Last Updated on February 11, 2023 by Tabraiz
According to a cross-sectional study published in the British Medical Journal, research has been conducted on over 20k health apps available in the Google Play Store. The surveyors found that 88% of the apps contain code that can obtain users' data.
The analysis showed that:
- Most data collection operations involved third-party providers
- 23% of user data transmissions occurred on insecure communication protocols
- 47% of data transfers complied with the mobile health app's privacy policies
As the healthcare industry switches to mobile app development to enhance patients’ care and seamless operational activities, the possible vulnerabilities and risks associated with app development have also poured in.
These apps can obtain extensive data from users, such as their diet plans, lifestyle patterns, locations, physical activity regime, etc. To deliver a high-quality service, many healthcare apps use the technology embedded in smart devices, such as cameras, sensors, and audio, to collect and store personal data.
In some of the mHealth apps, users are urged to provide their geo-location, phone identifier, and contact list even before they start using the app.
The Google Play Store asks for users' permission when the app is downloaded.

|App Permission Group|Other Permissions|
|---|---|
|In-app purchases|Receive data from internet|
|Device and app history|View network connections|
|Cellular data settings|Full network access|
|Contacts|Prevent the device from sleeping|
|Location|Change your audio settings|
|Phone|Run at start-up|
|Photo/Media/Files|Google Play license|
|Camera|Manage access to documents|
|Wi-fi connection information| |
|Bluetooth connection information| |
|Wearable sensors/activity data| |
|Device ID and call information| |
These permissions are not limited to apps alone. Wearable devices such as Fitbit, Apple Watch, Jawbone, Pebble Watch, etc. also get information about their users.
With all this, healthcare involves privacy issues concerning patients, doctors, and primary care providers. The key objective is to secure healthcare information systems and block unauthorized people from accessing medical records and sensitive data.
What are the Issues with mobile Health Apps?
- Privacy threats from telehealth involve confidentiality violations while collecting or transmitting sensitive data, and allocation of unreliable software/hardware. Communication through telehealth services falls outside the realm of HIPAA.
(HIPAA – the Health Insurance Portability and Accountability Act of 1996)
- Any healthcare device manufacturer or mobile app solution provider may share patient information with third-party commercial entities. Patients and providers may be highly dependent on the agreement forms, which results in poor privacy protection.
- Sensitive data is kept in insecure system logs.
- Medical and consumer device software solutions may contain security flaws or might get attacked by hackers.
- Some network-enabled medical devices do not fall under the HITECH Act's security flaw notification regulations.
(The HITECH Act – the Health Information Technology for Economic and Clinical Health Act of 2009.)
- Privacy laws that are not included in HIPAA may not be implemented in mobile health apps.
- Confidential details are sent over the Internet with insecure protocols, such as HTTP, misconfigured HTTPS, etc.
- Android app components that are meant to be private are set as exported, making them accessible by any other app.
- Confidential data gets stored on third-party servers.
- Confidential data gathered through Bluetooth-enabled health devices gets sniffed.
- Data gets stored without any encryption on an SD card that is publicly accessible by any other app.
- Confidential data can be inferred by a malicious app through side channels such as network packet size, sequence, timing, etc.
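Three of the issues above (cleartext HTTP, exported components, data on shared SD card storage) are visible in an app's AndroidManifest.xml, so they can be checked before release. The audit below is an added example, not code from the study or the original article; the manifest, package and component names are constructed, and the check covers only explicit manifest attributes.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest for a hypothetical app; not taken from a real product.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".RecordsProvider" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.mhealth.SYNC"/>
    <receiver android:name=".ReminderReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return (issue, detail) findings for three items from the list above."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    app = root.find("application")
    # Only an explicit "true" is flagged; the default depends on targetSdkVersion.
    if app is not None and app.get(NS + "usesCleartextTraffic") == "true":
        findings.append(("cleartext-traffic", "HTTP allowed app-wide"))
    for perm in root.iter("uses-permission"):
        if perm.get(NS + "name", "").endswith(".WRITE_EXTERNAL_STORAGE"):
            findings.append(("shared-storage", perm.get(NS + "name")))
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            exported = comp.get(NS + "exported") == "true"
            guarded = comp.get(NS + "permission") is not None
            # The launcher activity has to be exported, so it is not reported.
            launcher = any(c.get(NS + "name") == LAUNCHER for c in comp.iter("category"))
            if exported and not guarded and not launcher:
                findings.append(("exported-component", comp.get(NS + "name")))
    return findings


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

On the constructed manifest the audit reports the cleartext flag, the shared-storage permission and the unprotected `.RecordsProvider`, while the permission-guarded service and the non-exported receiver pass.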
How to Develop mHealth Apps that Protect users’ Privacy?
#1. Search for the Compliance
There are various government entities, legal bodies, numerous laws, and policies that regulate how any medical or healthcare provider should handle confidential patient data. Such laws make sure that no misuse occurs.
There are different kinds of data that need protection, such as:
- Insurance-relevant information
- Patients' social security numbers/contact details
- Any other sensitive information
The most common regulations and compliance acts to consider:
- HIPAA helps to safeguard confidential information, manage the way data gets shared, and limit access to patient data by unauthorized persons.
- General Data Protection Regulation (GDPR) is a set of rules for organizations that collect and transfer user data on the internet.
- HL7 (Health Level Seven) standard describes the format for the exchange of health data.
#2. Check for the right Encryption
To overcome app users’ trust issues, mHealth app providers need to encrypt confidential data. Healthcare encryption standards are one of the compelling ways to safeguard it.
The process of encryption uses algorithms that convert information written in plain text into unreadable code, known as ciphertext. Users require an encryption key to decrypt that information and turn the unreadable code back into plain text. Only legitimate users can access the encryption key, so even if the encrypted data falls into the wrong hands, unauthorized parties won't be able to read it.
Encryption can help to protect,
- Files stored on Server
- Communication channel
- Potentially sensitive data
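It is recommended to use SSL (Secure Sockets Layer) / TLS (Transport Layer Security) to encrypt the data in transit. In current practice this means TLS 1.2 or later, because all SSL protocol versions are deprecated. This keeps the data private while it travels over the communication channel.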
#3. Apply Authentication
By leveraging Multi-Factor Authentication (MFA), it is possible to safeguard mHealth apps from unauthorized use.
This method grants app access to users only when they provide evidence of their authenticity. MFA is particularly helpful in preventing access to confidential data when a device gets lost.
As the name suggests, MFA has multiple ways to validate a user's identity, such as:
- Voice identification
- Retinal scanning
- OTP (One Time Password)
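One common form of the OTP factor listed above is the time-based one-time password of RFC 6238. The server-side check below is an added example, not code from the original article; the `OtpVerifier` class, its drift window and the demo secret (the RFC test key) are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret (the RFC 6238 test key); a real one is random per user.
DEMO_SECRET = b"12345678901234567890"


def totp(secret, at, digits=6, step=30):
    """RFC 6238 time-based OTP (HMAC-SHA-1) for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical server-side check: tolerates clock drift, refuses replays."""

    def __init__(self, secret, window=1, step=30):
        self.secret, self.window, self.step = secret, window, step
        self.last_used = -1  # newest time step whose code was accepted

    def verify(self, submitted, now=None):
        current = int(time.time() if now is None else now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used:
                continue  # each code is accepted once only
            expected = totp(self.secret, counter * self.step, step=self.step)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print(code, verifier.verify(code, now=59), verifier.verify(code, now=59))
```

The second `verify` call with the same code returns `False`: a code intercepted on a lost or observed device cannot be replayed once it has been used.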
#4. Perform Security Testing
Security tests uncover deficiencies that may not be easily visible, such as:
- Accidental data leakage
- Inadequate authorization and authentication
- Insecure data storage
- Improper session handling
These deficiencies can reside in the mHealth app's OS, app flaws, risky end-user behaviour, etc.
#5. Security from Attackers
Some attackers and hackers break into protected systems and collect sensitive information.
Social engineers are one type of attacker who gains access to users' login credentials or account details. This is called phishing.
MITM (Man-in-the-middle) attacks involve a third party spying on the communication.
Along with healthcare techniques, hackers' approaches to attack have also become more advanced. So it is crucial to safeguard mobile health apps from hackers.
The key risks affecting data protection in mobile health apps are users' insufficient app knowledge, a lack of security measures to secure users' confidential data, data shared with third parties or marketers, and no user validation before logging in to the mHealth app.
Therefore it is recommended that healthcare apps should only obtain data that is highly essential for the app to execute the required functionalities.