A large number of mobile applications approved by the NHS have been found to leak data about their users, with some completely failing to encrypt patient information sent over the internet, an Imperial College study has found.
The study looked into the adequacy of data protection of software listed in the NHS Health Apps Library.
Launched in March 2013, the Library presents a curated list of apps patients and the public can use. Apps are intended to be suitable for professional recommendation to patients but are also available for general use without clinical support.
Failure to encrypt data
The study was carried out over a six month period, during which time 79 apps certified as “clinically safe” and “trustworthy” by the UK NHS Health Apps Library were assessed.
Out of those 79 applications, 89 per cent (70/79) relayed information to online services. None of those 70 apps encrypted the data stored locally.
Four apps sent both identifying and health information without encryption.
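The two transport findings above (information relayed to online services, and identifying plus health data sent in cleartext) are the kind of thing a reviewer checks by recording an app's requests through an intercepting proxy and classifying each one. The script below is an added example, not code from the study or from Imperial College: it takes a constructed list of captured requests (method, URL, form body), treats the URL scheme as the transport check, and grades each request by whether identifying or health fields travel unencrypted. The field-name lists, the `example-health.test` hostnames and the severity labels are assumptions for the example.

```python
"""Grade captured app-to-server requests by whether identifying or health
data is sent without transport encryption (added example; constructed input)."""
from urllib.parse import urlsplit, parse_qs

# Parameter names treated as identifying / health data. Assumed lists for the example.
IDENTIFYING_FIELDS = {"name", "email", "dob", "nhs_number", "postcode"}
HEALTH_FIELDS = {"diagnosis", "medication", "symptom", "blood_pressure", "glucose"}

# Constructed sample of requests as a reviewer might record them from an
# intercepting proxy: (method, url, form-encoded body).
SAMPLE_REQUESTS = [
    ("POST", "http://api.example-health.test/sync",
     "name=A+Patient&dob=1980-01-01&diagnosis=asthma"),
    ("GET", "http://api.example-health.test/tips?postcode=SW7+2AZ", ""),
    ("POST", "https://api.example-health.test/sync",
     "email=a%40example.test&medication=salbutamol"),
    ("GET", "https://cdn.example-health.test/banner.png", ""),
]


def fields_in_request(url, body):
    """Collect parameter names from the query string and a form-encoded body."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if body:
        names |= set(parse_qs(body, keep_blank_values=True))
    return names


def classify_request(method, url, body):
    """Return a finding: transport state, data classes present, and a severity."""
    encrypted = urlsplit(url).scheme.lower() == "https"
    names = fields_in_request(url, body)
    has_id = bool(names & IDENTIFYING_FIELDS)
    has_health = bool(names & HEALTH_FIELDS)
    if encrypted:
        severity = "info"
    elif has_id and has_health:
        severity = "critical"  # identity and health data together in cleartext
    elif has_id or has_health:
        severity = "high"
    else:
        severity = "low"       # cleartext, but no sensitive field observed
    return {"method": method, "url": url, "encrypted": encrypted,
            "identifying": has_id, "health": has_health, "severity": severity}


def audit(requests):
    """Classify every captured request."""
    return [classify_request(*r) for r in requests]


def summarize(findings):
    """Tally findings per severity, the way a report would count them."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit(SAMPLE_REQUESTS)
    for f in findings:
        print(f"{f['severity']:8} {f['method']} {f['url']} "
              f"identifying={f['identifying']} health={f['health']}")
    print(summarize(findings))
```

The scheme check is deliberately narrow: an `https://` URL says nothing about whether the app validates the server certificate, and nothing at all about the study's separate finding that data stored locally on the device was unencrypted, so both of those need their own checks.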
‘Systematic gaps in compliance’
The report said there were “systematic gaps in compliance with data protection principles in accredited health apps” which lead to a bigger question of “whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians”.
Two apps that used cloud technology had privacy vulnerabilities classified as ‘critical’. The report warns that such design flaws could be intentionally exploited to extract information about the users.
“As long as these vulnerabilities persist, the privacy of users is in jeopardy,” the report warned.