Android Security Risks May Outweigh Benefits

Posted on April 26, 2013 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not long ago, my colleague John Lynn made a compelling pitch for the Android platform, arguing that it’s likely to take over healthcare eventually given its flexibility.  That flexibility stands in sharp contrast to Apple phones and tablets, which work quite elegantly but also impose rigid requirements on app developers.

That said, there are security risks associated with Android that might outweigh its advantages. The major carriers are doing little or nothing to upgrade and patch the Android versions on the phones they sell, leaving those phones open to security breaches.

The Android security problem is so egregious that the American Civil Liberties Union has filed a complaint with the Federal Trade Commission, asking the agency to investigate how AT&T, Verizon, Sprint and T-Mobile handle software updates on their phones.

In the complaint, the civil liberties group argues that the carriers have been engaging in “unfair and deceptive business practices” by failing to let customers know about well-known unpatched security flaws in the Android devices that they sell.

What makes things worse, the ACLU suggests, is that the carriers aren’t even offering consumers the option to update their phones.  Though Google has continued to fix flaws in the Android OS, these fixes aren’t being bundled and pushed out to the wireless carriers’ customers.  As the ACLU rightly notes, such behavior is unheard of in the world of desktop operating systems, where consumers regularly get updates from Apple and Microsoft.

In its complaint the ACLU argues that the carriers must either provide security updates to customers or allow them to get refunds on their devices and terminate their contracts without any penalty. It’s asking the FTC to force the carriers’ hand.

In the meantime, with healthcare requiring strict data security under HIPAA, one has to wonder whether hospitals and medical practices should be using Android devices at all (at least for their work).  Of course, clinicians who are accustomed to using their personal Android phones or tablets will be inconvenienced and probably fairly annoyed too.  But as things stand, hospital CIOs had better be really careful about how they handle Android phones in the healthcare environment.