A new study published in the British Medical Journal found the sharing of user data from health-related mobile apps on the Android platform was routine and yet far from transparent. Lead author Dr Quinn Grundy said health apps were a “booming market”, but one with many privacy failings. The study follows a recent report from the Wall Street Journal which found several apps, including period tracker Flo Health, were sending sensitive user data – including weight, blood pressure and ovulation status – to Facebook.
Commenting on the news are the following security professionals:
Lamar Bailey, Director of Security Research and Development at Tripwire:
“Although it is well known and documented that apps use customers’ data as a currency, it is particularly troubling when that data includes sensitive information such as medical records and health metrics. The wealth of information that health apps collect and store can be an appealing target for cybercriminals. It is paramount that these apps clearly state in their registration process if they plan to divulge their customers’ information to third parties, so that subscribers are able to opt out. All too often these terms on usage are buried in the user agreement and the only way to opt out is to not use the app.”
Warren Poschman, Senior Solution Architect at comforte AG:
“In today’s data-driven economy, sharing and selling data is a reality and one that won’t likely change despite any amount of regulation. What’s key though is how these companies secure that data and maintain our privacy. Though that seems at odds with sharing and selling data, if done properly it can coexist. Companies that offer data need to share it anonymized but usable – and adopting a data-centric security model using technology like tokenization can do just that: the analytical value of the data isn’t affected even though it is anonymized. Want to know what meds I’m taking or what procedures I’ve had so it can be cross-referenced and insights gained, absolutely! Want to know that it was me specifically that takes that medication or has had those procedures, absolutely not! Regulatory bodies need to start ensuring that companies anonymize the data so that it can be safely used no matter where it travels to.”