Privacy
Given the unhealthy data collection habits of some mHealth apps, we recommend proceeding with caution when choosing who to share some of your most sensitive data with.
March 19, 2024
In today’s digital economy, there’s an app for just about everything. One sector that is booming more than others is the healthcare sector. From cycle and fertility trackers to mental health and mindfulness, mobile health (mHealth) apps are available to help with almost any condition. In fact, it is a market already experiencing double-digit growth, and expected to be worth around $861 billion by 2030.
But when you use these apps, you could be sharing some of the most sensitive data you have. In fact, the GDPR classifies medical information as “special category” data, meaning it could “create significant risks to an individual’s fundamental rights and freedoms” if disclosed. That’s why regulators require organizations to provide additional protections in this regard.
Unfortunately, not all app developers have their users’ interests at heart or always know how to protect them. They may skimp on data protection measures or may not always make it clear how much personal information they share with third parties. With that in mind, let’s take a look at the top privacy and security risks of using these apps and how you can stay safe.
What are the main privacy and security risks of healthcare apps?
The main risks of using mHealth apps fall into three categories: insufficient data security, excessive data sharing, and poorly formulated or deliberately evasive privacy policies.
1. Data security issues
These often arise from developers failing to follow cybersecurity best practices. They could include:
- Apps that are no longer supported or not receiving updates: Vendors may not have a vulnerability disclosure/management program or may be less interested in updating their products. Whatever the reason, if your software isn’t receiving updates, it means it may be full of vulnerabilities that attackers can exploit to steal your data.
- Insecure protocols: Apps that use insecure communication protocols can expose users to the risk of hackers intercepting their data in transit from the app to the provider’s backend or cloud servers, where it is processed.
- No multi-factor authentication (MFA): Most reputable services today offer MFA as a way to strengthen security at the login stage. Without it, hackers could get your password through phishing or a separate breach (if you reuse passwords across different apps) and log in as if they were you.
- Poor password management: For example, apps that allow users to keep factory default passwords or set insecure credentials such as “passw0rd” or “111111”. This leaves the user open to credential stuffing and other brute-force attempts to breach their accounts.
- Enterprise security: App companies may also have limited security controls and processes in their data storage environment. This could include poor user awareness training, limited anti-malware and endpoint/network detection, no data encryption, limited access controls, and no vulnerability management or incident response processes in place. All of this increases the chances that they could suffer a data breach.
2. Over-sharing of data
Users' protected health information (PHI) may include highly sensitive details about sexually transmitted diseases, substance addictions, or other stigmatized conditions. These may be sold or shared with third parties, including advertisers for targeted marketing and ads. Examples noted by Mozilla include mHealth providers who:
- combine user information with data purchased from data brokers, social media sites and other providers to create more complete identity profiles,
- do not allow users to request deletion of specific data,
- use inferences made about users when they answer sign-up questionnaires that ask revealing questions about sexual orientation, depression, gender identity and more,
- allow third-party session cookies that identify and track users on other websites to serve relevant ads,
- allow session recording, which monitors the user’s mouse movements, scrolling, and typing.
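One way to check an app for two of the risks above, cleartext traffic and data flowing to third parties, is to route a test device through an intercepting proxy and audit what the app sends. The sketch below is an added example, not code from the original article; the hosts, field names and capture format are constructed for illustration, and the "last two labels" site comparison is a simplifying assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: requests captured from a hypothetical mHealth app on a
# test device. All hosts, paths and form fields below are made up.
FIRST_PARTY = "cycleapp.example"
SENSITIVE_KEYS = {"condition", "symptom", "orientation", "email"}
CAPTURE = [
    {"url": "https://api.cycleapp.example/v1/log", "body": "symptom=cramps"},
    {"url": "http://api.cycleapp.example/v1/sync", "body": "email=a%40b.example"},
    {"url": "https://ads.tracker.example/pixel",
     "body": "uid=123&condition=depression",
     "set_cookie": "sid=abc; Max-Age=31536000"},
    {"url": "https://replay.vendor.example/rec", "body": "scroll=120"},
]

def site(host):
    """Crude registrable domain (last two labels). Assumption for this sample;
    real tooling should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(capture, first_party=FIRST_PARTY):
    """Return (kind, host, detail) findings for each captured request."""
    findings = []
    for entry in capture:
        url = urlsplit(entry["url"])
        host = url.hostname or ""
        # Insecure protocol: anything not sent over TLS can be read in transit.
        if url.scheme != "https":
            findings.append(("cleartext", host, url.scheme))
        if site(host) == site(first_party):
            continue
        # Everything below concerns data leaving the app vendor's own site.
        findings.append(("third-party-request", host, url.path))
        if entry.get("set_cookie"):
            name = entry["set_cookie"].split("=", 1)[0].strip()
            findings.append(("third-party-cookie", host, name))
        fields = parse_qs(entry.get("body", "")).keys() & SENSITIVE_KEYS
        for key in sorted(fields):
            findings.append(("sensitive-field-shared", host, key))
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(*finding, sep="\t")
```
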
3. Unclear privacy policies
Some mHealth providers may not be truthful about some of the privacy practices above, using vague language or hiding their activities in the fine print in the Terms and Conditions. This can give users a false sense of security/privacy.
What the law says
- GDPR: Europe’s main data protection law is quite unambiguous regarding organizations that handle special categories of PHI. Developers must conduct privacy impact assessments, follow the principles of the right to erasure and data minimization, and take “appropriate technical measures” to ensure that “necessary safeguards” are built in to protect personal data.
- HIPAA: mHealth apps offered by commercial vendors for use by individuals are not covered by HIPAA, as the vendors are not a “covered entity” or “business associate.” However, some are, and these must adopt appropriate administrative, physical and technical safeguards, as well as carry out an annual risk analysis.
- CCPA and CMIA: California residents have two pieces of legislation that protect their security and privacy in an mHealth context: the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA). These require a high standard of data protection and explicit consent. However, they only apply to Californians.
Take steps to protect your privacy
Everyone will have a different risk appetite. Some will find the trade-off between personalized services/advertising and privacy one they are willing to make. Others may not care if some medical data is hacked or sold to third parties. It’s about finding the right balance. If you are concerned, consider the following:
- Do your research before downloading. See what other users are saying and if there are any red flags from trusted reviewers.
- Limit what you share via these apps and assume that everything you say can be shared.
- Do not link the app to your social media accounts or use them to log in. This will limit the data that can be shared with these companies.
- Don’t allow apps to access your device’s camera, location, etc.
- Limit ad tracking in your phone’s privacy settings.
- Always use MFA where offered and create strong, unique passwords.
- Keep the app on the latest (safest) version.
Since Roe vs. Wade was overturned, the mHealth privacy debate has taken a worrying turn. Some have raised the alarm that data from period trackers could be used in legal proceedings against women seeking to terminate pregnancies. For a growing number of people looking for privacy-friendly mHealth apps, the stakes couldn’t be higher.