Skip to main page content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Access keys NCBI Homepage MyNCBI Homepage Main Content Main Navigation
. 2015 Sep 7:13:214.
doi: 10.1186/s12916-015-0444-y.

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

Kit Huckvale  1 José Tomás Prieto  2 Myra Tilney  3 Pierre-Jean Benghozi  4 Josip Car  5   6
Affiliations

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

Kit Huckvale et al. BMC Med. .

Abstract

Background: Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program.

Methods: Cross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments.

Results: The study revealed that 89% (n = 70/79) of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66% (23/35) of apps sending identifying information over the Internet did not use encryption and 20% (7/35) did not have a privacy policy. Overall, 67% (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78% (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases.

Conclusions: Systematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.

PubMed Disclaimer

Figures

Fig. 1
Fig. 1
A ‘man-in-the-middle’ attack. A man-in-the-middle attack is able to intercept network traffic sent by a mobile app in a way that is invisible to users and services
See this image and copyright information in PMC

Comment in

References

    1. Klasnja P, Pratt W. Healthcare in the pocket: mapping the space of mobile-phone health interventions. J Biomed Inform. 2011;45:184–98. doi: 10.1016/j.jbi.2011.08.017. - DOI - PMC - PubMed
    1. research2guidance. Mobile health market report 2013–2017 [http://www.research2guidance.com/shop/index.php/downloadable/download/sa...]
    1. Comstock J. Survey: 32 percent of mobile device owners use fitness apps [http://mobihealthnews.com/29358/survey-32-percent-of-mobile-device-owner...]
    1. Manhattan Research. 2014 environment [http://manhattanresearch.com/Products-and-Services/Physician/Taking-the-...]
    1. Steinhubl SR, Muse ED, Topol EJ. Can mobile health technologies transform health care? JAMA. 2013;310:2395–6. doi: 10.1001/jama.2013.281078. - DOI - PubMed