
Unaddressed Privacy Risks in Accredited Health and Wellness Apps: a Cross-sectional Systematic Assessment

Overview
Journal: BMC Med
Publisher: Biomed Central
Specialty: General Medicine
Date: 2015 Sep 26
PMID: 26404673
Citations: 139
Abstract

Background: Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program.

Methods: Cross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments.

Results: The study revealed that 89% (n = 70/79) of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66% (23/35) of apps sending identifying information over the Internet did not use encryption and 20% (7/35) did not have a privacy policy. Overall, 67% (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78% (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases.

Conclusions: Systematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.

Citing Articles

Comparative Effectiveness of Wearable Devices and Built-In Step Counters in Reducing Metabolic Syndrome Risk in South Korea: Population-Based Cohort Study.

Joung K, An S, Bang J, Kim K. JMIR Mhealth Uhealth. 2025; 13:e64527.

PMID: 39999338 PMC: 11878715. DOI: 10.2196/64527.


Digital therapeutics as an emerging new therapy for diabetes mellitus: potentials and concerns.

Li S, Tao J, Tang J, Chu Y, Wu H. Endocr Connect. 2024; .

PMID: 38963663 PMC: 11378137. DOI: 10.1530/EC-24-0219.


A mixed methods analysis of existing assessment and evaluation tools (AETs) for mental health applications.

Ahmed S, Trimmer C, Khan W, Tuck A, Rodak T, Agic B. Front Public Health. 2024; 12:1196491.

PMID: 38774052 PMC: 11106355. DOI: 10.3389/fpubh.2024.1196491.


Quality assessment of mHealth apps: a scoping review.

Giebel G, Speckemeier C, Schrader N, Abels C, Plescher F, Hillerich V. Front Health Serv. 2024; 4:1372871.

PMID: 38751854 PMC: 11094264. DOI: 10.3389/frhs.2024.1372871.


Exploring individual's public trust in the NHS Test and Trace System - A pragmatic reflexive thematic analysis.

Babbage C, Wagner H, Dowthwaite L, Portillo V, Perez E, Fischer J. Internet Interv. 2024; 36:100740.

PMID: 38634005 PMC: 11021953. DOI: 10.1016/j.invent.2024.100740.

