Why hackers love health apps

Most health apps don't have good privacy or security safeguards.

WASHINGTON—That handy health app on your phone—the one with access to your medical history, your doctor’s name, even your home address—may be vulnerable to hackers. Technology experts discussed the risks at a House hearing July 14 with the Energy and Commerce subcommittee.

The fast growth of information technologies in the health care sector has outpaced the industry’s efforts to safeguard them. A report by IMS Health, a research and service provider for health care professionals, showed that more than 165,000 mobile health (or mHealth) apps were available in 2013. Many of the apps offer access to users’ electronic health records from doctors or hospitals.

Hackers particularly love the kind of medical information stored in health apps because it’s harder to change. A stolen credit card number can be cancelled, but medical histories, and the home addresses and Social Security numbers that often go into medical records—these things are hard to change and can therefore be sold for a higher price on the black market.

Few privacy policies and no regulation

Health apps are popular, but not very private. One-fifth of mobile devices in the United States have a health app installed. A study in the March issue of the Journal of the American Medical Association in March, however, showed that of 271 apps studied, 81 percent did not have privacy policies. Of the 19 percent (41 apps) that did have privacy policies, only four specified that they would seek permission before sharing data with third parties.

The act of selling of data collected by the apps isn’t regulated. Health apps also are not subject to privacy and security regulations in the Health Insurance Portability and Accountability Act (HIPAA).

Nicolas Terry, Indiana University Maurer School of Law Professor and a health care technologies regulation expert, called for Federal regulatory agencies to step in and create patient-information protections for the apps. “The most disruptive mobile health apps are those that are patient-facing,” Terry explained, referring to apps where information is directly available to users. Such a direct app-patient relationship lacks any professional buffer between the user and the information, he said. As a result, traditional regulation of safety, quality, and confidentiality suffer.

“Patient privacy should be well addressed. The selling of this information should be more transparent,” said Diane Johnson, director of the Strategic Regulatory at Johnson & Johnson, a multinational medical products and services provider that offers a number of mHealth apps. Johnson and others stressed that for mHealth app users, it’s a case of buyer beware.

Here's one ray of hope: Data saved in individual devices may be safer than data saved to clouds, said Bettina Experton, president of Humetrix, a health app developer based in Del Mar, California. Users’ information is “highly secure in personal devices,” Experton said. “Your phone can store securely when it’s encrypted. It’s in your hands and under your control.”

Join the CSO newsletter!

Error: Please check your email address.

Tags dataprivacy policiesinfosecappshealthmHealthPrivasechealth appsprivacysecurity in health

More about IMSTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Xuanyan Ouyang

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place