Study gives health app developers a lesson on e-health security

Health applications are not well protected, and the problem originates in their design. With over 100,000 health applications on the market and an industry worth billions of dollars at stake, researchers at the University of Valladolid in Spain conducted a study reviewing health app information security and made recommendations to aid developers in protecting valuable and sensitive data. According to an article from Plataforma SINC, the risks associated with lax security go beyond theft. In some cases, weak protection of data can put the life of an app user on the line.


The study, which was published in the Journal of Medical Systems, highlights the primary risk of health apps as being that “someone can hack into the personal medical information of another individual or, even worse, modify it.” It is the modification of health data that sets this risk apart from traditional concerns about electronic health records (EHR), Health Information Technology (HIT), and medical data security. The study illustrates the risk by describing a hypothetical scenario in which a third party accesses information stored by a health app and changes patient information. For example, the authors warn, a third party could delete information about a patient’s allergy to a certain medication, thereby putting the patient (the app user) at risk.

Of course, health information is also valuable and therefore always at risk of theft because of its economic worth. The Anthem Inc. security breach in February 2015 revealed the stakes of health data security, when 80 million patients had their personal health information compromised in what may have been the largest health-care-related data breach in history. The researchers caution that apps are not exempt from such a fate.

Holes in the web

The researchers suggest that part of the problem is that the professionals and patients who use health apps are not well informed about the nature of the systems they are using. Many patients operate under the misconception that data in a health app is secure, and others are uninterested in even considering the security of the information. The analysis suggests that the problem might be, in part, a legal or regulatory one. Borja Martínez, a researcher in the Telemedicine and eHealth Group at the University of Valladolid, told SINC that one solution would be international laws requiring monitoring of the growing network of health apps. The review criticizes the age of the dominant health security laws: the EU Data Protection Directive (95/46/EC) and the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), which date to 1995 and 1996, respectively.


The thesis of the University of Valladolid review is that adequate data protection can be achieved if developers analyze the types of data handled by a particular app and then build appropriate data-protection and security measures into the app to shield that information from vulnerabilities. For example, if a particular health app does not deal with patient information, then patient-related security concerns do not arise for that app developer. Part of the problem is the haste with which apps are designed and launched. The review recommends that developers consider privacy and security long before their apps hit the market.


The study includes several recommendations for developers on issues related to user access control, identity authentication, encryption, privacy policies, data transfer, data retention, communication with sensors worn on or in the body, and alerts for security lapses. The stakes are high, and regulatory agencies have taken notice. For example, in November 2014, the L.A. Times reported that Apple was in talks with the Federal Trade Commission about security issues surrounding the company’s HealthKit platform, a product that comes installed on Apple’s iPhones. As apps become more prevalent, the security issues grow with them. While there isn’t a one-size-fits-all solution, the recommendations made by the University of Valladolid’s researchers serve as a starting place for developers.