Welcome to the Wild West That No One Talks About
Security and privacy go hand in hand; it would be almost impossible to find anything with major privacy concerns that is secure, and vice versa. Healthcare, in theory, should be the best of both worlds: private and secure. "Should" is the key word. Healthcare mobile applications are basically the wild west, where anything goes. For example, if someone steals your private information from a healthcare provider, it's a security breach. If you type something into a health application and it's sold, then it's just business.
Not A HIPAA Problem
If you think the Health Insurance Portability and Accountability Act (HIPAA) covers your information, then you're most likely wrong. Whether HIPAA applies depends on whether the application falls under a covered entity, such as a physician, hospital, or health plan, and whether it will include any protected health information: individually identifiable information about health, health care services, or payment for health care services. The rest of the information is fair game. Even if your information is included under HIPAA, there are millions of healthcare applications, so tight regulations and investigations are most likely out of the question.
Security Optional
Now, let's get into actual security. If you are typing something into a health application, you assume that it is safe. Unfortunately, you are probably wrong. According to a recent report by Arxan, which included 126 apps in its research, 90% of the most popular health and financial applications contain major flaws that could send your information straight to criminals, or even force critical health apps to malfunction. In a world where health records sell for ten times more than credit card numbers, you can bet that your information is a hot commodity. Unsurprisingly, even health apps approved by the US Food and Drug Administration were among the vulnerable, so counting on the government to keep your information safe is not the best bet.
Some companies, such as Apple, have taken proactive steps to protect consumers. In 2014, Apple changed its privacy policy to stop apps on the HealthKit platform from selling data to marketers and brokers. Applications not included on the HealthKit platform are not part of the agreement, meaning your information is up for grabs.
Worst Offenders
In 2014, researchers from the Massachusetts Institute of Technology (MIT), Harvard, and Carnegie Mellon put together a list of the apps that share user information with third-party websites. Researchers tested more than 100 free apps, divided equally between Android and iOS platforms, to determine which ones share the most information.
On Android devices, researchers found that health and fitness applications share the most sensitive information. Map My Walk, MyFitnessPal, and Drugs.com sent sensitive information to four or more third-party domains.
On iOS devices, Urgent Care, Walgreens, Map My Run, and Nike+ Running sent sensitive information to four or more third-party domains.
What Now?
The wild west of health applications is just part of a bigger cybersecurity problem. There are not enough regulations and too much money to be made to expect any big changes in the near future. The best thing for a consumer to remember is that applications are not free: you pay with either cash or data.