As part of a research project to improve mobile health security, industry experts have found that a majority of the top-rated mHealth apps are not encrypting health information.
In an investigation conducted by the Trustworthy Health and Wellness (THaW) project, sponsored by the National Science Foundation (NSF), researchers found that out of 22 randomly selected top mHealth apps, nearly 63 percent of them send unencrypted health data to various third-party storage services, such as the cloud. Additionally, nearly 81 percent of those apps used third-party cloud storage.
This project is just one piece of THaW’s research. The project recently came together through $10 million in NSF funding over a 5-year grant period, according to an NSF statement. The overall goal of this project is to investigate security issues in mobile health, including mHealth apps, healthcare devices, and wearable devices.
"Mobile medical applications offer tremendous opportunities to improve quality and access to care, reduce costs and improve individual wellness and public health," said research team leader David Kotz, who is also a computer science professor at Dartmouth College.
"However, these new technologies, whether in the form of software for smartphones or specialized devices to be worn, carried or applied as needed, may also pose risks if they are not designed or configured with security and privacy in mind."
THaW will conduct its research by consulting with various tech industry experts, including those in computer science, business, behavioral health, health policy, and health IT. These experts hail from Dartmouth College, Johns Hopkins University, the University of Illinois Urbana-Champaign, the University of Michigan, and Vanderbilt University.
The research team is thus far finding that many of the mHealth app security concerns will be challenging to resolve. The reasons for this are twofold. First, the storage of health information on mobile apps is typically outside of HIPAA regulations. Therefore, there are no government mandates requiring mHealth app developers to take certain security measures.
Second, to fix these security lapses, health IT security professionals and app developers will need to work together on a solution that preserves the effectiveness of the app while still providing adequate data security.
"These issues need attention and are not easily fixable because they require extra effort and security expertise from developers and computational capabilities from platforms," the research team explained. "Steps should be made to encourage mHealth app vendors to assure encrypted network links for communications and the use of third-party storage only when adequate security and privacy guarantees are obtained."
The research team has also looked into healthcare technology security at the healthcare facility level. For example, physician workstations may be vulnerable to security lapses.
The THaW researchers found that although workstations are convenient because they allow physicians to enter notes without returning to their offices, they are also cumbersome: physicians need to enter and re-enter their login credentials and remember to log out regularly.
Because this task tends to be repetitive and arduous, many physicians neglect to log out. To alleviate this problem, the THaW research team is looking into other login credentials that may be easier and more user-friendly.
For example, one graduate student on the research team, Shrirang Mare, developed a mechanism for smartwatches or fitness bands to detect wrist movements which would indicate whether a user was logged in or finished with his or her work.
"The smartwatch monitors the continued presence of a user on a terminal when the user is interacting with it and can detect if someone else starts using the terminal," Mare says. "This allows the system to secure the user's session by logging out the user when they are not near the machine or when someone else tries to use terminal."
Other solutions include mouse actions or key tapping, which are quick and easy methods for logging in and out of systems.
Both this project and the one regarding mHealth apps are part of THaW’s larger mission to create a wider breadth of research on mobile health security. Members of the research team note that although health IT holds many positive solutions for healthcare delivery, there is inadequate research to help developers create safe products that facilitate security.
"THaW research is identifying gaps in security and providing practical security solutions," Kotz says. "We are developing novel methods for security and privacy, so we can help usher in an era of effective and secure mHealth solutions."