Health and fitness apps have changed the way we exercise, eat, and even sleep. Hundreds of thousands of these diverse apps exist — more than 165,000 at last count.
While these apps are serious about counting our calories, and tracking our sleep cycles, very few of them take security as seriously as they should. An incredible 90% of mobile health apps have seriously risky security vulnerabilities. Given the wealth of valuable health and personal information these apps can contain, this is troubling — the app that’s smart enough to count users’ steps, or remind them to take their blood pressure meds, may be leaving these users (and their personal information) vulnerable to hackers.
If that wasn’t enough, a study from the Future of Privacy Forum found that only 60% of health and fitness apps had privacy policies; compared to 76% of general apps.
What implications does this have for those of us developing health and fitness apps for a loyal and trusting user base? Are we putting consumers in danger if they use our apps to keep a food log or monitor their REM sleep cycles? How can we keep our customers’ information safe and private, while still offering top-notch digital tools for their fitness and wellbeing?
The Risks of Using Health and Fitness Apps
To illustrate the risks an end user may face in utilizing health and fitness apps, consider the example of Glow.
Glow is a period and fertility tracker app. Like many health apps, it asks users for sensitive personal information — including details of their menstrual cycle, and information about weight, medications, history of abortions, and more.
When Consumer Reports tested the app’s security and privacy features, it found a number of vulnerabilities. Some of these vulnerabilities provided openings for hackers to access passwords and email addresses, and one particular flaw that could have allowed “someone with no hacking skills at all” to retrieve a user’s personal information. Imagine the implications for stalkers, online bullies, or even identity thieves to use this information to harm Glow users.
Glow has since fixed the security issues, and didn’t find any evidence to suggest the app had been compromised (thankfully). It stands as a cautionary tale, highlighting the security and privacy issues posed by many health and fitness apps that ask for personal details of users’ lives. Imagine if one person — just one — had fallen victim to identity theft because of Glow’s security oversight. It only takes one vulnerability, one hacker, and one unfortunate user’s information compromised for your app to quickly lose consumer trust and credibility.
Security Issues
Glow is far from the only app to have vulnerabilities — in fact, these types of security flaws are more the norm than the exception. Incredibly, more than 80% of health apps are vulnerable to at least two of the top 10 mobile risks. This includes apps approved by the US Food & Drug Administration (FDA).
To end users, it may seem shocking that so many apps dedicated to user wellbeing are lacking in personal security. But for the developers building these apps, the fact that half of all companies have no budget for mobile app security comes as no surprise. Developers have long been dealing with the pressures of producing a functional product on a deadline, without adequate time or budget dedicated to making it secure. It gets worse when taking into account that nearly 12 million mobile devices are infected with malicious code at any given moment.
When Veracode surveyed 200 healthcare IT executives, they said their top fear related to a security breach was the potential for loss of life. Depending on the health app and the nature of the cyberattack, this is not a totally unreasonable concern.
Privacy Issues
Surprisingly, paid health apps are often worse than free apps at offering privacy policies, according to the Future of Privacy Forum. Their researchers found only 66% of sleep-tracking apps had privacy policies. Period and fertility trackers were better, with 80% offering privacy policies. However, even when apps had privacy policies, they did not always link to them in the app store. This makes it difficult for users to even find their privacy policies, much less read and understand them.
The absence of a privacy policy should be a red flag to both users and developers — without one, you indicate to your consumers that there are no restrictions on how your company will use their data, and no guarantee that it will be kept private. Many health apps sell their data, usually to marketers — a huge turn-off for most consumers.
More and more users are learning that even a classic “we won’t sell your information” clause in an app’s privacy policy is no guarantee of privacy. Transferring information between partners, trading assets, and other actions aren’t always considered “selling.”
If that wasn’t enough, there are concerns that health insurance companies can get their hands on app data, and adjust premiums accordingly. A 2013 study found top fitness apps, including WebMD and iPeriod, transmitted information to as many as 70 different third-party companies. Not every app anonymized the information, and the study concluded there was a chance this data could find its way to pharmaceutical and insurance companies. Yikes.
How HIPAA Does — And Doesn’t — Protect Our Personal Information
Healthcare providers are governed by the Health Insurance Portability and Accountability Act (HIPAA), which provides data privacy and security provisions for safeguarding medical information. This means the information a person gives to his doctor and healthcare insurer is highly secure and private.
For apps, this is not always the case. It’s often unclear which apps are covered under HIPAA and which are not — but, most are not. Because app developers and marketers aren’t necessarily covered by HIPAA, few of them have stringent safeguards in place to keep personal information secure and private.
In the U.S., regulators are trying to keep up with the new world of mobile health. In 2013, a new HIPAA rule expanded the rights of individuals when it came to electronic health records (this policy does not affect app developers outside of the U.S.). This is a step in the right direction, but it doesn’t go far enough in protecting users of unsecured health and fitness apps. More regulation and precaution is needed from app developers themselves. When you produce and sell an app that collects personal data, you hold your users’ safety in your hands; and they trust you to protect that data. Developers have a responsibility to their consumers to take appropriate steps to make their apps secure.
Users will increasingly seek out apps that are HIPAA-compliant and have clear privacy policies on the use of personal data. As a group, consumers have enormous power to show app developers that they aren’t willing to fully engage with apps lacking privacy policies; and to show our government that HIPAA compliance matters in our mobile apps just as much as it matters in our doctor’s offices.
In terms of security, app developers would be wise to:
- Stay informed about the risks of developing apps that lack in security
- Assume responsibility for the privacy of the personal data that users submit to the app
- Follow the rules outlined in HIPAA if the app is associated with users’ health
Few people are likely to stop using their health and fitness apps anytime soon (what do you expect me to do, tally my daily steps on paper?). But as users become more informed of the risks of using these apps, developers lacking appropriate security and privacy will take a hit — both to their profits and consumer loyalty. If app developers are more informed about the risks to their users, they can focus efforts on making apps safer and more secure — and show their users that they don’t take this responsibility lightly.
Xuyen BowlesWith 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego, CA. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security protection from penetration testing, consultancy, training to advance threat detection. "It's not a matter of if, it's a matter of when." Ms. Bowles finds great gratification in helping companies ensure they are safe from data breach.
