Guest post by Domingo Guerra, president & co-founder, Appthority.
Last year, 2013, was a big year for mobile applications, including medical and health-related apps. As many medical centers have sought to increase patient engagement, improve outcomes and reduce healthcare costs, digital tools, such as iPads, smartphones, online portals and text messaging in hospitals are rapidly becoming commonplace. Smart health tech has gotten serious. Patients and doctors alike use medical apps. Physicians can access symptom checkers, drug information, medical calculators and more via smartphone and tablet apps. Patients can use apps to find doctors, set appointments, order prescriptions, receive test results, track calories, measure their heart rates and even monitor chronic diseases like diabetes. Patients and doctors agree that the immediate feedback and increase in available data will change the face of medicine. But will the face of privacy change with it?
Acquiring huge amounts of personal data from individuals could enable a more personalized and data driven approach to medicine. This is a very seductive concept, based on the implicit assumption that the more healthcare providers know about the patient, from analyzing his or her data, the better (and more customized) care the patient will receive. However, personal data, now collected and collated by the user’s health gadget, will be incredibly valuable to more than just the patient and the provider. Devices, whether they’re Google Glass or fitness wristbands will need to be integrated with newly developed apps, and existing apps will need to be heavily adapted to work properly. These technology integrations can potentially open back doors that allow cybercriminals to enter and extract sensitive data.
The aggregated data gathered from a wearable wristband capable of tracking a user’s heart rate, and expiration rates along with their blood sugar level and, of course, location can offer a truly comprehensive view of a user. Yes, it’s still early in the healthcare wearables space, but it was “early” in the mobile and BYOD spaces not long ago. Just as BYOD has led to security concerns for sensitive corporate data, these new healthcare devices should be a concern for personal privacy. As users are now literally plugging themselves into the Internet, it’s important to remember that cyber attackers can gain details about daily routines, patterns, and lifestyle, as well as location. This private information, tied together in a dossier that can include a user’s location, income, health status, and other attributes such as sexual orientation, could be of interest to many other groups.
Beyond exterior threats, medical apps themselves may be the offenders when it comes to keeping data safe. A user’s phone number, device IMEI number, exact geolocation, wireless carrier and more are only as safe as an app is secure. If an app user’s data is unencrypted, the data can be intercepted. Meaning someone could intercept the information, whether it be the user’s past searches within the app, or historical medical data, meant for the user’s care provider. The number of things someone could do with this data is unnerving.
And don’t forget the advertising networks … many Android and iOS apps show risky behaviors, and this is largely driven by third-party ad networks. According to recent research from Gartner, the number of free, quality mobile applications, means that consumer expectations are biased against paying for apps. That has triggered mobile app developers to get creative when it comes to making apps they can profit from. Mobile app developers dreaming of Snapchat-like riches, may settle on ad networks as monetization models to help them maximize the revenue of their mobile apps. Unfortunately, this can leave the app user and their data, out to dry.
Appthority’s Winter 2014 App Reputation Report showed that 95 percent of the top 200 free apps (across multiple verticals) performed at least one risky behavior, such as location tracking, identifying the user or device or sharing data with advertising networks. Paying for an application doesn’t make the user any safer. More than a 25 percent of paid apps (across multiple verticals) share information with ad networks and analytics companies. Some developers resell users’ data, first by creating the code, and secondly by including a note in the End User License Agreement (EULA) that this is being done. Many users unwittingly approve their data being sold to data brokers.
The number of health-related mobile apps continues to grow – as does their use. What can be done? The lessons we’ve learned from the proliferation of mobile medical apps and the explosion of interest in mobile technology should be carefully applied as healthcare undergoes an increasing hunger for more smart gadgets, devices and apps.
The mobile medical app and wearable space is just beginning to take off, but as soon as data starts being sent to medical and insurance providers (which may offer discounts for healthy behaviors) we’ll see more government involvement and regulation. Therefore, the process of developing and manufacturing safe medical apps requires two distinct stages: Apps must be checked for risky behaviors and the public and private sector must commit to create standards and adopt them.
While Appthority offers deep visibility into risky app behaviors, there also needs to be clear regulatory standards for medical apps, to encourage more innovative app development that doesn’t leave security and privacy as an afterthought. Most importantly, this will give users and care providers the assurance of knowing which medical apps are, in fact, keeping health and privacy the top priorities.