Healthcare Technology Featured Article

December 15, 2022

Benchmark Analysis Finds Security Weaknesses in mHealth Apps

The digital transformation of the healthcare industry has solidified mHealth apps as an essential part of individual health tracking and virtual medicine. Patients depend on mHealth apps to track their own health and activity, join telehealth appointments, access records, manage prescriptions and receive public health updates. Doctors, nurses and caregivers rely on mHealth apps to monitor patient health data and care programs, conduct administration, manage patient documents, monitor Internet of Things (IoT) medical devices and perform contact tracing.

Mobius MD found that two-thirds of U.S. hospitals offer mobile health apps, and Precedence Research estimates the global mHealth marketplace will reach $243.57 billion by 2030. With patients and caregivers using mHealth apps for a wide range of services, safeguarding users from cyber threats should be a top priority for healthcare providers. Many would expect mHealth apps to rank among the most secure compared to mobile apps across industry verticals because regulations like HIPAA require healthcare providers to safeguard confidential patient data. But the most popular mHealth apps may not be as safe as users assume.

A recent NowSecure mobile application security and privacy benchmark analysis found that many of the most popular mHealth apps have security and privacy vulnerabilities that risk exposing personal health data.

Security and Privacy Testing Methodology

NowSecure recently evaluated more than 5,500 Android and iOS mobile apps across 13 industry verticals, including banking and finance, fintech and insurtech, airline, automotive, energy, gig economy, healthcare, high tech, IoT, pharma, retail, social media and travel.

Analysis was conducted using the NowSecure Platform automated mobile application security testing engine. The engine runs more than 600 automated tests to find security and privacy issues that impact mobile users and mobile businesses. These tests run against the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) as a baseline to determine the level of security in mobile apps.

After testing, a scoring algorithm assigns each mobile app a risk score from 0 to 100, which maps to a letter grade like a school grade. Mobile apps scoring 90 and above equate to an A, 80-89 a B, 70-79 a C, 60-69 a D and anything below 60 merits an F. Mobile apps that earn an A or B are low risk, those in the C and D groups require caution and those with an F present a high degree of risk.

How Secure Are mHealth Apps?

The benchmark analysis uncovered a number of noteworthy issues regarding the overall privacy, security and quality of 528 mHealth apps:

  • A concerning 97% of all sampled healthcare mobile apps had one or more security risks, while 69% had one or more privacy risks.
  • The average security score of mHealth mobile apps dropped 8% from last year, moving from 75 to 69. This was one of the most significant score drops across all industry verticals.
  • 32% of mHealth apps had high-risk vulnerabilities.
  • 46% of healthcare mobile apps had medium-risk vulnerabilities.
  • 16% of healthcare mobile apps had low-risk vulnerabilities.

mHealth Apps Require Maximum Protection

Recent mHealth security and privacy incidents highlight the impact of security and privacy vulnerabilities on healthcare organizations, patients and users:

  • In December of 2021, security researchers at NowSecure uncovered major vulnerabilities within Peloton mobile apps and APIs, which could have exposed users to personal information theft, phishing and account takeovers.
  • In November of 2021, the vaccine passport mobile app developer Docket uncovered a security bug that exposed the COVID-19 vaccination records of some residents in New Jersey and Utah.
  • In September of 2021, the period and fertility tracking mobile app maker Flo Health was involved in a class-action lawsuit after sharing private user data with third parties without their consent.

As the digitization of healthcare continues, mHealth apps require security and privacy protections that go beyond the baseline requirements of other mobile app categories. These mobile apps handle a higher volume of sensitive user data than apps in other industry verticals, which means the consequences of a mobile app breach could be much more severe. Additionally, many mHealth apps support life-saving IoT devices like insulin pumps that could be compromised by threat actors, putting the health and safety of users at risk.

Healthcare organizations should not take the security and privacy of their mHealth apps lightly. mHealth apps should be tested continuously as they are built and throughout their lifecycle to ensure they meet regulatory requirements and stay protected from threat actors. Healthcare leaders should encourage development teams to learn secure coding techniques and leverage continuous security testing to find and fix vulnerabilities throughout the dev pipeline. To demonstrate their commitment to safeguarding user trust and validate their security practices, healthcare organizations that build mobile apps for Android should obtain an App Defense Alliance (ADA) Mobile Application Security Assessment independent security review for their Google Play Data safety section.

About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management, including at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted thought leader, Brian is a dynamic speaker and compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.

Edited by Erik Linask
By Special Guest
Brian Reed, Chief Mobility Officer, NowSecure
