Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
File(s)
s12916-015-0444-y.pdf (545.73 KB)
Published version
Author(s)
Huckvale, K
Prieto, JT
Tilney, MYRA
Benghozi, P-J
Car, JOSIP
Type
Journal Article
Abstract
Background: Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program.

Methods: Cross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments.

Results: The study revealed that 89 % (n = 70/79) of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66 % (23/35) of apps sending identifying information over the Internet did not use encryption and 20 % (7/35) did not have a privacy policy. Overall, 67 % (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78 % (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases.

Conclusions: Systematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.
Date Issued
2015-09-25
Online Publication Date
2015-09-07
2015-09-30T10:21:51Z
Date Acceptance
2015-08-07
ISSN
1741-7015
Publisher
BioMed Central
Journal / Book Title
BMC Medicine
Volume
13
Issue
1
Copyright Statement
© 2015 Huckvale et al.
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.
Source Database
manual-entry
Identifier
https://bmcmedicine.biomedcentral.com/articles/10.1186/s12916-015-0444-y
Subjects
Science & Technology
Life Sciences & Biomedicine
Medicine, General & Internal
General & Internal Medicine
Smartphone
Mobile
Apps
Accreditation
NHS
Privacy
Confidentiality
Cross-sectional study
Systematic assessment
SECURITY
INFORMATION
Computer Security
Confidentiality
Cross-Sectional Studies
Humans
Internet
National Health Programs
Risk Assessment
Software
United Kingdom
11 Medical and Health Sciences
Publication Status
Published
Article Number
214