Dr Muhammad Ikram
Cybersecurity experts says clinicians should help make patients aware of the data privacy risks when they use smartphone health apps developed for medical and health uses.
Their report, published in the BMJ, reveals that the vast majority (88%) of medical and health apps – mHealth apps – can access and potentially share personal data with third parties.
The collection of personal data by apps is not transparent and secure, and often exceeds what is publicly disclosed by app developers , the report said. And regulatory measures are often absent or vague and difficult to enforce.
Co-lead author Dr Muhammad Ikram , a lecturer in cybersecurity at Macquarie University, NSW, told the limbic that the rapid growth in popularity of health and fitness apps has come without much scrutiny of user privacy or regulatory control.
“This is really a very nascent phase for people looking into this ecosystem and the implications for privacy. This is the very first study to analyse these applications at scale,”
“In our report we suggest that patients should be informed about the privacy practices of these applications so they can make a conscious decision about the benefits and the risks of the service being offered,” he said.
In the absence of industry controls, the report recommends that clinicians should help patients guard against privacy risks before they install and use apps that can harvest sensitive information.
“Clinicians should understand the main privacy aspects of mHealth apps in their specialist area, along with their key functionalities, and be able to articulate these to patients in lay language,” the report says.
“Clinicians should resort to checking the permissions requested by the apps to access sensitive resources such as cameras, microphones, or locations; examine the app’s privacy policy; or review the app’s privacy behaviour,” the authors suggested
Data harvesting pervasive
Using a variety of data capture and analysis tools, the researchers did a privacy audit of more than 8,000 medical apps and 13,000 health and fitness apps for Android phones available on the Google Play store in Australia.
They focused on 15,800 mHealth apps that were free to download and use, and compared them with more than 8000 non-health apps.
They found that 88% of the mHealth apps included code that could potentially collect user data, and 4% transmitted user information in their traffic.
There were particular concerns about the collection and transmission of sensitive information such as users’ GPS locations and passwords using insecure communications channels.
“Despite these issues being topical, our analysis of mHealth app reviews showed that app users seem to have a limited awareness of the privacy conduct of the apps,” Dr Ikram and colleagues said, noting that privacy complaints did not feature largely in online reviews.
Dr Ikram said he was surprised by the apparent lack of attention to privacy issues among app users, and proposed that a government agency or medical group could draft guidelines for clinicians so they can advise users about potential risks.
The report found that 28% of the mHealth apps surveyed had no privacy policy attached, although the declaration of a policy was no guarantee of protection. Less than half of the apps with a privacy policy were compliant.
The research also shed light on prominence of big tech players as third parties in data harvesting, finding that 50 prominent services led by Google were responsible for 70% of data collection via app code and data transmissions.
Tracking features posed problems not only because of the sensitive information that may be involved but also because of “the use of a business model that is centred on selling subscriptions or sharing user data, and the lack of enforcement standards around the world”, the report said.
The authors also recommended that Google Play and Apple Store should vet developers’ privacy policies before making apps available.