Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified a...


Bibliographic Details
Main Authors: Huckvale, Kit, Prieto, José Tomás, Tilney, Myra, Benghozi, Pierre-Jean, Car, Josip
Other Authors: Lee Kong Chian School of Medicine (LKCMedicine)
Format: Article
Language:English
Published: 2015
Subjects:
NHS
Online Access:https://hdl.handle.net/10356/80980
http://hdl.handle.net/10220/39032
Institution: Nanyang Technological University
Language: English
id sg-ntu-dr.10356-80980
record_format dspace
spelling sg-ntu-dr.10356-809802022-02-16T16:29:41Z Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment Huckvale, Kit Prieto, José Tomás Tilney, Myra Benghozi, Pierre-Jean Car, Josip Lee Kong Chian School of Medicine (LKCMedicine) Smartphone Mobile Confidentiality Apps Accreditation NHS Privacy Cross-sectional study Systematic assessment Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program. Methods: Cross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments. Results: The study revealed that 89% (n=70/79) of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66% (23/35) of apps sending identifying information over the Internet did not use encryption and 20% (7/35) did not have a privacy policy. Overall, 67% (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78% (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. 
Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases. Conclusions: Systematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released. Published version 2015-12-10T06:54:32Z 2019-12-06T14:18:49Z 2015-12-10T06:54:32Z 2019-12-06T14:18:49Z 2015 Journal Article Huckvale, K., Prieto, J. T., Tilney, M., Benghozi, P.- J., & Car, J. (2015). Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment. BMC Medicine, 13, 214-. 1741-7015 https://hdl.handle.net/10356/80980 http://hdl.handle.net/10220/39032 10.1186/s12916-015-0444-y 26404673 en BMC Medicine © 2015 Huckvale et al. Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated. 13 p. application/pdf
institution Nanyang Technological University
building NTU Library
continent Asia
country Singapore
Singapore
content_provider NTU Library
collection DR-NTU
language English
topic Smartphone
Mobile
Confidentiality
Apps
Accreditation
NHS
Privacy
Cross-sectional study
Systematic assessment
spellingShingle Smartphone
Mobile
Confidentiality
Apps
Accreditation
NHS
Privacy
Cross-sectional study
Systematic assessment
Huckvale, Kit
Prieto, José Tomás
Tilney, Myra
Benghozi, Pierre-Jean
Car, Josip
Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
description Poor information privacy practices have been identified in health apps. Medical app accreditation programs offer a mechanism for assuring the quality of apps; however, little is known about their ability to control information privacy risks. We aimed to assess the extent to which already-certified apps complied with data protection principles mandated by the largest national accreditation program. Methods: Cross-sectional, systematic, 6-month assessment of 79 apps certified as clinically safe and trustworthy by the UK NHS Health Apps Library. Protocol-based testing was used to characterize personal information collection, local-device storage and information transmission. Observed information handling practices were compared against privacy policy commitments. Results: The study revealed that 89% (n=70/79) of apps transmitted information to online services. No app encrypted personal information stored locally. Furthermore, 66% (23/35) of apps sending identifying information over the Internet did not use encryption and 20% (7/35) did not have a privacy policy. Overall, 67% (53/79) of apps had some form of privacy policy. No app collected or transmitted information that a policy explicitly stated it would not; however, 78% (38/49) of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases. Conclusions: Systematic gaps in compliance with data protection principles in accredited health apps question whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians. 
Accreditation programs should, as a minimum, provide consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.
author2 Lee Kong Chian School of Medicine (LKCMedicine)
author_facet Lee Kong Chian School of Medicine (LKCMedicine)
Huckvale, Kit
Prieto, José Tomás
Tilney, Myra
Benghozi, Pierre-Jean
Car, Josip
format Article
author Huckvale, Kit
Prieto, José Tomás
Tilney, Myra
Benghozi, Pierre-Jean
Car, Josip
author_sort Huckvale, Kit
title Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
title_short Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
title_full Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
title_fullStr Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
title_full_unstemmed Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
title_sort unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
publishDate 2015
url https://hdl.handle.net/10356/80980
http://hdl.handle.net/10220/39032
_version_ 1725985521941872640