The NHS has been forced to remove several apps from their Health Apps Library after researchers determined that they did not adequately protect the user’s personal data. The study, conducted at Imperial College London, found that a large number of NHS apps failed to meet basic standards of clinical and data safety. Despite being vetted, and passed for clinical and personal use, the apps did not encrypt the user’s personal information, putting them at a greater risk for fraud and identity theft. The offending apps have since been removed from the library, but the discovery is more than a little bit embarrassing for the NHS, particularly coming so soon after Health Secretary Jeremy Hunt’s announcement that he wants to get more than a quarter of a million UK smartphone owners using apps to access NHS advice and services.
Discovering the Leak
A research team at Imperial College London looked at 79 different apps offered through the NHS library. They primarily focused on some of the more popular apps designed to help people stop smoking, lose weight, and generally improve their overall health and well-being. Over the course of six months, the team routinely fed the apps false data which they could then track to assess how the software handled the information. Of the 79 apps tested, 70 sent personal data to associated online services, with 23 failing to encrypt it in any way. Most of the data gathered and shared centered around the user’s phone and identity, but four of the apps were found to be sending both personal and medical information, again without any form of encryption whatsoever. If intercepted, that data could potentially be used for identity theft and fraud.
The Future of NHS Apps
Kit Huckvale, a PhD student and co-author of the study, says that the NHS needs to work harder on testing their apps. As he told the BBC, “The study is a signal and an opportunity to address this because the NHS would like to see strategic investment in apps to support people in the future. We will see them used more often and become much more complex over time.” Indeed, the NHS has recently launched trials of new apps aimed at sufferers of diabetes, depression and anxiety, and with Jeremy Hunt pushing for a greater investment in healthcare-related apps in the future, the problems of privacy and security take on a new importance. Many medical billing websites have confirmed that the offending apps have either been updated or removed from the library entirely, with a spokesperson adding that “a new, more thorough NHS endorsement model for apps has begun piloting this month”.
Protecting Your Privacy
While the lack of security in NHS apps is certainly disturbing, there is no indication that any users have so far had their personal or medical data compromised. Still, it points out the importance of having better security checks in place, particularly considering the highly sensitive nature of medical information. As Huckvale puts it, “We know from recent high-profile data thefts that these kinds of things can happen. There’s no reason that health apps shouldn’t be using industry standard methods to protect data.” His advice for the public is to double-check privacy policies on all apps, and when in doubt to contact the developers directly. He also suggests that users treat health apps “like a random website you’ve encountered. Just as you wouldn’t start entering your data into a website without knowing a bit about it, you shouldn’t assume that an app is secure”.
NHS England has been quick to respond to the findings of the Imperial College’s research, updating or removing any affected apps. They assure the public that moving forward all apps available through the Health Apps Library will be rigorously tested and vetted, with a renewed emphasis on protecting the public’s privacy and security. But the issues with the NHS apps should be instructive. We all tend to assume a certain level of security when using our apps, particularly when they are provided by a ‘trusted’ source. But any app’s security is only as good as the developer designing the software, and shortcuts are often taken that can put a user’s personal data at risk. If nothing else, NHS’ troubles should remind us all of the importance of researching the security of the apps we download, before we entrust them with highly sensitive data.