Study: Many health apps insecure, do not conform to EU privacy requirements

Executive Summary

We came across a great article written by Dave Muoio that we are sharing below on the topic of maintaining privacy and security.

One of the biggest concerns in the realm of mobile health apps today is that a number of popular health apps have major privacy and security shortcomings. mHealth apps carry and collect a lot of personal and sensitive data, which is why it is crucial for them to follow the security regulations set out for the protection of their clients' privacy. However, much medical device software either contains security flaws due to poor design choices and implementation or comes under attack from hackers.

Contact Person: Dave Muoio, MobiHealthNews, February 12, 2018

We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.


Data from a recent analysis suggest that a substantial number of popular health apps have major privacy and security shortcomings, with many not following standard practices and upcoming European Union data safety regulations.

The study, which examined a selection of 20 apps from the top 1080 of the “Medical” and “Health and Fitness” sections of the Google Play store, identified a number of minor and major security openings common to the offerings that hackers would likely be able to exploit. These included a lack of encryption, the use of GET instead of POST requests for sensitive data transmission, and insecure programming practices.

“Even though enforcing security and privacy requirements in mobile apps is admittedly not an easily achievable task, when sensitive data are at stake one would expect mHealth applications to follow well-known security and privacy guidelines and legally binding data protection provision to guarantee data privacy and safety,” researchers from the Institute of Electrical and Electronics Engineers (IEEE) wrote in the journal IEEE Access. “However, many popular apps, which process sensitive data, often fail to provide even basic protection to users’ privacy due to either inappropriate implementations or poor design choices.”

To be included in the analysis, each of the 20 apps had to be free, in English, have been downloaded at least 100,000 times, and require users to input health or personal data that would be transmitted to a remote host. Generally, these apps fell within three major categories: pregnancy and baby growth, health agendas and symptom managers, and blood pressure or diabetes support. To gauge what data could be accessed by outside parties and how safely data was being communicated, the team ran each app through a multi-step analysis process and highlighted any common pitfalls or trends they found.

The team found “numerous” shortcomings among the apps, with many violating notable data protection regulations intended to prevent inappropriate disclosure of health data — conditions, symptoms, photos, location, emails, and passwords — to third parties. They wrote that they observed a general lack of encryption, frequent use of less secure HTTP request methods for sensitive data transmission, and other insecure programming practices across many of the apps.
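The transport and request-method findings above can be checked for in a traffic capture taken while testing an app. The following is an added example, not code from the study or the article; the sensitive-parameter list, the "METHOD URL" input format and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed list of sensitive parameter names, based on the data types the
# article mentions (conditions, symptoms, location, emails, passwords).
SENSITIVE_KEYS = {"email", "password", "symptom", "symptoms", "condition",
                  "lat", "lon", "location"}

def audit_request(method, url):
    """Return a sorted list of findings for one captured request."""
    findings = set()
    parts = urlsplit(url)
    # keep_blank_values so an empty sensitive field is still detected
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(keys & SENSITIVE_KEYS)
    if parts.scheme.lower() != "https":
        findings.add("cleartext-transport")
    if leaked:
        # URLs are recorded in server and proxy logs even when TLS is used
        findings.add("sensitive-data-in-url:" + ",".join(leaked))
        if method.upper() == "GET":
            findings.add("get-for-sensitive-data")
    return sorted(findings)

def audit_capture(lines):
    """Audit 'METHOD URL' lines; return {line: findings} for flagged ones."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        method, _, url = line.partition(" ")
        findings = audit_request(method, url.strip())
        if findings:
            report[line] = findings
    return report

# Constructed sample capture (not data from the study).
SAMPLE = [
    "GET http://api.example.test/login?email=a%40b.test&password=hunter2",
    "GET https://api.example.test/diary?symptoms=headache",
    "POST http://api.example.test/bp",
    "POST https://api.example.test/bp",
]

if __name__ == "__main__":
    for req, findings in audit_capture(SAMPLE).items():
        print(req, "->", findings)
```

Only the last sample request passes: it uses HTTPS and carries its data in the request body rather than the URL.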

Further, many of the apps fell short of various privacy stipulations laid out by the EU’s General Data Protection Regulation, a data privacy measure adopted by the European Commission in 2016 and set to become directly applicable in May 2018.

“In light of the above, security experts and privacy advocates raise the alarm about the potential privacy harms that derive from m-health apps processing personal and sensitive data, and urge for suitable countermeasures,” the team wrote.

Online healthcare services are a major target for data thieves and can be hit with numerous attacks within minutes of going online, according to another recent report from Armor Security Solutions. After constructing decoy server instances designed to resemble a web portal and site for a fake doctor’s office, the cloud security company saw its honeypot scanned roughly 2,500 times per week. More than 70 percent of the threats were SSH brute force authentication attacks, the company reported, and were likely automated using a list of common usernames and passwords to gain access.