News Release

Information handling by some health apps not as secure as it should be

Peer-Reviewed Publication

BMC (BioMed Central)

Some health apps that have been clinically accredited may not have been complying with principles of data protection, according to research published in the open access journal BMC Medicine. In some instances health apps were found to be sending unencrypted personal and health information, which means users of these apps may have had their privacy put at risk.

Use of smartphone health apps is now at an all-time high. It is currently estimated that one and a half billion smartphone users have a health app installed and this number is set to treble in the next three years. One quarter of US adults have reported using one or more health apps and a third of physicians have recommended an app to a patient.

As a way of reassuring users about the quality and safety of health apps, several app accreditation programs have been launched. One such program is the UK's NHS Health Apps Library, which is a curated list of apps for patient and public use. Registered apps undergo an appraisal process that examines clinical safety and compliance with data protection law. To be listed in the Health Apps Library, developers are required to declare any data transmissions and register with the UK's Information Commissioner's Office - the body that enforces the Data Protection Act.

Lead researcher, Kit Huckvale, Imperial College London, UK, says: "Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS. The results of the study provide an opportunity for action to address these concerns, and minimize the risk of a future privacy breach. To help with this, we have already supplied our findings and data to the NHS Health Apps Library."

The researchers from Imperial College London, UK, and Ecole Polytechnique CNRS, France, reviewed 79 apps that were listed on the UK NHS Health Apps Library in July 2013 and are available on Android and iOS platforms. The apps covered health areas such as weight loss, alcohol harm reduction, smoking cessation and long-term condition self-care.

The apps were assessed over a six-month period by inputting simulated information, tracking the handling of this information, and looking at how this agreed with any associated privacy policies. Of the apps reviewed, it was found that 70 of the apps transmitted information to online services and 23 of those sent identifying information over the internet without encryption. Of the 38 apps that had a privacy policy and transmitted information, the privacy policy did not state what personal information would be included in the transmissions. Four apps were found to be sending both identifying and health information without encryption.

Kit Huckvale says: "It is known that apps available through general marketplaces had poor and variable privacy practices, for example, failing to disclose personal data collected and sent to a third party. However, it was assumed that accredited apps - those that had been badged as trustworthy by organizational programs such as the UK's NHS Health Apps Library - would be free of such issues."

Paul Wicks from PatientsLikeMe - a health information sharing website for patients - has written an accompanying commentary, and says: "A proper balance must be struck between innovation and caution, patient safety must be paramount. The potential for benefit remains vast and the degree of innovation is inspiring - but it turns out we are much earlier in the maturation phase of medical apps than many of us would have liked to believe. To build the future we want, in which patients can trust their medical apps, we need to verify that they function as intended."

###

Media Contact
Shane Canning
Senior Press Manager
BioMed Central
T: +44 (0)20 3192 2243
M: +44 (0) 78 2598 4543
E: Shane.Canning@biomedcentral.com

Notes to editor:

1. Research article

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment
Kit Huckvale, José Tomás Prieto, Myra Tilney, Pierre-Jean Benghozi and Josip Car
BMC Medicine 2015

For a copy of the article during the embargo period contact Shane Canning (shane.canning@biomedcentral.com)

After embargo, article available at journal website here: http://dx.doi.org/10.1186/s12916-015-0444-y

Commentary
'Trust but verify' - Five approaches to ensure safe medical apps
Paul Wicks and Emil Chiauzzi
BMC Medicine 2015

After embargo, article available at journal website here: http://dx.doi.org/10.1186/s12916-015-0451-z

Please name the journal in any story you write. If you are writing for the web, please link to the article. All articles are available free of charge, according to BioMed Central's open access policy.

2. BMC Medicine is the flagship medical journal of the BMC series, publishing original research, commentaries and reviews that are either of significant interest to all areas of medicine and clinical practice, or provide key translational or clinical advances in a specific field.

3. BioMed Central is an STM (Science, Technology and Medicine) publisher which has pioneered the open access publishing model. All peer-reviewed research articles published by BioMed Central are made immediately and freely accessible online, and are licensed to allow redistribution and reuse. BioMed Central is part of Springer Science+Business Media, a leading global publisher in the STM sector. http://www.biomedcentral.com

