Gioacchino Tangari,Muhammad Ikram,Kiran Ijaz,Mohamed Ali Kaafar,Shlomo Berkovsky

DOI: https://doi.org/10.1136/bmj.n1248

2021-06-16

BMJ

Abstract:Abstract Objectives To investigate whether and what user data are collected by health related mobile applications (mHealth apps), to characterise the privacy conduct of all the available mHealth apps on Google Play, and to gauge the associated risks to privacy. Design Cross sectional study Setting Health related apps developed for the Android mobile platform, available in the Google Play store in Australia and belonging to the medical and health and fitness categories. Participants Users of 20 991 mHealth apps (8074 medical and 12 917 health and fitness found in the Google Play store: in-depth analysis was done on 15 838 apps that did not require a download or subscription fee compared with 8468 baseline non-mHealth apps. Main outcome measures Primary outcomes were characterisation of the data collection operations in the apps code and of the data transmissions in the apps traffic; analysis of the primary recipients for each type of user data; presence of adverts and trackers in the app traffic; audit of the app privacy policy and compliance of the privacy conduct with the policy; and analysis of complaints in negative app reviews. Results 88.0% (n=18 472) of mHealth apps included code that could potentially collect user data. 3.9% (n=616) of apps transmitted user information in their traffic. Most data collection operations in apps code and data transmissions in apps traffic involved external service providers (third parties). The top 50 third parties were responsible for most of the data collection operations in app code and data transmissions in app traffic (68.0% (2140), collectively). 23.0% (724) of user data transmissions occurred on insecure communication protocols. 28.1% (5903) of apps provided no privacy policies, whereas 47.0% (1479) of user data transmissions complied with the privacy policy. 1.3% (3609) of user reviews raised concerns about privacy. Conclusions This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps.

Ming Fan,Le Yu,Sen Chen,Hao Zhou,Xiapu Luo,Shuyue Li,Yang Liu,Jun Liu,Ting Liu

DOI: https://doi.org/10.1109/issre5003.2020.00032

2020-01-01

Abstract:The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.

Ali Sunyaev,Tobias Dehling,Patrick L Taylor,Kenneth D Mandl

DOI: https://doi.org/10.1136/amiajnl-2013-002605

Abstract:Mobile health (mHealth) customers shopping for applications (apps) should be aware of app privacy practices so they can make informed decisions about purchase and use. We sought to assess the availability, scope, and transparency of mHealth app privacy policies on iOS and Android. Over 35,000 mHealth apps are available for iOS and Android. Of the 600 most commonly used apps, only 183 (30.5%) had privacy policies. Average policy length was 1755 (SD 1301) words with a reading grade level of 16 (SD 2.9). Two thirds (66.1%) of privacy policies did not specifically address the app itself. Our findings show that currently mHealth developers often fail to provide app privacy policies. The privacy policies that are available do not make information privacy practices transparent to users, require college-level literacy, and are often not focused on the app itself. Further research is warranted to address why privacy policies are often absent, opaque, or irrelevant, and to find a remedy.

Najd Alfawzan,Markus Christen,Giovanni Spitale,Nikola Biller-Andorno

DOI: https://doi.org/10.2196/33735

2022-05-06

Abstract:Background: Women's mobile health (mHealth) is a growing phenomenon in the mobile app global market. An increasing number of women worldwide use apps geared to female audiences (female technology). Given the often private and sensitive nature of the data collected by such apps, an ethical assessment from the perspective of data privacy, sharing, and security policies is warranted. Objective: The purpose of this scoping review and content analysis was to assess the privacy policies, data sharing, and security policies of women's mHealth apps on the current international market (the App Store on the Apple operating system [iOS] and Google Play on the Android system). Methods: We reviewed the 23 most popular women's mHealth apps on the market by focusing on publicly available apps on the App Store and Google Play. The 23 downloaded apps were assessed manually by 2 independent reviewers against a variety of user data privacy, data sharing, and security assessment criteria. Results: All 23 apps collected personal health-related data. All apps allowed behavioral tracking, and 61% (14/23) of the apps allowed location tracking. Of the 23 apps, only 16 (70%) displayed a privacy policy, 12 (52%) requested consent from users, and 1 (4%) had a pseudoconsent. In addition, 13% (3/23) of the apps collected data before obtaining consent. Most apps (20/23, 87%) shared user data with third parties, and data sharing information could not be obtained for the 13% (3/23) remaining apps. Of the 23 apps, only 13 (57%) provided users with information on data security. Conclusions: Many of the most popular women's mHealth apps on the market have poor data privacy, sharing, and security standards. Although regulations exist, such as the European Union General Data Protection Regulation, current practices do not follow them. The failure of the assessed women's mHealth apps to meet basic data privacy, sharing, and security standards is not ethically or legally acceptable.

Leonardo Horn Iwaya,M. Ali Babar,Awais Rashid,Chamila Wijayarathna

DOI: https://doi.org/10.1007/s10664-022-10236-0

2022-01-22

Abstract:An increasing number of mental health services are offered through mobile systems, a paradigm called mHealth. Although there is an unprecedented growth in the adoption of mHealth systems, partly due to the COVID-19 pandemic, concerns about data privacy risks due to security breaches are also increasing. Whilst some studies have analyzed mHealth apps from different angles, including security, there is relatively little evidence for data privacy issues that may exist in mHealth apps used for mental health services, whose recipients can be particularly vulnerable. This paper reports an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps. We analyzed 27 top-ranked mental health apps from Google Play Store. Our methodology enabled us to perform an in-depth privacy analysis of the apps, covering static and dynamic analysis, data sharing behaviour, server-side tests, privacy impact assessment requests, and privacy policy evaluation. Furthermore, we mapped the findings to the LINDDUN threat taxonomy, describing how threats manifest on the studied apps. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests. There is also a high risk of user profiling as the apps' development do not provide foolproof mechanisms against linkability, detectability and identifiability. Data sharing among third parties and advertisers in the current apps' ecosystem aggravates this situation. Based on the empirical findings of this study, we provide recommendations to be considered by different stakeholders of mHealth apps in general and apps developers in particular. [...]

Cryptography and Security,Computers and Society

Gioacchino Tangari,Muhammad Ikram,I Wayan Budi Sentana,Kiran Ijaz,Mohamed Ali Kaafar,Shlomo Berkovsky

DOI: https://doi.org/10.1093/jamia/ocab131

2021-09-18

Abstract:Objective: We conduct a first large-scale analysis of mobile health (mHealth) apps available on Google Play with the goal of providing a comprehensive view of mHealth apps' security features and gauging the associated risks for mHealth users and their data. Materials and methods: We designed an app collection platform that discovered and downloaded more than 20 000 mHealth apps from the Medical and Health & Fitness categories on Google Play. We performed a suite of app code and traffic measurements to highlight a range of app security flaws: certificate security, sensitive or unnecessary permission requests, malware presence, communication security, and security-related concerns raised in user reviews. Results: Compared to baseline non-mHealth apps, mHealth apps generally adopt more reliable signing mechanisms and request fewer dangerous permissions. However, significant fractions of mHealth apps expose users to serious security risks. Specifically, 1.8% of mHealth apps package suspicious codes (eg, trojans), 45.0% rely on unencrypted communication, and as much as 23.0% of personal data (eg, location information and passwords) is sent on unsecured traffic. An analysis of the app reviews reveals that mHealth app users are largely unaware of the surfaced security issues. Conclusion: Despite being better aligned with security best practices than non-mHealth apps, mHealth apps are still far from ensuring robust security guarantees. App users, clinicians, technology developers, and policy makers alike should be cognizant of the uncovered security issues and weigh them carefully against the benefits of mHealth apps.

Zhenni Ni,Yiying Wang,Yuxing Qian

DOI: https://doi.org/10.2196/23409

2021-01-28

JMIR mhealth and uhealth

Abstract:Background With the development of mobile health (mHealth), chronic disease management apps have brought not only the possibility of reducing the burden of chronic diseases but also huge privacy risks to patients’ health data. Objective The purpose of the study was to analyze the extent to which chronic disease management apps in China comply with the Personal Information Security Specification (PI Specification). Methods The compliance of 45 popular chronic disease management apps was evaluated from the perspective of the information life cycle. To conduct a fine-grained evaluation, a scale based on the PI Specification was developed. Finally, 6 level 1 indicators, 22 level 2 indicators, and 61 level 3 indicators were defined. Results There were 33/45 apps (73%) with a privacy policy, and the average score of these apps was 40.4 out of 100. Items of level 1 indicators with high scores included general characteristics (mean 51.9% [SD 28.1%]), information collection and use (mean 51.1% [SD 36.7%]), and information sharing and transfer (mean 50.3% [SD 33.5%]). Information storage and protection had the lowest compliance with PI Specification (mean 29.4% [SD 32.4%]). Few personal information (PI) controllers have stated how to handle security incidents, including security incident reporting (7/33, 21%), security incident notification (10/33, 30%), and commitment to bear corresponding legal responsibility for PI security incidents (1/33, 3%). The performance of apps in the stage of information destruction (mean 31.8% [SD 40.0%]) was poor, and only 21% (7/33) apps would notify third parties to promptly delete PI after individuals cancelled their accounts. Moreover, the scoring rate for rights of PI subjects is generally low (mean 31.2% [SD 35.5%]), especially for obtaining copies of PI (15%) and responding to requests (25%). Conclusions Although most chronic disease management apps had a privacy policy, the total compliance rate of the policy content was low, especially in the stage of information storage and protection. Thus, the field has a long way to go with regard to compliance around personal privacy protection in China.

health care sciences & services,medical informatics

Borja Martínez-Pérez,Isabel de la Torre-Díez,Miguel López-Coronado

DOI: https://doi.org/10.1007/s10916-014-0181-3

IF: 4.92

2014-12-07

Journal of Medical Systems

Abstract:In a world where the industry of mobile applications is continuously expanding and new health care apps and devices are created every day, it is important to take special care of the collection and treatment of users’ personal health information. However, the appropriate methods to do this are not usually taken into account by apps designers and insecure applications are released. This paper presents a study of security and privacy in mHealth, focusing on three parts: a study of the existing laws regulating these aspects in the European Union and the United States, a review of the academic literature related to this topic, and a proposal of some recommendations for designers in order to create mobile health applications that satisfy the current security and privacy legislation. This paper will complement other standards and certifications about security and privacy and will suppose a quick guide for apps designers, developers and researchers.

health care sciences & services,medical informatics

Leming Zhou,Jie Bao,Valerie Watzlaf,Bambang Parmanto

DOI: https://doi.org/10.2196/11223

2019-04-16

Abstract:Background: A large number of mobile health (mHealth) apps have been created to help users to manage their health or receive health care services. Many of these mHealth apps have proven to be helpful for maintaining or improving their users' health. However, many people still choose not to use mHealth apps or only use them for a short period. One of the reasons behind this lack of use is the concern for their health information security and privacy. Objective: The goal of this study was to determine the relationship between users' characteristics and their security and privacy concerns and to identify desired security features in mHealth apps, which could reduce these concerns. Methods: A questionnaire was designed and validated by the research team. This questionnaire was then used to determine mobile app users' security and privacy concerns regarding personal health data in mHealth apps as well as the security features most users' desire. A semistructured interview was used to identify barriers to and facilitators of adopting mHealth apps. Results: In total, 117 randomly selected study participants from a large pool took part in this study and provided responses to the validated questionnaire and the semistructured interview questions. The results indicate that most study participants did have concerns about their privacy when using mHealth apps. They also expressed their preferences regarding several security features in mHealth apps, such as regular password updates, remote wipe, user consent, and access control. An association between their demographic characteristics and their concerns and preferences in security and privacy was identified; however, in most cases, the differences among the different demographic groups were not statistically significant, except for a few very specific aspects. These study participants also indicated that the cost of apps and lack of security features in mHealth apps were barriers for adoption, whereas having free apps, strong but easy-to-use security features, and clear user protection privacy policies might encourage them to use mHealth apps in their health management. Conclusions: This questionnaire and interview study verified the security and privacy concerns of mHealth app users, identified the desired security and privacy features, and determined specific barriers to and facilitators of users adopting mHealth apps. The results can be used to guide mHealth app developers to create apps that would be welcomed by users.

Muhammad Hassan,Mahnoor Jameel,Tian Wang,Masooda Bashir

DOI: https://doi.org/10.48550/arXiv.2310.14490

IF: 6.4588

2023-10-23

Human-Computer Interaction

Abstract:FemTech or Female Technology, is an expanding field dedicated to providing affordable and accessible healthcare solutions for women, prominently through Female Health Applications that monitor health and reproductive data. With the leading app exceeding 1 billion downloads, these applications are gaining widespread popularity. However, amidst contemporary challenges to women's reproductive rights and privacy, there is a noticeable lack of comprehensive studies on the security and privacy aspects of these applications. This exploratory study delves into the privacy risks associated with seven popular applications. Our initial quantitative static analysis reveals varied and potentially risky permissions and numerous third-party trackers. Additionally, a preliminary examination of privacy policies indicates non-compliance with fundamental data privacy principles. These early findings highlight a critical gap in establishing robust privacy and security safeguards for FemTech apps, especially significant in a climate where women's reproductive rights face escalating threats.

Thomas Cory,Wolf Rieder,Thu-My Huynh

2024-05-28

Abstract:Mobile Health (mHealth) applications have become a crucial part of health monitoring and management. However, the proliferation of these applications has also raised concerns over the privacy and security of Personally Identifiable Information and Protected Health Information. Addressing these concerns, this paper introduces a novel framework for the qualitative evaluation of privacy practices in mHealth apps, particularly focusing on the handling and transmission of sensitive user data. Our investigation encompasses an analysis of 152 leading mHealth apps on the Android platform, leveraging the proposed framework to provide a multifaceted view of their data processing activities. Despite stringent regulations like the General Data Protection Regulation in the European Union and the Health Insurance Portability and Accountability Act in the United States, our findings indicate persistent issues with negligence and misuse of sensitive user information. We uncover significant instances of health information leakage to third-party trackers and a widespread neglect of privacy-by-design and transparency principles. Our research underscores the critical need for stricter enforcement of data protection laws and sets a foundation for future efforts aimed at enhancing user privacy within the mHealth ecosystem.

Computers and Society

Saka Suleiman,Sanchari Das

2024-10-19

Abstract:The widespread adoption of telehealth systems has led to a significant increase in the use of healthcare apps among older adults, but this rapid growth has also heightened concerns about the privacy of their health information. While HIPAA in the US and GDPR in the EU establish essential privacy protections for health information, limited research exists on the effectiveness of healthcare app privacy policies, particularly those used predominantly by older adults. To address this, we evaluated 28 healthcare apps across multiple dimensions, including regulatory compliance, data handling practices, and privacy-focused usability. To do this, we created a Privacy Risk Assessment Framework (PRAF) and used it to evaluate the privacy risks associated with these healthcare apps designed for older adults. Our analysis revealed significant gaps in compliance with privacy standards to such, only 25% of apps explicitly state compliance with HIPAA, and only 18% mention GDPR. Surprisingly, 79% of these applications lack breach protocols, putting older adults at risk in the event of a data breach.

Cryptography and Security,Computers and Society

Jiayi Jiang,Zexing Zheng

DOI: https://doi.org/10.2196/55061

2024-06-22

JMIR mhealth and uhealth

Abstract:Background: Hospital apps are increasingly being adopted in many countries, especially since the start of the COVID-19 pandemic. Web-based hospitals can provide valuable medical services and enhanced accessibility. However, increasing concerns about personal information (PI) and strict legal compliance requirements necessitate privacy assessments for these platforms. Guided by the theory of contextual integrity, this study investigates the regulatory compliance of privacy policies for internet hospital apps in the mainland of China. Objective: In this paper, we aim to evaluate the regulatory compliance of privacy policies of internet hospital apps in the mainland of China and offer recommendations for improvement. Methods: We obtained 59 internet hospital apps on November 7, 2023, and reviewed 52 privacy policies available between November 8 and 23, 2023. We developed a 3-level indicator scale based on the information processing activities, as stipulated in relevant regulations. The scale comprised 7 level-1 indicators, 26 level-2 indicators, and 70 level-3 indicators. Results: The mean compliance score of the 52 assessed apps was 73/100 (SD 22.4%), revealing a varied spectrum of compliance. Sensitive PI protection compliance (mean 73.9%, SD 24.2%) lagged behind general PI protection (mean 90.4%, SD 14.7%), with only 12 apps requiring separate consent for processing sensitive PI (mean 73.9%, SD 24.2%). Although most apps (n=41, 79%) committed to supervising subcontractors, only a quarter (n=13, 25%) required users' explicit consent for subcontracting activities. Concerning PI storage security (mean 71.2%, SD 29.3%) and incident management (mean 71.8%, SD 36.6%), half of the assessed apps (n=27, 52%) committed to bear corresponding legal responsibility, whereas fewer than half (n=24, 46%) specified the security level obtained. Most privacy policies stated the PI retention period (n=40, 77%) and instances of PI deletion or anonymization (n=41, 79%), but fewer (n=20, 38.5%) committed to prompt third-party PI deletion. Most apps delineated various individual rights, but only a fraction addressed the rights to obtain copies (n=22, 42%) or to refuse advertisement based on automated decision-making (n=13, 25%). Significant deficiencies remained in regular compliance audits (mean 11.5%, SD 37.8%), impact assessments (mean 13.5%, SD 15.2%), and PI officer disclosure (mean 48.1%, SD 49.3%). Conclusions: Our analysis revealed both strengths and significant shortcomings in the compliance of internet hospital apps' privacy policies with relevant regulations. As China continues to implement internet hospital apps, it should ensure the informed consent of users for PI processing activities, enhance compliance levels of relevant privacy policies, and fortify PI protection enforcement across the information processing stages.

health care sciences & services,medical informatics

Albin Forsberg,Leonardo Horn Iwaya

2024-09-27

Abstract:Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption raises concerns regarding the security of the user's data. In this study, we investigate the security vulnerabilities of ten top-ranked Android health and fitness apps, a set that accounts for 237 million downloads. We performed several static and dynamic security analyses using tools such as the Mobile Security Framework (MobSF) and Android emulators. We also checked the server's security levels with Qualys SSL, which allowed us to gain insights into the security posture of the servers communicating with the mHealth fitness apps. Our findings revealed many vulnerabilities, such as insecure coding, hardcoded sensitive information, over-privileged permissions, misconfiguration, and excessive communication with third-party domains. For instance, some apps store their database API key directly in the code while also exposing their database URL. We found insecure encryption methods in six apps, such as using AES with ECB mode. Two apps communicated with an alarming number of approximately 230 domains each, and a third app with over 100 domains, exacerbating privacy linkability threats. The study underscores the importance of continuous security assessments of top-ranked mHealth fitness apps to better understand the threat landscape and inform app developers.

Cryptography and Security

Jiayi Jiang,Zexing Zheng

DOI: https://doi.org/10.2196/48714

2023-11-14

JMIR mhealth and uhealth

Abstract:Abstract Background Digital technologies, especially contact tracing apps, have been crucial in monitoring and tracing the transmission of COVID-19 worldwide. China developed health code apps as an emergency response to the pandemic with plans to use them for broader public health services. However, potential problems within privacy policies may compromise personal information (PI) protection. Objective We aimed to evaluate the compliance of the privacy policies of 30 health code apps in the mainland of China with the Personal Information Protection Law (PIPL) and related specifications. Methods We reviewed and assessed the privacy policies of 30 health code apps between August 26 and September 6, 2023. We used a 3-level indicator scale based on the information life cycle as provided in the PIPL and related specifications. The scale comprised 7 level-1 indicators, 26 level-2 indicators, and 71 level-3 indicators. Results The mean compliance score of the 30 health code apps was 59.9% (SD 22.6%). A total of 13 (43.3%) apps scored below this average, and 6 apps scored below 40%. Level-1 indicator scores included the following: general attributes (mean 85.6%, SD 23.3%); PI collection and use (mean 66.2%, SD 22.7%); PI storage and protection (mean 63.3%, SD 30.8%); PI sharing, transfer, disclosure, and transmission (mean 57.2%, SD 27.3%); PI deletion (mean 52.2%, SD 29.4%); individual rights (mean 59.3%, SD 25.7%); and PI processor duties (mean 43.7%, SD 23.8%). Sensitive PI protection compliance (mean 51.4%, SD 26.0%) lagged behind general PI protection (mean 83.3%, SD 24.3%), with only 1 app requiring separate consent for sensitive PI processing. Additionally, 46.7% (n=14) of the apps needed separate consent for subcontracting activities, while fewer disclosed PI recipient information (n=13, 43.3%), safety precautions (n=11, 36.7%), and rules of PI transfer during specific events (n=10, 33.3%). Most privacy policies specified the PI retention period (n=23, 76.7%) and postperiod deletion or anonymization (n=22, 73.3%), but only 6.7% (n=2) were committed to prompt third-party PI deletion. Most apps delineated various individual rights: the right to inquire (n=25, 83.3%), correct (n=24, 80%), and delete PI (n=24, 80%); cancel their account (n=21, 70%); withdraw consent (n=20, 60%); and request privacy policy explanations (n=24, 80%). Only a fraction addressed the rights to obtain copies (n=4, 13.3%) or refuse advertisement of automated decision-making (n=1, 3.3%). The mean compliance rate of PI processor duties was only 43.7% (SD 23.8%), with significant deficiencies in impact assessments (mean 5.0%, SD 19.8%), PI protection officer appointment (mean 6.7%, SD 24.9%), regular compliance audits (mean 6.7%, SD 24.9%), and complaint management (mean 37.8%, SD 39.2%). Conclusions Our analysis revealed both strengths and significant shortcomings in the compliance of privacy policies of health code apps with the PIPL and related specifications considering the information life cycle. As China contemplates the future extended use of health code apps, it should articulate the legitimacy of the apps’ normalization and ensure that users provide informed consent. Meanwhile, China should raise the compliance level of relevant privacy policies and fortify its enforcement mechanisms.

health care sciences & services,medical informatics

Nada Farag,Alycia Noë,Dimitri Patrinos,Ma'n H Zawati

DOI: https://doi.org/10.1007/s41649-024-00296-3

2024-06-18

Abstract:More than 5 billion people in the world own a smartphone. More than half of these have been used to collect and process health-related data. As such, the existing volume of potentially exploitable health data is unprecedentedly large and growing rapidly. Mobile health applications (apps) on smartphones are some of the worst offenders and are increasingly being used for gathering and exchanging significant amounts of personal health data from the public. This data is often utilized for health research purposes and for algorithm training. While there are advantages to utilizing this data for expanding health knowledge, there are associated risks for the users of these apps, such as privacy concerns and the protection of their data. Consequently, gaining a deeper comprehension of how apps collect and crowdsource data is crucial. To explore how apps are crowdsourcing data and to identify potential ethical, legal, and social issues (ELSI), we conducted an examination of the Apple App Store and the Google Play Store in North America and Europe to identify apps that could potentially gather health data through crowdsourcing. Subsequently, we analyzed their privacy policies, terms of use, and other related documentation to gain insights into the utilization of users' data and the possibility of repurposing it for research or algorithm training purposes. More specifically, we reviewed privacy policies to identify clauses pertaining to the following key categories: research, data sharing, privacy/confidentiality, commercialization, and return of findings. Based on the results of these app search, we developed an App Atlas that presents apps which crowdsource data for research or algorithm training. We identified 46 apps available in the European and Canadian markets that either openly crowdsource health data for research or algorithm training or retain the legal or technical capability to do so. This app search showed an overall lack of consistency and transparency in privacy policies that poses challenges to user comprehensibility, trust, and informed consent. A significant proportion of applications presented contradictions or exhibited considerable ambiguity. For instance, the vast majority of privacy policies in the App Atlas contain ambiguous or contradictory language regarding the sharing of users' data with third parties. This raises a number of ethico-legal concerns which will require further academic and policy attention to ensure a balance between protecting individual interests and maximizing the scientific utility of crowdsourced data. This article represents a key first step in better understanding these concerns and bringing attention to this important issue. Supplementary information: The online version contains supplementary material available at 10.1007/s41649-024-00296-3.

Maged N Kamel Boulos,Ann C Brewer,Chante Karimkhani,David B Buller,Robert P Dellavalle

DOI: https://doi.org/10.5210/ojphi.v5i3.4814

2014-01-01

Online Journal of Public Health Informatics

Abstract:This paper examines the state of the art in mobile clinical and health-related apps. A 2012 estimate puts the number of health-related apps at no fewer than 40,000, as healthcare professionals and consumers continue to express concerns about the quality of many apps, calling for some form of app regulatory control or certification to be put in place. We describe the range of apps on offer as of 2013, and then present a brief survey of evaluation studies of medical and health-related apps that have been conducted to date, covering a range of clinical disciplines and topics. Our survey includes studies that highlighted risks, negative issues and worrying deficiencies in existing apps. We discuss the concept of 'apps as a medical device' and the relevant regulatory controls that apply in USA and Europe, offering examples of apps that have been formally approved using these mechanisms. We describe the online Health Apps Library run by the National Health Service in England and the calls for a vetted medical and health app store. We discuss the ingredients for successful apps beyond the rather narrow definition of 'apps as a medical device'. These ingredients cover app content quality, usability, the need to match apps to consumers' general and health literacy levels, device connectivity standards (for apps that connect to glucometers, blood pressure monitors, etc.), as well as app security and user privacy. 'Happtique Health App Certification Program' (HACP), a voluntary app certification scheme, successfully captures most of these desiderata, but is solely focused on apps targeting the US market. HACP, while very welcome, is in ways reminiscent of the early days of the Web, when many "similar" quality benchmarking tools and codes of conduct for information publishers were proposed to appraise and rate online medical and health information. It is probably impossible to rate and police every app on offer today, much like in those early days of the Web, when people quickly realised the same regarding informational Web pages. The best first line of defence was, is, and will always be to educate consumers regarding the potentially harmful content of (some) apps.

Bakheet Aljedaani,Aakash Ahmad,Mansooreh Zahedi,M. Ali Babar

DOI: https://doi.org/10.48550/arXiv.2101.10412

2021-01-25

Cryptography and Security

Abstract:Mobile health applications (mHealth apps for short) are being increasingly adopted in the healthcare sector, enabling stakeholders such as governments, health units, medics, and patients, to utilize health services in a pervasive manner. Despite having several known benefits, mHealth apps entail significant security and privacy challenges that can lead to data breaches with serious social, legal, and financial consequences. This research presents an empirical investigation about security awareness of end-users of mHealth apps that are available on major mobile platforms, including Android and iOS. We collaborated with two mHealth providers in Saudi Arabia to survey 101 end-users, investigating their security awareness about (i) existing and desired security features, (ii) security related issues, and (iii) methods to improve security knowledge. Findings indicate that majority of the end-users are aware of the existing security features provided by the apps (e.g., restricted app permissions); however, they desire usable security (e.g., biometric authentication) and are concerned about privacy of their health information (e.g., data anonymization). End-users suggested that protocols such as session timeout or Two-factor authentication (2FA) positively impact security but compromise usability of the app. Security-awareness via social media, peer guidance, or training from app providers can increase end-users trust in mHealth apps. This research investigates human-centric knowledge based on empirical evidence and provides a set of guidelines to develop secure and usable mHealth apps.

Eunsin Joo,Anastasia Kononova,Shaheen Kanthawala,Wei Peng,Shelia Cotten

DOI: https://doi.org/10.2196/16518

2021-04-13

JMIR mhealth and uhealth

Abstract:Background Persuasion knowledge, commonly referred to as advertising literacy, is a cognitive dimension that embraces recognition of advertising, its source and audience, and understanding of advertisers’ persuasive and selling intents as well as tactics. There is little understanding of users’ awareness of organizations that develop or sponsor mobile health (mHealth) apps, especially in light of personal data privacy. Persuasion knowledge or recognition of a supporting organization’s presence, characteristics, competencies, intents, and persuasion tactics are crucial to investigate because app users have the right to know about entities that support apps and make informed decisions about app usage. The abundance of free consumer mHealth apps, especially those in the area of fitness, often makes it difficult for users to identify apps’ dual purposes, which may be related to not only helping the public manage health but also promoting the supporting organization itself and collecting users’ information for further consumer targeting by third parties. Objective This study aims to investigate smartphone users’ awareness of mHealth apps’ affiliations with 3 different types of supporting organizations (commercial, government, and nonprofit); differences in users’ persuasion knowledge and mHealth app quality and credibility evaluations related to each of the 3 organization types; and users’ coping mechanisms for dealing with personal information management within consumer mHealth apps. Methods In-depth semistructured interviews were conducted with 25 smartphone users from a local community in midwestern United States. Interviews were thematically analyzed using inductive and deductive approaches. Results Participants indicated that their awareness of and interest in mHealth app–supporting organizations were secondary to the app’s health management functions. After being probed, participants showed a high level of persuasion knowledge regarding the types of app-supporting organizations and their promotional intents. They thought that commercial companies sponsored mHealth apps mostly as entertainment tools, whereas noncommercial entities sponsored mHealth apps for users’ education. They assigned self-promotional motives to commercial organizations; however, they associated commercial mHealth apps with good quality and functioning. Noncommercial entities were perceived as more credible. Participants were concerned about losing control over personal information within mHealth apps supported by different organizations. They used alternative digital identities to protect themselves from privacy invasion and advertising spam. They were willing to trade some personal information for high-quality commercial mHealth apps. There was a sense of fatalism in discussing privacy risks linked to mHealth app usage, and some participants did not perceive the risks to be serious. Conclusions The discussion of and recommendations for the safe and ethical use of mHealth apps associated with organizations’ promotional strategies and personal data protection are provided to ensure users’ awareness of and enhanced control over digitalized personal information flows. The theoretical implications are discussed in the context of the Persuasion Knowledge Model and dual-processing theories.

health care sciences & services,medical informatics

Yawen Xing,Huizhe Lu,Lifei Zhao,Shihua Cao

DOI: https://doi.org/10.1007/s11036-024-02299-8

2024-09-10

Mobile Networks and Applications

Abstract:Mobile Medical information systems MMIS or mHealth applications support personal health and potentially improve the health sector by offering a solution to significant problems faced by the healthcare system. While espousing these Mobile Medical Information Systems, sequestration and security issues arise. Due to advanced computing and different capabilities, data security and confidentiality come major enterprises with continuously expanding mHealth operations. European Union General Data Protection (GDPR) and California Consumer Sequestration Act (CCPA) raise mindfulness; still, they need to address developing a system that meets sequestration and security conditions. This paper deals with research literature to understand current privacy and security issues and possible solutions for patients and providers using mHealth applications. This is the reason for several threats, such as information harvesting, tracking patients, relaying attacks, and denial of service attacks, which affect the confidentiality and integrity of these devices. We discussed the challenges and risks associated with Mobile Medical information systems and emphasized the need to address these concerns for widespread adoption. Mitigation strategies include robust security measures, regulatory compliance, and user awareness. We discussed the impact of privacy and security issues on healthcare, including potential harm to patients and disruptions in system functioning, reviewing laws, conducting a literature review, and assessing mHealth system applications. We emphasize the need for comprehensive security measures and continuous evaluation of security practices in mHealth, which need to be addressed to achieve quality, continuity, and portability of health services. We offer a critical and methodical assessment of the state of the art in mHealth security and privacy and suggest a methodology for creating and executing MMIS that is safe and protects privacy.

computer science, information systems,telecommunications, hardware & architecture