Risks Abound for mHealth Apps
The three major risk categories for mHealth apps are poor design, device vulnerabilities and user habits.
When it comes to an app’s design, developers may not take the appropriate steps to ensure data security at all levels, including the device, the network and the data center. A HealthGlobal study found that more than 80 percent of apps tracking COVID-19 infections leak data, and more than 70 percent of medical apps tested have at least one high-level security vulnerability.
Second, the device itself can pose a risk. Smartphones may be stolen or subject to unauthorized use.
Users represent a third type of risk: If they share passwords, or mix personal and work use, users increase security risks. Many smartphone users say they are worried about privacy, but their careless behavior often belies such concerns, resulting in a “privacy paradox.” Unfortunately, people often make poor privacy and security decisions.
Breaking Down the Anatomy of a Secure mHealth App
How can healthcare organizations build a secure mHealth app that puts security, privacy and compliance first? Start with the key factors that all mHealth apps should consider: authentication, privilege management, secure data storage and communication, compliance, and testing and installation:
- Authentication: Strong user passwords and authentication are among the most crucial security factors. Never store passwords in plaintext. Instead, salt and hash them so the stored values do not reveal the original passwords, and force users to reset forgotten passwords. Load login forms over HTTPS, and post to HTTPS. Implement multifactor authentication.
- Privilege Management: Implement the principle of least privilege, strictly assessing what permissions need to be granted to a program. If hackers eventually compromise an app, they will be limited to what the app normally does and will not be able to, for example, elevate privileges to gain access to sensitive databases.
- Secure Data Storage and Communication: Whenever possible, avoid storing sensitive data on the device or in backups. Protect sensitive information stored in files by using strong encryption, and evaluate whether something stronger than native encryption on iOS or Android is needed. Implement secure network transmission of sensitive data.
- Compliance: HIPAA is the most pertinent regulation, with clear guidelines regarding the use of confidential credentials, mandatory encryption, authentication and other factors. However, other regulations — such as the European Union’s General Data Protection Regulation, the California Consumer Privacy Act and the Children’s Online Privacy Protection Act — often come into play and may bring additional requirements. Keep in mind that if the app facilitates the diagnosis, treatment, cure or mitigation of a health problem, it may need clearance from the U.S. Food and Drug Administration as well.
- Testing and Publication: Thorough testing involves a variety of steps, but with mHealth apps, it is critical to ensure the code is free from malware and any recognized vulnerability such as those publicly disclosed as Common Vulnerabilities and Exposures. Once the app is tested, it should be available only in sanctioned app stores. The Apple App Store and Google Play Store can monitor and vet apps for security features before and after they are made available for download. This reduces the risk of a user installing a potentially harmful app.
Look to freely available sources for guidelines to ensure apps are built with security, privacy and compliance in mind. There are recommendations for general coding practices (such as code complexity and obfuscation), the use of anti-tamper mechanisms and robust transfer protocols, testing third-party libraries, and much more.