
August 19, 2016

Health & fitness apps exposing user data

A number of health and fitness apps expose user data to potential collection and sharing by companies that sit outside HIPAA regulation and fall short of HIPAA app security standards.

Research from the Future of Privacy Forum, a US-based think tank focused on responsible data practices, examined the privacy policies of health and fitness apps in the iOS and Android marketplaces and found that only 60 percent described a privacy policy, compared to 76 percent of other apps.

This is troubling given that these apps collect health and fitness information from sensors on mobile phones, wearables, and other devices. Given the sensitive nature of the data, the expectation would be that these apps' privacy policies are more explicit in describing their privacy practices, not less.

Many of these wearables, sports and fitness apps, and related social networks existed before Congress enacted HIPAA, and they still sit outside its scope because the companies behind them are neither HIPAA covered entities nor business associates. This creates a gulf between the HIPAA app security standards that covered entities must meet and the standards these health and fitness apps actually follow.

The failure to offer privacy policies takes two forms: apps that provide no privacy policy link on their app store listing, and apps that have no privacy policy at all. The absence of any security testing standard comparable to HIPAA app security requirements also creates the potential for breaches of sensitive data, e.g. the information collected by fertility tracking apps, such as weight, medications, sexual intercourse and personal medical history, alongside identifying information such as name, location and birthdate.

HIPAA app security standards include basic, common-sense measures such as properly implemented encryption for data in transit and data at rest, and proper handling of authentication verifiers (the stored secrets, such as password hashes, used to check a user's credentials).

The absence of security and clear privacy policies is a cause for future concern as the health insurance industry looks toward big data.

Codified Security will help you meet HIPAA standards for secure mobile app development; for HIPAA mobile app security testing, try a demo of Codified Security.