7 Tips To Make Your Mobile Health App More Secure
By Pavel Novik, QA head of department, a1qa.
Mobile health apps have raised the healthcare industry to a new level. Now consumers have an opportunity to track their blood pressure, pulse rate, input their symptoms that will then be analyzed by the ML app on the go. Without visiting the doctor’s office, we can now monitor our health condition and even connect with the provider by sending an in-app message and getting the consultation within hours.
No doubt, mobile health apps are now being developed at a high pace, however, not without dangers. Probably the most common cause of worry is how the software products approach security and data privacy issues.
With no opportunities to seal users’ health records, can we be sure that the confidential information isn’t exposed?
7 tips to help deliver a secure mHealth app
- Collect only the needed data
The main tip is: don’t collect the data you don’t need. Collect the information with the clear purpose and regularly dispose of the data you no longer need.
- Check the legal regulations (GDPR, HIPAA, COPPA, etc.)
Check the legal regulations your app is subject to. It is important that the app is developed in compliance with security and privacy requirements defined by the GDPR that outlines the procedures of handling EU citizens data, HIPAA and COPPA (a new child-oriented edition of which will come into force in 2020) in the US. According to all this, users, for example, have a right to ask you to delete any data you’re storing or explain the reason what you need this or that piece of data for.
- Make sure users’ data is not shared with any third parties
Ascertain that you don’t share the data of your users with any third parties, e.g. social media companies or advertising agencies. Enhancing user experience and monetization are the natural goals of any app developer but be careful with this. Recently a number of mHealth apps have been accused of sharing user records with Facebook. You don’t want to be among them, right?
- Send push notification without confidential data
If you send push notifications, ensure they don’t include confidential health data.
- Protect the app code
Different vulnerabilities may exist in the source code and may be caused by the developers’ error or lack of code testing. What can be done about this? Protect the code with encryption and run constant code scanning.
- Run security and penetration testing
Proper mobile app security and pentesting will include the following stages.
- Preparation – the testing team gets information about the software product and possible events that may lead to its successful exploitation as well as prepares test documentation.
- Evaluation – the QA specialists evaluate the current security level of the app and recognize the potential vulnerabilities.
- Exploitation – security test engineers act as hackers trying to make use of the discovered bottlenecks.
- Reporting – the team presents the results to the stakeholders and gives recommendations on how the security level may be improved.
Don’t forget about performance and UX!