HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How Secure are Mobile Health Apps?

How secure are mobile health apps? It may not come as a surprise to find out that many mobile health apps have security vulnerabilities, but what about the health apps that have been tested and approved by the Food and Drug Administration (FDA)?

Apparently, even mobile health apps that have gained FDA approval are insecure. A recent study conducted by Arxan Technologies indicates that 84% of FDA-approved health apps have at least two security vulnerabilities that pose a significant risk of exposing data or that could lead to the devices being compromised.

For the study, Arxan assessed 71 of the top health apps used in the United States, United Kingdom, Japan, and Germany, and tested each using tools developed by Mi3, a leading application security company. Mi3 has developed tools that assess potential for data leaks, susceptibility to malware, and privacy risks.

Each app was tested for susceptibility to the Open Web Application Security Project’s (OWASP) top ten critical security risks. Overall, 86% of the apps were discovered to be vulnerable to at least two risks. The problem is not confined to the United States. Even apps approved for use in the UK by the National Health Service (NHS) were found to be insecure: 80% were vulnerable to at least two of the top ten risks.

The study shows that just because a health app has been government-approved, it does not mean it is any more secure than one that hasn’t. That raises the question: what exactly do the FDA and NHS test mobile health apps for before giving their approval?

Main Security Vulnerabilities Discovered in Health Apps

The main problem, which affected 97% of mobile health apps, was the lack of binary code protection. This means the apps could all too easily be reverse engineered and have their code modified. This vulnerability existed in 95% of FDA-approved apps. If code can be changed, the researchers said that it would be possible to reprogram some apps to deliver a lethal dose of medication.

The second biggest vulnerability, affecting 79% of health apps, is poor transport layer protection. This could lead to apps leaking data. Those data could potentially be used to commit identity theft and fraud.

It would appear that many consumers believe that health apps have been thoroughly tested for security vulnerabilities, and that by the time they are released they have been made secure. Mobile app executives also believed that the security of health apps was adequate. 84% of consumers and mobile app executives (combined) believed that the apps had adequate security. Interestingly, 63% believed that the developers of mobile health apps were doing everything they could to ensure their apps were secure.

If consumers were made aware of the security vulnerabilities that existed, 80% would change provider and choose a different health app if one existed that offered a similar service but greater security.

Patrick Kehoe, Arxan Technologies chief marketing officer, was concerned by the findings and said, “Given the highly distributed mobile environment, healthcare CIOs and provider organizations with mobile apps should bake application self-protection security measures into their apps before releasing them ‘into the wild.’”


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.