Health professional need to be aware of privacy risks in their own use of apps

Sydney, March 22: "Health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.” A researcher, Assistant Professor Grundy at Sydney University said

Mobile health apps are a booming market targeted at both patients and health professionals. Medicines-related apps help patients track their prescriptions and remember to take their pills. They also provide drug information to help clinicians prescribe and administer medications.

The research team - from the University of Sydney, the University of Toronto and the University of California - set out to investigate if and how user data is shared by top-rated medicines-related mobile apps. It also sought to characterize privacy risks to app users, both clinicians and consumers.

How data is shared

Using apps, those were available to the public, provided information about medicines dispensing, administration, prescribing, or use, and were interactive.

The research team identified 24 top rated medicines related apps for the Android mobile platform in the United Kingdom, the United States, Canada, and Australia.

They then ran laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real world use with four dummy scripts.

Privacy leaks were detected using a technique called Differential Traffic Analysis, explained co-author Dr Ralph Holz from the University of Sydney's School of Computer Science.

"The idea is to capture a baseline of the normal network data that an app causes, and then change privacy-related settings in the app. The places where the new settings turn up in any fresh network data shows us where and to whom the app is leaking it."

Third parties also advertised the ability to share user data with 216 'fourth parties' including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency. Only three of these fourth parties could be characterised predominantly as belonging to the health sector.

Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data.

"Most health apps fail to provide privacy assurances or transparency around data sharing practices," the findings remain of concern said Assistant Professor Grundy said.

"User data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers.