A number of UK National Health Service (NHS) accredited smartphone
health apps do not properly secure customer data and have poor information
privacy practices, according to researchers at Imperial College London, who
checked 79 of the 230-plus apps available in NHS England's Health Apps Library.
Apps in the library are supposed to be
compliant with data protection legislation and undergo tests to ensure they
meet standards of clinical and data safety. But despite this vetting, the
researchers found that many of the apps weren't up to the required standard with
some ignoring privacy standards, and nearly a third (29 per cent) sending the
data, which included both personal and health data, without any encryption at
all. The majority also sent personal data to an associated third-party online
service.
"If we were talking about health apps generally in the consumer space,
then what we found would not be surprising," said Kit Huckvale, a PhD
student at Imperial College London, who co-wrote the study, suggesting that the
NHS vetting procedures should conform to a higher standard.
The study sent bogus user data to each of the 79 apps and looked at how it
was handled, exposing those with poor security. Four apps sent both identifying and health
information without encryption. Although the study was not designed to examine
data handling after transmission to online services, security problems appeared
to place users at risk of data theft in two cases. The NHS has since claimed
that it has removed the vulnerable apps, or has contacted the
developers to insist they be updated.
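The study's approach of planting bogus data and watching how it is transmitted can be reproduced as a simple check. The following is an added example, not code from the study or this page: it scans a constructed capture of an app's HTTP requests for planted canary values and flags those sent in cleartext, in a URL (where they end up in logs), or to a host outside the app's own domain. All hosts, canary values and the request format are constructed for the example.

```python
import base64
from urllib.parse import quote, urlparse

# Constructed canary values: distinctive fake personal and health data planted in
# a test account, so any appearance of them in captured traffic is unambiguous.
CANARIES = {
    "name": "Zeldric Quantock",
    "email": "zq.canary.7731@example.invalid",
    "condition": "Diagnosis code CANARY-Q9X",
}

def canary_fields_in(text):
    """Return the canary fields present in text, as plain, URL-encoded or base64."""
    found = set()
    for field, value in CANARIES.items():
        b64 = base64.b64encode(value.encode()).decode()
        if value in text or quote(value) in text or b64 in text:
            found.add(field)
    return found

def audit_requests(requests, first_party):
    """Flag requests carrying canary data over cleartext HTTP, in the URL, or to a
    host outside the app's own domain. Each request is a dict with 'url' and 'body'."""
    findings = []
    for req in requests:
        url = urlparse(req["url"])
        in_query = canary_fields_in(url.query)
        fields = in_query | canary_fields_in(req.get("body", ""))
        if not fields:
            continue  # no planted data in this request, nothing to assess
        host = url.hostname or ""
        issues = []
        if url.scheme != "https":
            issues.append("cleartext")
        if in_query:
            issues.append("in-url")
        if host != first_party and not host.endswith("." + first_party):
            issues.append("third-party")
        if issues:
            findings.append({"url": req["url"], "issues": issues, "fields": sorted(fields)})
    return findings

# Constructed sample capture standing in for a proxy log of one app session.
SAMPLE_REQUESTS = [
    {"url": "http://api.healthapp.example/sync", "body": '{"email": "%s"}' % CANARIES["email"]},
    {"url": "https://analytics.tracker.example/t?uid=" + base64.b64encode(CANARIES["email"].encode()).decode(), "body": ""},
    {"url": "https://api.healthapp.example/record", "body": '{"note": "%s"}' % CANARIES["condition"]},
    {"url": "https://api.healthapp.example/login?user=" + quote(CANARIES["name"]), "body": ""},
]
```

Running `audit_requests(SAMPLE_REQUESTS, "healthapp.example")` reports the cleartext sync, the base64-encoded email sent to the tracker, and the name placed in the login URL, while the encrypted first-party record is left alone.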
But the findings are not surprising. After all, in June, NHS England was put under scrutiny for its review
criteria for the Health Apps Library. The criteria were
designed to provide a framework for assessing apps' suitability before
they are published for the public to download - but they had been labelled weak,
and it seemed as if some of the apps failed to meet even that low standard.
At the time, Phil Booth, co-ordinator at health privacy campaign group
medConfidential, described the review criteria as "very weak", and
added that his organisation had given feedback to NHS England on how some of
the apps could be improved, but that the advice appeared to have been ignored. For example, the five-step approval process
is heavily focused on ensuring the information the app supplies is from an
approved source, and there appears to be little or no assessment of an app's
suitability to handle or transmit data securely.
"Unfortunately, not all of the apps currently in the library even
meet the criteria they supposedly should. And, despite having provided detailed
and specific feedback on a number of these apps using the provided feedback
forms on the relevant web pages SIX weeks ago, we have had no response - and
nothing appears to have changed on the site." At that time, however, a spokesperson from NHS
England went directly into denial mode and claimed that the newly published
report was out of date and that NHS Choices had improved slightly since it was
written. Well, that's okay then, except for the fact that nothing whatsoever has been
fixed.
The findings of the Imperial College London study suggest that NHS
England failed to take notice of medConfidential's advice. It is likely that the Health Apps
Library could become another major IT project failure for the NHS. It appears the NHS
is taking a purely reactive stance to ensuring the library contains secure
apps, rather than the eminently more sensible (considering what's at stake) proactive
approach, and this may well lead to personal and health data getting into the
hands of criminals.
The NHS is just one among many organisations that need to get up to speed
with the criminal reality that is today's cyber world.