Health Informatics & Analytics Literature Update

Originally published in the August 2021 edition of the Tufts University Health Informatics & Analytics Newsletter

Security Issues of Android Mobile Health and Medical Applications

By Eden Shaveet

In a new paper published in the Journal of the American Medical Informatics Association, Gioacchino Tangari and colleagues at Macquarie University (Australia) analyzed over 20,000 Android mobile health (“mHealth”) applications and evaluated the associated risks to user data protection. The main findings are that, while mHealth applications tend to provide more reliable cryptographic certificate signing mechanisms and request fewer device permissions than non-mHealth applications, several of these commercially available mHealth applications expose users to notable security risks, including covert packaging of malware, substantial reliance on unencrypted communication, and unsecured traffic. Prior work on deficiencies in mHealth application privacy policies had revealed privacy as an interdependent function of effective security procedures.

The findings emphasize the importance of paying attention to consumer-grade health information and communication technologies (ICTs) and the economic systems that foster them. Free applications with ill-conceived ad-based monetization models, coupled with under-regulation and under-vetting of mHealth application security features, permit the rise of suspicious third-party adware, insecure communication protocols, and network traffic interception. Commercial application marketplaces carrying mHealth applications must prioritize adherence to stringent security feature vetting processes and adapt to increasingly sophisticated obfuscation techniques that put sensitive user data at risk. This is crucial in the U.S. because data generated from consumer-grade mHealth applications tend to fall outside the stewardship of covered entities and are not subject to protected health information (PHI) provisions under the Health Insurance Portability and Accountability Act (HIPAA).

Suggestions for students:

  • Read the paper

  • Explore the project’s GitHub for sample data sets and scripts

  • Consider taking HIA 222: Fundamentals of Privacy & Security in Health IT