Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessmentReport as inadecuate




Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment - Download this document for free, or read online. Document in PDF available to download.

BMC Medicine

, 13:214

First Online: 25 September 2015Received: 18 December 2014Accepted: 07 August 2015DOI: 10.1186-s12916-015-0444-y

Cite this article as: Huckvale, K., Prieto, J.T., Tilney, M. et al. BMC Med 2015 13: 214. doi:10.1186-s12916-015-0444-y

Abstract

BackgroundPoor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program.

MethodsCross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments.

ResultsThe study revealed that 89 % n = 70-79 of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66 % 23-35 of apps sending identifying information over the Internet did not use encryption and 20 % 7-35 did not have a privacy policy. Overall, 67 % 53-79 of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78 % 38-49 of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases.

ConclusionsSystematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.

KeywordsSmartphone Mobile Apps Accreditation NHS Privacy Confidentiality Cross-sectional study Systematic assessment AbbreviationsAPIApplication programming interface allows one software component for example, a mobile app, to execute functions in another, for example, a cloud-based online service, without special knowledge about how the second component operates. The interface defines the functions, the parameters required to execute them and the form of any data that are returned

HTTPHypertext Transfer Protocol the scheme by which web pages and associated content are transferred between a server to a web browser

HTTPSSecure variant of HTTP

ICOInformation Commissioner’s Office

IMEIInternational Mobile Station Equipment Identity a fixed identifier assigned to mobile phones

iOSiPhone-iPad operating system

IPInternet Protocol the main scheme governing the exchange of information between computers across the Internet. An IP address is a numerical identifier assigned to individual computers used to route information

MACMedia access control address a unique fixed identifier assigned to a network interface, for example a router or mobile-device wireless card

NHSNational Health Service

PINPersonal identification number a numeric password

Electronic supplementary materialThe online version of this article doi:10.1186-s12916-015-0444-y contains supplementary material, which is available to authorized users.

Download fulltext PDF



Author: Kit Huckvale - José Tomás Prieto - Myra Tilney - Pierre-Jean Benghozi - Josip Car

Source: https://link.springer.com/







Related documents