Some NHS-backed apps send unencrypted user data
A “man-in-the-middle attack” was used in the study to intercept data sent over the internet.
“However, it was assumed that accredited apps – those that had been badged as trustworthy by organisational programs such as the UK’s NHS Health Apps Library – would be free of such issues”. The accreditation process checks clinical safety and compliance with data protection law.
Researchers from Imperial College London investigated how data was handled by apps endorsed by the NHS Health Apps Library and found that several sent unencrypted personal and medical information over the internet, putting users at risk of identity theft and fraud. Kit Huckvale added that the results give an opportunity to act on these concerns and reduce the risk of a privacy breach in the near future.
A spokesperson for NHS Choices said: “It’s important that all of the apps listed on the NHS Health Apps Library meet the criteria of being clinically safe, relevant to people living in England and compliant with the Data Protection Act”.
NHS England told the BBC that a number of the worst-offending apps have been removed and that the service is launching a “new, more thorough NHS endorsement model for apps”.
“This interception might occur at a local level in an Internet café or at a higher-level in more sophisticated scenarios”.
Information sent unencrypted over the internet is not protected from eavesdroppers and is at greater risk of being intercepted by criminals.
“Testing was used to characterise app features, explore data collection and transmission behaviour, and identify adherence to data protection principles concerning information security”, the study said. In an accompanying commentary, Paul Wicks and Emil Chiauzzi from PatientsLikeMe – a U.S. health information sharing website – write about health apps: “The potential for benefit remains vast and the degree of innovation is inspiring – but it turns out we are much earlier in the maturation phase of medical apps than many of us would have liked to believe”.
The online resource was set up in March 2013 to provide users with access to a range of health monitoring and treatment apps that people can scroll through before downloading them from the Apple App Store or Google Play marketplace.
Paul Dignan, technical account manager at F5 Networks, told South Carolina that where data was sent in the clear, that information would be readable at any point in the transit chain between client and server.
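The kind of check the study's traffic testing and Dignan's point describe, as an added example that is not part of the article or the study: given request records as a proxy-based audit would log them (constructed sample; app names, hosts and field classification are assumptions), flag every request sent without TLS and rate it by whether the body carries identifying or medical fields.

```python
from urllib.parse import parse_qs

# Constructed sample of outbound requests from apps under test, as a proxy-based
# audit like the study's would record them. App names, hosts and bodies are made up.
SAMPLE_TRAFFIC = [
    {"app": "SleepLog", "scheme": "https", "host": "api.sleeplog.example",
     "body": "email=alice%40example.com&hours=7"},
    {"app": "MoodDiary", "scheme": "http", "host": "api.mooddiary.example",
     "body": "email=alice%40example.com&dob=1980-01-02&mood=low"},
    {"app": "StepCount", "scheme": "http", "host": "stats.stepcount.example",
     "body": "steps=4000&device=android"},
]

# Field names treated as identifying or medical data (assumed classification).
PERSONAL_FIELDS = {"email", "name", "dob", "postcode", "phone", "nhs_number"}
MEDICAL_FIELDS = {"mood", "symptom", "diagnosis", "medication", "condition"}

def classify_fields(body: str):
    """Return (personal, medical) field names found in a form-encoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    personal = sorted(k for k in fields if k.lower() in PERSONAL_FIELDS)
    medical = sorted(k for k in fields if k.lower() in MEDICAL_FIELDS)
    return personal, medical

def audit_cleartext(records):
    """Flag every request sent without TLS and rate it by what the body exposes.

    'high': identifying and/or medical data readable by anyone on the path.
    'low' : cleartext, but nothing sensitive in this request (still a finding,
            since metadata and any later request leak the same way).
    """
    findings = []
    for r in records:
        if r["scheme"].lower() == "https":
            continue  # TLS: body not readable in transit (certificate checks are a separate test)
        personal, medical = classify_fields(r["body"])
        findings.append({
            "app": r["app"], "host": r["host"],
            "personal": personal, "medical": medical,
            "severity": "high" if (personal or medical) else "low",
        })
    return findings

if __name__ == "__main__":
    for f in audit_cleartext(SAMPLE_TRAFFIC):
        print(f"{f['severity']:4} {f['app']:10} -> http://{f['host']} "
              f"personal={f['personal']} medical={f['medical']}")
```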
The study also found that 20% of the apps had no privacy policy setting out the steps taken to safeguard users’ personal information, although none of the apps were found to transmit information that they had promised not to.