Be careful when using a mobile health app



Given the unhealthy data collection habits of some mHealth apps, it’s advisable to exercise caution when choosing who you share some of your most sensitive data with.

A Prescription for Privacy: Be Careful When Using a Mobile Health App

In today’s digital economy, there’s an app for just about everything. One growing field is healthcare. From period tracking and fertility to mental health and mindfulness, there are mobile health (mHealth) apps available to help with almost any condition. In fact, this is a market that is already experiencing double-digit growth and is expected to be worth approximately $861 billion by 2030.

But when you use these apps, you might be sharing some of the most sensitive data you have. In fact, the GDPR classifications medical information is considered “special category” data, meaning it could “create significant risks to the individual’s fundamental rights and freedoms” if disclosed. That’s why regulators are requiring organizations to provide additional protections.

Unfortunately, not all app developers always have their users’ best interests in mind or know how to protect them. They may skimp on data protection measures, or not always to specify about how much of your personal information they share with third parties. With that in mind, let’s take a look at the main privacy and security risks of using these apps, and how you can stay safe.

What are the biggest privacy and security risks in healthcare apps?

The main risks of using mHealth apps fall into three categories: insufficient data security, excessive data sharing, and poorly worded or deliberately evasive privacy policies.

1. Data security concerns

These problems often arise from developers not following cybersecurity best practices. They could include:

  • Applications that are no longer supported or not receiving updates: Vendors may not have a vulnerability disclosure/management program in place or may have little interest in updating their products. Whatever the reason, if the software isn’t receiving updates, it means it may be riddled with vulnerabilities that attackers can exploit to steal your data.
  • Insecure protocols: Applications that use insecure communication protocols can put users at risk of hackers intercepting their data in transit from the application to the provider’s back-end or cloud servers, where it is processed.
  • No multi-factor authentication (MFA): Most reputable services today offer MFA as a way to increase security at the login stage. Without it, hackers could obtain your password via phishing or a separate breach (if you reuse passwords in different apps) and log in as if they were you.
  • Poor password management: For example, apps that allow users to keep default passwords or set insecure credentials such as “passw0rd” or “111111.” This exposes the user to credential stuffing and other brute force attempts to hack their accounts.
  • Enterprise Security: Application publishers may also have limited security controls and processes in place within their own data storage environment. This may include poor user awareness training, limited malware and endpoint/network detection, lack of data encryption, limited access controls, and lack of vulnerability management processes or incident response. All of this increases the chances of them experiencing a data breach.

2. Excessive data sharing

User health information (PHI) may include highly sensitive details about sexually transmitted diseases, substance abuse, or other stigmatized conditions. These may be sold or shared with third parties, including advertisers for marketing purposes and targeted advertising. Among the examples rated by Mozilla are mHealth providers who:

  • combine user information with data purchased from data brokers, social networking sites and other vendors to create more comprehensive identity profiles,
  • do not allow users to request deletion of specific data,
  • use inferences made about users when they respond to registration questionnaires that ask revealing questions about sexual orientation, depression, gender identity and more,
  • allow third-party session cookies that identify and track users across other websites to serve relevant advertisements,
  • Allow session recording, which monitors mouse movements, scrolling, and user typing.

3. Unclear privacy policies

Some mHealth providers may not be upfront about some of the privacy practices above, using vague language or hiding their activities in the fine print of terms and conditions. This can give users a false sense of security/privacy.


What the law says

  • GDPR: Europe’s flagship data protection law is fairly unequivocal regarding organizations handling special categories of personal health data. Developers must carry out privacy impact assessments, respect the principles of the right to erasure and data minimization and take “appropriate technical measures” to ensure that “necessary safeguards” are incorporated to protect privacy. personal data.
  • HIPAA: mHealth applications offered by commercial providers intended for use by individuals are not covered by HIPAA because the providers are not “covered entity” Or “partner.” However, some are – and require the implementation of appropriate administrative, physical and technical safeguards, as well as an annual payment. Risk analysis.
  • CCPA and CMIA: California residents have two pieces of legislation protecting their security and privacy in the context of mobile health: the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA). These requests a high level of data protection and explicit consent. However, they only apply to Californians.

Take Steps to Protect Your Privacy

Everyone will have a different risk appetite. Some will find the compromise between personalized services/advertising and privacy they are willing to make. Others may not worry if some medical data is breached or sold to third parties. It’s about finding the right balance. If you are concerned, consider the following:

  • Do your research before downloading. Find out what other users are saying and if there are any red flags from trusted reviewers
  • Limit what you share through these apps and assume that everything you say can be shared
  • Do not connect the app to your social media accounts or use them to log in. This will limit the data that can be shared with these companies.
  • Don’t give apps permission to access camera, location, etc. of your device.
  • Limit ad tracking in your phone’s privacy settings
  • Always use MFA when offered and create strong, unique passwords
  • Keep the app on the latest (most secure) version

Since Roe vs. Wade was overturned, the mHealth privacy debate has taken a worrying turn. A few sounded the alarm that data from period tracking devices could be used in lawsuits against women seeking to terminate their pregnancies. For a growing number of people looking for privacy-friendly mHealth apps, the stakes couldn’t be higher.

Leave a comment