
NHS-approved healthcare apps found to be leaking unencrypted user data

A study into the data security of NHS healthcare apps highlights serious privacy shortcomings

A range of healthcare apps approved for use by the NHS have been found to leak data about their users, with many failing to encrypt the patient information they send over the internet.

That’s one of the key findings of a recent study, co-authored by researchers from Imperial College London, into the data privacy risks posed by the software listed in the NHS Health Apps Library.

The online resource was set up in March 2013 to provide users with access to a range of health monitoring and treatment apps that people can scroll through before downloading them from the Apple App Store or Google Play marketplace.

Despite having access to markedly more sensitive types of personal data, these apps offer no more protection for user information than those featured in more general-purpose app stores that go unvetted by the NHS, the accompanying report into the research stated.

The researchers carried out a six-month assessment of all 79 of the library’s apps, which had been certified by its curators as being “clinically safe” and “trustworthy”. During the assessment, the researchers alternated between daily use and less frequent, intermittent interaction.

“Testing was used to characterise app features, explore data collection and transmission behaviour, and identify adherence to data protection principles concerning information security,” the study said.

The research revealed that 89% of the apps transmitted information to online services, and none of them encrypted the personal data of their users when it was stored locally on their devices.


Furthermore, 66% also failed to use encryption when similar data was sent from the apps over the internet, and two apps were pinpointed as featuring security issues that could leave users at risk of data theft.

“Two cloud-based apps had critical privacy vulnerabilities; weaknesses of design that could be intentionally exploited to obtain user information. As long as these vulnerabilities persist, the privacy of users is in jeopardy,” the report warned.

The study also found 20% failed to have a privacy policy setting out the steps they take to safeguard users’ personal information, although none of the apps were found to transmit information that they promised not to.

“Apps available through the NHS Health Apps Library exhibited substantial variation in compliance with data protection principles, demonstrated both by the availability and content of privacy policies, and adherence to recommended practices for confidentiality enforcement,” the report continued.

“[This] raises concerns about potential risks to users and questions the ability of accreditation processes relying substantially on developer self-certification to ensure adherence to data protection principles.”

This is an issue that needs to be addressed by regulators, the report concluded, as data security concerns could put some users off using these apps, despite their clinical value.

“If patients or the public are deterred from using apps because of questions of trust, then the potential clinical benefits of health will not be realised,” it added.
