Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Mobile Health App Makers Still Shaky On Privacy Policies

Posted on September 16, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study has concluded that while mobile health app developers are developing better privacy practices, these developers vary widely in how they share those policies with consumers. The research, part of a program launched in 2011 by the Future of Privacy Forum, concludes that while mHealth app makers have improved their practices, too many are still not as clear as they could be with users as to how they handle private health information.

This year’s FPF Mobile App Study notes that mHealth players are working to make privacy policies available to users before purchase or download, by posting links on the app listing page. It probably has helped that the two major mobile health app distribution sites require apps that collect personal info to have a privacy policy in place, but consumer and government pressure has played a role as well, the report said. According to FPF researchers, mHealth app makers are beginning to explain how personal data is collected, used and shared, a step privacy advocates see as the bare minimum standard.

Researchers found that this year, 76% of top overall apps on the iOS App Store and Google Play had a privacy policy, up from 68% noted in the previous iteration of the study. In contrast, only 61% of health and fitness apps surveyed this year included a link to their privacy policies in their app store listing, 10% less than among top apps cutting across all categories.  “Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, their below-average performance is both unexpected and troubling,” the report noted.

This disquieting lack of thorough privacy protections extended even to apps collecting some of the most intimate data, the FPF report pointed out. In particular, a subset of mHealth developers aren’t doing anything much to make their policies accessible.

For example, researchers found that while 80% of apps helping women track periods and fertility across Google Play and the iOS App Store had privacy policies, just 63% of the apps had posted links to these policies. In another niche, sleep tracking apps, only 66% of even had a privacy policy in place, and just 54% of these apps linked back to the policy on their store page. (FPF terms this level of performance “dismal,” and it’s hard to disagree.)

Underlying this analysis is the unfortunate truth that there’s still no gold standard for mHealth privacy policies. This may be due more to the complexity of the still-maturing mobile health ecosystem than resistance to creating robust policies, certainly. But either way, this issue won’t go away on its own, so mHealth app developers will need to give their privacy strategy more thought.

Security Concerns Threaten Mobile Health App Deployment

Posted on January 26, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare organizations won’t get much out of deploying mobile apps if consumers won’t use them. And if consumers are afraid that their personal data will be stolen, they’ve got a reason not to use your apps. So the fact that both consumers and HIT execs are having what I’d deem a crisis of confidence over mHealth app security isn’t a good sign for the current crop of mobile health initiatives.

According to a new study by security vendor Arxan, which polled 815 consumers and 268 IT decision-makers, more than half of consumer respondents who use mobile health apps expect their health apps to be hacked in the next six months.

These concerns could have serious implications for healthcare organizations, as 76% of health app users surveyed said they would change providers if they became aware that the provider’s apps weren’t secure. And perhaps even more significantly, 80% of consumer health app users told Arxan that they’d switch to other providers if they found out that the apps that alternate provider offered were better secured. In other words, consumer perceptions of a provider’s health app security aren’t just abstract fears — they’re actually starting to impact patients’ health decision making.

Perhaps you’re telling yourself that your own apps aren’t terribly exposed. But don’t be so sure. When Arxan tested a batch of 71 popular mobile health apps for security vulnerabilities, 86% were shown to have a minimum of two OWASP Mobile Top 10 Risks. The researchers found that vulnerable apps could be tampered with and reverse-engineered, as well as compromised to provide sensitive health information. Easily-done hacks could also force critical health apps to malfunction, Arxan researchers concluded.

The following data also concerned me. Of the apps tested, 19 had been approved by the FDA and 15 by the UK National Health Service. And at least where the FDA is concerned, my assumption would be that FDA-tested apps were more secure than non-approved ones. But Arxan’s research team found that both FDA and National Health Service-blessed apps were among the most vulnerable of all the apps studied.

In truth, I’m not incredibly surprised that health IT leaders have some work to do in securing mobile health apps. After all, mobile health app security is evolving, as the form and function of mHealth apps evolve. In particular, as I’ve noted elsewhere, mobile health apps are becoming more tightly integrated with enterprise infrastructure, which takes the need for thoughtful security precautions to a new level.

But guidelines for mobile health security are emerging. For example, in the summer of last year, the National Institute of Standards and Technology released a draft of its mobile health cybersecurity guidance, “Securing Electronic Records on Mobile Devices” — complete with detailed architecture. Also, I’d wager that more mHealth standards should emerge this year too.

In the mean time, it’s worth remembering that patients are paying close attention to health apps security, and that they’re unlikely to give your organization a pass if they’re hacked. While security has always been a high-stakes issue, the stakes have gotten even higher.