcare. In addition, he said, some firms might have encountered technical issues related to implementing privacy protections in the past, but that is no longer the case. "It's relatively easy to introduce the features."

Dr Huckvale said he is not aware of any large-scale thefts of mobile health data in the United Kingdom or the United States, but with all the hacking going on in healthcare, "There's an opportunity to make sure this doesn't happen," he added.

"We're hopeful that this paper will stimulate discussion and lead to resolution of the issue, rather than people going away from it and thinking that it can't be fixed. It definitely can be fixed. We have secure banking and things like that. We should try to sort it now before mHealth apps are more widely used," he concluded.

Dr Powell noted that reviewers of mHealth apps do not often evaluate the security and privacy of the information those apps store and transmit. "I have reason to question how repeatedly reviewers are assessing the visible characteristics of apps, such as the presence of a privacy policy," he said. "Evaluating the presence of invisible features, such as encrypted storage, is inherently more difficult, and it is likely that not all reviewers attempting to do so will do so accurately."

One of the apps included in this study was developed by Dr Huckvale and one coauthor. For this reason, assessment of this app was performed by another coauthor, who had no involvement in the development of the app, and checked by an independent third party. Another coauthor reports that he is on the Scientific Advisory Board of PsyberGuide, a nonprofit organization that reviews apps and tools for managing mental health conditions.

BMC Med. Published online September 7, 2015. Full text


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.