Given the unhealthy data-collection habits of some mHealth apps, you're well advised to exercise caution when choosing with whom you share some of your most sensitive data.
In today's digital economy, there's an app for just about everything. One area that's booming more than most is healthcare. From period and fertility trackers to mental health and mindfulness, there are mobile health (mHealth) applications available to help with almost any condition. In fact, it's a market already experiencing double-digit growth and is set to be worth an estimated $861 billion by 2030.
But when using these apps, you could be sharing some of the most sensitive data you possess. In fact, the GDPR classifies medical information as "special category" data, meaning it could "create significant risks to the individual's fundamental rights and freedoms" if disclosed. That's why regulators mandate organizations provide extra protections for it.
Unfortunately, not all app developers have the best interests of their users in mind or always know how to protect them. They may skimp on data protection measures, or they may not always make it clear as to how much of your personal information they share with third parties. With that in mind, let's take a look at the main privacy and security risks of using these apps and how you can stay safe.
What are the top health app privacy and security risks?
The main risks of using mHealth apps fall into three categories: insufficient data security, excessive data sharing, and poorly worded or deliberately evasive privacy policies.
1. Data security concerns
These often stem from developers failing to follow best practice rules on cybersecurity. They could include:
Apps that are no longer supported or don't receive updates: Vendors may not have a vulnerability disclosure/management program in place, or take little interest in updating their products. Whatever the reason, if software doesn't receive updates, it means it may be riddled with vulnerabilities which attackers can exploit to steal your data.
Insecure protocols: Apps that use insecure communications protocols may expose users to the risk of hackers intercepting their data in transit from the app to the provider's back-end or cloud servers, where it's processed.
No multi-factor authentication (MFA): Most reputable services today offer MFA as a way to bolster security at the log-in stage. Without it, hackers could obtain your password via phishing or a separate breach (if you reuse passwords across different apps) and log in as if they were you.
Poor password management: For example, apps that allow users to keep factory default passwords, or set insecure credentials such as "passw0rd" or "111111." This leaves the user exposed to credential stuffing and other brute force attempts to crack their accounts.
Enterprise security: App companies may also have limited security controls and processes in place in their own data storage environment. This could include poor user awareness training, limited anti-malware and endpoint/network detection, no data encryption, limited access controls, and no vulnerability management or incident response processes in place. These all increase the chances they could suffer a data breach.
2. Excessive data sharing
Users' health information (PHI) may include highly sensitive details about sexually transmitted diseases, substance addition or other stigmatised conditions. These may be sold or shared to third parties, including advertisers for marketing and targeted ads. Among the examples noted by Mozilla are mHealth providers that:
combine information on users with data bought from data brokers, social media sites and other providers to build more complete identity profiles,
do not allow users to request deletion of specific data,
use inferences made about users when they take sign-up questionnaires which ask revealing questions about sexual orientation, depression, gender identity and more,
allow third-party session cookies whi...