Mobile Health Information: Secure or a Joke?

Posted by Joshua Marpet

Android and iOS offer medical apps that can collect a user's health information and store it on his mobile device. But between the threat of malware and sharing user data across apps, is that information secure?

Health Information Direct to Your Phone

There are mobile health apps that can record your heart rhythm, much like a single-lead ECG. These apps can interface with exercise gear, such as the chest-strap heart monitors that joggers frequently wear, and even with the insulin pumps and glucose meters that diabetics use. But serious questions remain: Do these apps need to be HIPAA compliant? Do their privacy policies allow them to share the information with "Big Pharma" companies? Can anyone with a modicum of technical skill steal health information off a smartphone? And does the convenience of voluntarily carrying around an on-demand EKG outweigh the informational risks?

Some hackers can unlock a car door or even stop an insulin pump or pacemaker by using wireless hacking techniques. There are several medical technologies that can potentially be abused, with devastating effects on patients. But hacking is not the only attack vector. What if an Android app includes malware which looks for medical data in other applications? What if the app's permissions—which most people click through without even reading—allow the app to collect medical data already stored by other apps on the device? Do things change if one of those apps is from an insurance company? It may seem convenient to store a copy of your insurance card, but that app may be able to collect medical data from your insulin pump app and your heart monitor app. Access to the data from those two other apps could also be useful to the insurance company, which could use it to determine your premiums and to check payment levels.

If an app accesses health information, it creates the possibility of informational breaches that can put people's health at risk. It is a good idea for health app developers to conduct at least a simple code review in order to avoid breakage or disruption of service, even if malware is left out of the equation.
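One concrete check that such a code review can include is an audit of what an Android app declares in its manifest: which permissions it requests, and whether it exposes its own stored data to every other app on the device through an exported content provider that no permission guards. The script below is an added example written for this post, not code from the author or from any app mentioned here; the manifest it parses is constructed for a hypothetical "insurance card" app, and the watch-list of sensitive permissions is an assumption chosen for illustration (the permission names themselves are real Android ones).

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed watch-list (an assumption for this example): permissions that
# let an app reach health or personal data held elsewhere on the device.
SENSITIVE_PERMISSIONS = {
    "android.permission.BODY_SENSORS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest for a hypothetical insurance-card app. It
# requests body-sensor and storage access, and it exports one provider
# with no guarding permission and one that is properly protected.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.insurancecard">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BODY_SENSORS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application>
        <provider android:name=".HealthRecordProvider"
            android:authorities="com.example.insurancecard.records"
            android:exported="true"/>
        <provider android:name=".CardProvider"
            android:authorities="com.example.insurancecard.card"
            android:exported="true"
            android:permission="com.example.insurancecard.READ_CARD"/>
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a list of (finding_type, subject) tuples for a manifest.

    Two classes of finding are reported:
      - "sensitive-permission": a requested permission on the watch-list
      - "unprotected-exported-provider": a content provider that is
        exported to all other apps but declares no android:permission
    """
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    exported_attr = f"{{{ANDROID_NS}}}exported"
    permission_attr = f"{{{ANDROID_NS}}}permission"
    findings = []

    # Requested permissions: flag any that appear on the watch-list.
    for elem in root.iter("uses-permission"):
        perm = elem.get(name_attr, "")
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(("sensitive-permission", perm))

    # Content providers: an exported provider with no permission attribute
    # lets any app on the device read whatever it serves. (Treating a
    # missing android:exported as "false" is a simplification for this
    # example; older API levels defaulted providers to exported.)
    for elem in root.iter("provider"):
        exported = elem.get(exported_attr, "false").lower() == "true"
        guarded = elem.get(permission_attr) is not None
        if exported and not guarded:
            findings.append(("unprotected-exported-provider", elem.get(name_attr, "")))

    return findings


if __name__ == "__main__":
    for kind, subject in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind}: {subject}")
```

Run against the constructed manifest, the audit reports the two sensitive permissions and the unguarded `.HealthRecordProvider`; the `.CardProvider`, which requires a permission, passes. A reviewer would then ask whether each flagged permission is really needed for the app's stated purpose and whether the exported provider should be restricted with a permission or made non-exported.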

Only the Beginning for Medical Apps

The medical field is pretty heavily invested in apps and interested in information about app usage, as evidenced by Apple's HealthKit framework and Microsoft's HealthVault, which has actually been out since 2007. Mobile health information is a burgeoning field, and the associated apps are getting increasingly slick and useful. They're also becoming integrated with other apps, from other developers, in personal health record frameworks. This integration renders them more useful, and they do a better job of keeping the patient engaged. But if an application can put data into a "health vault" or "health kit," it is often also allowed to use and integrate that data into the app dashboard or display.

Between the threat of malware and apps sharing user information, the security and professionalism of app development needs to be ramped up, especially as mobile health apps continue to gain popularity.
