Why it's no surprise that NHS-accredited smartphone apps are leaking data

Health Apps Library was put under scrutiny for 'very weak' review criteria back in June

A number of smartphone health apps that have been accredited by the NHS do not properly secure customer data and have poor information privacy practices, according to researchers at Imperial College London, who checked 79 of the 230-plus apps available in NHS England's Health Apps Library.

Apps in the library are supposed to undergo tests to ensure they meet standards of clinical and data safety. But despite this vetting, the researchers found that many of the apps weren't up to the required standard - with some ignoring privacy standards, and nearly a third (29 per cent) sending data - which included both personal and health data - without encrypting it at all. The vast majority sent personal data to an associated online service.

"If we were talking about health apps generally in the wider world, then what we found would not be surprising," said Kit Huckvale, a PhD student at Imperial College London, who co-wrote the study, suggesting that the NHS vetting procedures should conform to a higher standard.

The researchers sent bogus user data to all 79 apps in the study and looked into how it was handled, eventually exposing those with poor security.

Four apps sent both identifying and health information without encryption. Although the study was not designed to examine data handling after transmission to online services, security problems appeared to place users at risk of data theft in two cases. The NHS has since claimed that it has removed the apps that are vulnerable, or has contacted the developers to insist they are updated.

But the findings are not surprising. After all, in June, NHS England was put under scrutiny for its review criteria for the Health Apps Library. The criteria were designed to provide a framework to assess those apps for suitability before they're published for the public to download - but they had been labelled weak, and furthermore it seemed as if some of the apps failed to meet even that standard.

At the time, Phil Booth, co-ordinator at health privacy campaign group medConfidential, described the review criteria as "very weak", and added that his organisation had given feedback to NHS England on how some of the apps could be improved, but that the advice appeared to have been ignored.

"Unfortunately, not all of the apps currently in the library even meet the criteria they supposedly should. And, despite having provided detailed and specific feedback on a number of these apps using the provided feedback forms on the relevant web pages SIX weeks ago, we have had no response - and nothing appears to have changed on the site."

However, two of the apps in question, Kvetch and Doctoralia, were subsequently removed from the site by NHS England after Computing had spoken to medConfidential.

But the findings of the Imperial College London study suggest that NHS England failed to take full notice of medConfidential's advice. Computing warned that the Health Apps Library could be the third major failing project for the NHS, along with NHS Choices and the controversial care.data programme. It seems as if the NHS is taking a reactive rather than a proactive stance on ensuring the library is full of secure apps, and this may well lead to personal and health data getting into the hands of criminals, unless the NHS alters its stance.