The reports about Glow, a fertility tracking mobile app, show how many startups ignore mobile app security testing, and how many businesses that collect health data treat being outside of HIPAA compliance as a free pass from taking responsibility for data security.
Glow, which tracks women’s menstrual cycles and fertility, contained serious security vulnerabilities that compromised user data. This data is all the more sensitive and personal because it covers details such as weight, medications, sexual intercourse and personal medical history, as well as identifying information such as name, location and birthdate.
These security issues show the need for a security standard for health data. Only three of the most popular fertility and reproductive mobile apps, Ovuline, Celmatix, and Progyny, are HIPAA compliant. Although Glow claims to manage “one of the largest datasets for women’s health ever assembled”, it is neither HIPAA compliant nor under the remit of the US Food and Drug Administration.
The three major security issues discovered by Consumer Reports were that accounts could be linked without permission, personal data was sent unencrypted to users’ phones, and users’ passwords could be changed via the API.
The researchers also found that the debug logs made personal data visible to administrators.
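Two of the three findings (linking accounts without permission, changing passwords via the API) are the same underlying mistake: an endpoint that trusts the identity the client puts in the request instead of the identity the server already established when the user logged in. The following is an added, hypothetical illustration written for this post; it is not Glow's code, and the user names, request shape and in-memory store are constructed. It contrasts a password-change handler that reads the target account from the request body with one that takes the target from the authenticated session and demands the current password before rotating it.

```python
"""Hypothetical password-change endpoint: a handler that trusts client-supplied
identity (the pattern behind "change any user's password via the API") beside
its hardened form. Illustration only, not Glow's code; all names are made up."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # modest for the demo; use a higher count in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_store() -> Dict[str, dict]:
    """Constructed sample user store (not real accounts)."""
    store = {}
    for name, pw in (("alice", "alice-original-pw"), ("bob", "bob-original-pw")):
        salt, digest = hash_password(pw)
        store[name] = {"salt": salt, "hash": digest, "session_generation": 0}
    return store


class AuthorizationError(Exception):
    pass


def change_password_vulnerable(store: dict, session_user: str, body: dict) -> str:
    """Broken object-level authorization: the target account comes from the
    request body, so any logged-in user can reset anyone else's password.
    `session_user` is ignored entirely."""
    target = store[body["user_id"]]
    target["salt"], target["hash"] = hash_password(body["new_password"])
    return "ok"


def change_password_hardened(store: dict, session_user: str, body: dict) -> str:
    """The target is the authenticated session's own account; any user_id in the
    body is ignored. The caller must prove knowledge of the current password,
    and other sessions are invalidated after the rotation."""
    target = store[session_user]
    if not verify_password(body.get("current_password", ""), target["salt"], target["hash"]):
        raise AuthorizationError("current password does not match")
    new_password = body.get("new_password", "")
    if len(new_password) < 12:
        raise ValueError("new password too short")
    target["salt"], target["hash"] = hash_password(new_password)
    target["session_generation"] += 1  # existing tokens bound to the old generation stop working
    return "ok"


if __name__ == "__main__":
    s = make_store()
    change_password_vulnerable(s, "bob", {"user_id": "alice", "new_password": "chosen-by-bob-123"})
    print("vulnerable: bob reset alice ->", verify_password("chosen-by-bob-123", s["alice"]["salt"], s["alice"]["hash"]))
    s = make_store()
    try:
        change_password_hardened(s, "bob", {"user_id": "alice", "current_password": "guess", "new_password": "chosen-by-bob-123"})
    except AuthorizationError as e:
        print("hardened: rejected ->", e)
```

The same rule covers the account-linking finding: the account being linked to must be the one behind the session, never an identifier the client chose, and the second account should confirm the link from its own authenticated session.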
For users this is all quite shocking. Glow fixed all the security issues and released an update after Consumer Reports got in contact, and maintains that no user data was compromised. The reality is that the data collected isn’t covered by HIPAA laws, nor is there any law to stop Glow selling this data to marketers.
This still raises the question: why does a startup that collects the most personal and sensitive data of its users, and has $23m in funding, neglect to do any mobile app security testing, or even take a cue from HIPAA regulation to create some kind of internal security standard?
Codified Security Instant will help you to meet HIPAA standards for secure mobile app development. For HIPAA mobile app security testing, try a demo of Codified Security.