Monday, 28 September 2015

UK National Health Service accredited apps leak medical data

A number of UK National Health Service (NHS) accredited smartphone health apps do not properly secure customer data and have poor information privacy practices, according to researchers at Imperial College London, who checked 79 of the 230-plus apps available in NHS England's Health Apps Library.

Apps in the library are supposed to comply with data protection legislation and undergo tests to ensure they meet standards of clinical and data safety. But despite this vetting, the researchers found that many of the apps were not up to the required standard: some ignored privacy standards, and nearly a third (29 per cent) sent the data, which included both personal and health data, without any encryption at all. The majority also sent personal data to an associated third-party online service.

"If we were talking about health apps generally in the consumer space, then what we found would not be surprising," said Kit Huckvale, a PhD student at Imperial College London, who co-wrote the study, suggesting that the NHS vetting procedures should conform to a higher standard.

The study sent bogus user data to all 79 apps and looked into how this was handled, eventually exposing those with poor security. Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases. The NHS has since claimed that it has removed the vulnerable apps, or has contacted the developers to insist that they be updated.
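As an added illustration of the study's method (this is not the researchers' or the NHS's code), the check below seeds constructed canary values as the bogus user data, then classifies each captured request as a plaintext leak, a third-party leak, or clean. The first-party domain, the canary values and the traffic records are all assumptions constructed for the example.

```python
"""Check modelled on the study's method: seed an app with bogus (canary)
personal and health data, capture what it transmits, and flag requests that
carry a canary value in plaintext or to a third-party host. All values below
are constructed for this example."""
from collections import namedtuple
from urllib.parse import urlparse

# Bogus user data seeded into the app under test (constructed values).
IDENTITY_CANARY = {"name": "Canary Tester", "dob": "1970-01-01"}
HEALTH_CANARY = {"condition": "asthma", "medication": "salbutamol"}
# Domain the app's own developer operates (assumption for the example).
FIRST_PARTY = "app-vendor.example"

# url: destination (scheme shows whether TLS was used); body: payload as
# observed by the test harness (an intercepting proxy in a real assessment).
Request = namedtuple("Request", "url body")

def _leaked(body, canary):
    return sorted(k for k, v in canary.items() if v in body)

def classify(req, first_party=FIRST_PARTY):
    """Return (leaked fields by category, issues) for one captured request."""
    parts = urlparse(req.url)
    host = parts.hostname or ""
    leaked = {"identity": _leaked(req.body, IDENTITY_CANARY),
              "health": _leaked(req.body, HEALTH_CANARY)}
    issues = []
    if any(leaked.values()):
        if parts.scheme != "https":
            issues.append("plaintext")
        if host != first_party and not host.endswith("." + first_party):
            issues.append("third-party")
    return leaked, issues

def audit(requests):
    """Map each offending URL to what it leaked and why it was flagged."""
    report = {}
    for req in requests:
        leaked, issues = classify(req)
        if issues:
            report[req.url] = {"fields": leaked, "issues": issues}
    return report

# Constructed capture: encrypted first-party sync (clean), same sync over HTTP,
# and a third-party analytics beacon carrying the date of birth.
SAMPLE = [
    Request("https://api.app-vendor.example/sync", '{"name":"Canary Tester","condition":"asthma"}'),
    Request("http://api.app-vendor.example/sync", '{"name":"Canary Tester","condition":"asthma"}'),
    Request("https://analytics.example/track", "dob=1970-01-01&screen=home"),
]
```

Running `audit(SAMPLE)` flags the HTTP sync as a plaintext leak of both identity and health fields and the analytics beacon as a third-party leak of the date of birth, while the encrypted first-party sync is left alone.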

But the findings are not surprising. After all, in June, NHS England was put under scrutiny for its review criteria for the Health Apps Library. The criteria were designed to provide a framework to assess those apps for suitability before they're published for the public to download - but they had been labelled weak, and furthermore it seemed as if some of the apps failed to meet even that low standard.

At the time, Phil Booth, co-ordinator at the health privacy campaign group medConfidential, described the review criteria as "very weak", and added that his organisation had given feedback to NHS England on how some of the apps could be improved, but that the advice appeared to have been ignored. For example, the five-step approval process is heavily focused on ensuring that the information the app supplies comes from an approved source, and there appears to be little or no assessment of the app's suitability to handle or transmit data securely.

"Unfortunately, not all of the apps currently in the library even meet the criteria they supposedly should. And, despite having provided detailed and specific feedback on a number of these apps using the provided feedback forms on the relevant web pages SIX weeks ago, we have had no response - and nothing appears to have changed on the site." At the time, however, a spokesperson from NHS England went directly into denial mode and claimed that the newly published report was out of date and that NHS Choices had improved slightly since it was written. Well, that’s okay then, except for the fact that nothing whatsoever has been fixed.

The findings of the Imperial College London study suggest that NHS England failed to take notice of medConfidential's advice, and the Health Apps Library could well become another major IT project failure for the NHS. It appears the NHS is taking a purely reactive stance to ensuring the library contains secure apps, rather than the eminently more sensible (considering what’s at stake) proactive approach, and this may well lead to personal and health data getting into the hands of criminals.

The NHS is just one among many organisations that need to get up to speed with the criminal reality of today's cyber world.