NHS-approved mobile apps fail to encrypt patient data, study finds

A large number of mobile applications approved by the NHS leak data about their users, with some completely failing to encrypt patient information sent over the internet, an Imperial College study has found.

The study looked into the adequacy of data protection of software listed in the NHS Health Apps Library.

Launched in March 2013, the Library presents a curated list of apps patients and the public can use. Apps are intended to be suitable for professional recommendation to patients but are also available for general use without clinical support.


Failure to encrypt data

The study was carried out over a six-month period, during which 79 apps certified as “clinically safe” and “trustworthy” by the UK NHS Health Apps Library were assessed.

Out of those 79 applications, 89 per cent (70/79) relayed information to online services. None of those 70 apps encrypted the data stored locally.

More concerning, two-thirds of apps (23/35) that sent identifying information over the internet did not encrypt it and 20 per cent (7/35) did not even have a privacy policy.

Eight out of ten apps (38/49) that transmitted information and had a privacy policy did not describe the type of personal information that would be included in those transmissions.

Four apps sent both identifying and health information without encryption.


‘Systematic gaps in compliance’

The report said there were “systematic gaps in compliance with data protection principles in accredited health apps” which lead to a bigger question of “whether certification programs relying substantially on developer disclosures can provide a trusted resource for patients and clinicians”.

Two apps that used cloud technology had privacy vulnerabilities classified as ‘critical’. The report warns that such design flaws could be intentionally exploited to extract information about the users.

“As long as these vulnerabilities persist, the privacy of users is in jeopardy,” the report warned.
