Security and privacy of health apps

Tips to improve your safety and security around health apps

With new healthcare apps and devices being created every day, it's important to take care of how your personal health information is collected and used. On this page, you can learn about keeping yourself safe when using health apps.

Generally, health apps are not covered by legal requirements to safeguard your data privacy and security, so you need to take steps to protect your personal information when using mobile health apps.

How could your personal information be at risk?

Many health apps collect a range of personal information and have poor security. This means it's not always possible to control who accesses your data, when they access it, how they access it and whether you are informed about your data being accessed.
  • Your personal health data is unique, and includes personal information about you and your health.
  • If your personal health data is leaked, someone might use it for their own gain. It could be used to cause you financial loss or harm to your reputation.
  • Personal health data is different from your financial data, which is better protected. For example, if your credit card number is stolen, you can block that number and have a new number issued.

Although apps may have a privacy policy that says they protect the privacy and confidentiality of your information, they may transmit that data unencrypted (not coded) and over unsecured network connections. This puts it at risk of being accessed by someone else. See What is a privacy policy? below.

Mobile applications, especially apps that you download for free, depend on advertising to make money. See Is your data being shared with a third party or advertiser? below.

Tips to improve your safety and security when using apps

  1. Research the app before installing it: look into the app developer before you install the app. The app developer's name is usually in the 'Read more' section of the app summary in the app stores. Check if the developers have a valid website and if they seem credible. Also look for user reviews and check if other people have complained about issues with security and privacy, including being pestered by third parties or advertisers. If in doubt, leave it out - do not download the app.
  2. Read the privacy policy and terms of use: this should be listed in the App Store/Google Play Store and available before you download the app. Information about who your data is shared with should be made clear in the privacy policy. If you are not happy, don't use the app.
    Note that the existence of a privacy policy does not necessarily mean your data will be private. 
  3. Signing up: avoid signing up to apps with your Google or Facebook account. Your information could be shared through these parties. When signing up, do not use a name that identifies you - use a false name. Keep your personal email safe by creating a ‘junk’ email address which you only use for signing up online. Also, try to use apps without entering personal information, if that is allowed. 
  4. Be suspicious if an app asks for data that is not related to its main use, or if it asks you for permission to access functions on your mobile that seem unrelated. Decide if an app really needs access to your location, contacts, calendar, etc. before you give it permission to access them.
  5. Sensitive information: avoid texting or emailing sensitive information unless you are using a secure system.
  6. Lock your phone with a PIN or password. If possible, set your phone to automatically lock when not in use.
  7. Don’t click on suspicious or unknown links or attachments: treat a mobile phone as you would your computer.
  8. Delete apps you are not using: if you stop using an app, delete it. If the app allows, delete your account and other data.
  9. Give feedback on the app developers, especially if you’ve been pestered by third parties or advertisers.
  10. Tech savvy users: if you’re technically savvy, you may be able to view application logs or audit files to confirm that the app is doing what it says it is and not anything it shouldn’t be.  
  11. Use https instead of http: for web apps, try to use those that have the prefix https instead of http. The 's' in https means the connection between your device or browser and the remote system is encrypted (or coded), which helps to significantly reduce the risk of a third party ‘eavesdropping’ on your connection and stealing your data. 

More useful information

What is a privacy policy?

The privacy policy sets out how an app uses and protects any information that you give to the app owner while using the app. A clear privacy policy can tell you what permissions an app requires before you download it, such as geo-location, book, camera, phone call and contacts access. If you are not comfortable with an app that is asking for many permissions, you should avoid downloading it.

Is my data being shared with a third party or advertiser?

Mobile applications, especially apps that you download for free, depend on advertising to make money. They may share personally identifiable information about you with advertisers, or allow ad networks to track you. Almost all apps send non-personal data about how you use an app to data analytics services. If an app collects your universal device ID (UDID) or embeds a unique ID in the app, analytics data can be tracked back to you personally. 

Where is my data stored – on my device or in the cloud? 

The information your mobile app stores may be stored temporarily while it does its processing, or the data may be persistent, in order to build up a history.

  • Temporary data is usually stored on your device, either on the phone itself or on a removable media (SD) card. 
  • Often this temporary data will be associated with something an app can do, even when you’re not connected.
  • In many cases even though the app has used the data and no longer needs it, it will not delete the data. You can usually clean this up in your phone’s settings by clearing the cache.
  • Persistent data may also be stored on the phone itself or on an SD card connected to your phone. However, apps often also send data to the internet to be stored in the cloud. Once the data has left your phone, it may be impossible to control how it is shared and whether it can be deleted once it is no longer useful to you.

Learn more

The following resources have useful information on how to keep yourself and your family safe online.

New Zealand
  • Staying safe online – 2018 quick reference guide: advice, tips and how-to guides for social media, online shopping, safe search and more (Netsafe, NZ)
  • How to improve your online privacy and security (Netsafe, NZ)
  • App guidance (Privacy Commissioner, NZ)
  • Need to know or nice to have - making app privacy your competitive advantage (Privacy Commissioner, NZ)
  • e-Learning privacy online (New Zealand Privacy Commission)

Other
  • Security Tip - privacy and mobile device apps (Cybersecurity and Infrastructure Security Agency (CISA), US)
  • Understanding mobile apps (Federal Trade Commission, US)
  • Five ways you can stay smart online (Australian Digital Health Agency)
  • mHealth app guidelines (Joint AMA/Xceria, US)
  • Mobile security (Communications Security Establishment, Canada)
  • Identity 101 (Canadian Cyber Security Centre, Canada)

Credits: Health Navigator Editorial Team. Reviewed by: Alan Holmes, Domain architect, HealthAlliance. Last reviewed: 25 Aug 2018.