Worrying new research has found that most healthcare app developers share sensitive patient information with third parties, highlighting once again the security issues posed by the increased adoption of modern technology.
The research has been published in the British Medical Journal and comes after the recent discovery that Australia’s most-popular medical appointment booking app, HealthEngine, routinely shares the private medical information of hundreds of patients with personal injury law firms as part of a referral partnership contract.
Little transparency exists around third-party data sharing and health apps routinely fail to provide privacy assurances, despite collecting and transmitting multiple forms of personal and identifying information
Although the company claimed this was only done with users’ consent, these practices were not included in the privacy policy but in a separate ‘collection notice’ and there was no opportunity for users to opt out if they wished to use the application.
Now, the latest research, led by Quinn Grundy, an assistant professor with the Lawrence S. Bloomberg Faculty of Nursing at the University of Toronto and an honorary senior lecturer at the School of Pharmacy and Charles Perkins Centre at the University of Sydney, highlights major and ongoing risks.
“Mobile health apps are a booming market targeted at both patients and health professionals,” said the researchers.
“These apps claim to offer tailored and cost-effective health promotion, but they pose unprecedented risk to consumers’ privacy, given their ability to collect user data, including sensitive information.
“Health app developers routinely, and legally, share consumer data with third parties in exchange for services that enhance the user experience, such as connecting to social media, or to monetise the app, for example hosted advertisements.
“Little transparency exists around third-party data sharing and health apps routinely fail to provide privacy assurances, despite collecting and transmitting multiple forms of personal and identifying information.”
Third parties may collate data on an individual from multiple sources, the research found.
Privacy regulation should emphasise the accountabilities of those who control and process user data and developers should disclose all data-sharing practices and allow users to choose precisely what data are shared and with whom
And threats to privacy are heightened when data are aggregated across multiple sources and consumers have no way of identifying whether the apps or websites they use share their data with the same third-party providers.
Apps that provide medicines-related information and services may be particularly likely to share or sell data, given that these collect sensitive, specific medical information of high value to third parties.
For example, drug information and clinical decision support apps that target health professionals are of particular interest to pharmaceutical companies, which can offer tailored advertising and glean insights into prescribing habits.
Drug adherence apps targeting consumers can also deliver a detailed account of a patient’s health history and behaviours related to the use of medicines.
The researchers carried out the study in two phases: the first was a traffic analysis of the data sharing practices of the apps; and the second was a content and network analysis to characterise third parties and their interrelations.
And the results show that 79% of sampled apps shared user data.
Most health apps have significant vulnerabilities and the impact for healthcare organisations and health app users can be devastating
A total of 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies and service providers. 33% provided infrastructure-related services such as cloud services; and 67% provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.
The researchers concluded: “Sharing of user data is routine, yet far from transparent.
“Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.
“Privacy regulation should emphasise the accountabilities of those who control and process user data and developers should disclose all data-sharing practices and allow users to choose precisely what data are shared and with whom.”
Following the release of the study, Mark Noctor, vice president of Arxan Technologies, told BBH that privacy and security should be a top priority when it comes to healthcare apps.
“The recent study highlights privacy issues around health applications,” he said.
“As part of this privacy issue, it is vital we also consider the security of the apps.
“With the health apps sharing data with third parties, not only is a patient’s medical history, medication details, and other personal information being shared; there is also a much higher risk of this data being leaked.
Just as prevention saves lives and reduces care costs; this same approach needs to apply to app security
“Users of mobile health apps and IT decision makers with insights into the security of mobile health apps feel their mobile apps are adequately secure. In fact, most feel that app developers are doing everything they can to protect their health apps.
“However, perception is not reality. Most health apps have significant vulnerabilities and the impact for healthcare organisations and health app users can be devastating.
“As a baseline, before apps come onto the market, medical device manufacturers and developers need to thoroughly test them to ensure they are effectively protected against cyber attacks and exploits, and equally companies who decide to share their app’s data with third parties need to be certain those third-party apps are also secure.
“The healthcare community should understand this concept better than anyone – just as prevention saves lives and reduces care costs; this same approach needs to apply to app security.”
