Health app data breaches are becoming commonplace as more and more companies are failing to keep their customer’s information secure. But why exactly has there been a rise in health app data breaches over the past few years?
Any organization that stores the personal data of its customers, current employees and former employees, has a legal obligation to keep said data secure. Unfortunately, not every company can uphold this responsibility, which often results in devastating data breaches.
Mental Health and Prayer Apps
Many services are moving into digital space, including apps for mental health and spiritual needs. But researchers warn that some of the most prominent apps for mental health and prayer offer little security, and users’ privacy data are vulnerable. Earlier this year, Mozilla published a report which found that out of the 32 mental health and prayer apps analyzed, 28 were given a “Privacy Not Included” warning label for weak policies, sharing personal data with third parties.
The research found that the apps with the worse privacy and security were Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace. Mozilla’s findings show that Better Help and Better Stop Suicide had “vague and messy privacy policies”, while Youper, Pray.com, and Woebot shared users’ personal information with third parties, and Talkspace collected chat transcripts.
“The vast majority of mental health and prayer apps are exceptionally creepy. They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental states, and biometric data. Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information,” said Jen Caltrider, lead of Mozilla’s Privacy Not Included Privacy Guide.
Insecure Tracking Apps
The overturn of Roe vs Wade opens the door to criminal prosecution of women seeking abortions and raises concerns about law enforcement officials’ ability to subpoena abortion-related data from data companies and women’s health apps.
Apps such as Flo, Period Tracker, and Glow capture more private data than many people know. This information is susceptible to being sold to third parties to improve advertising practices and earn the app developers money. That data are also susceptible to court-order subpoenas by law enforcement building a case against someone believed to have violated restrictions on abortion. Many of the apps have responded and introduced new security features such as an anonymous mode and a private key encryption feature.
Protecting Employees Data: BYOB Workplaces & Wellness Monitoring
With the rise of the BYOD (bring your own device) workplace and companies playing an increasingly active role in the health and wellness of its employees, utilizing mobile apps to encourage employees to track fitness, there is an additional vulnerability. An organization’s computers (desktops, laptops and servers) include the ability for admins to have full access to the device for updates and deploying new software. However, with BYOB, there is a greater threat of ‘leaky’ apps — outwardly benign applications with security flaws that can put your data at risk. And guess what? Chances are, your employees have leaky apps on their devices.
Corporate Wellness Magazine recently examined 100 popular apps in a variety of categories, testing them for man-in-the-middle and SSL attack vulnerabilities, whether they stored passwords and other sensitive data in their memory, and other common security concerns.
Our study found that 60% of apps received a “High” risk rating in one or more categories. None of these were apps anyone would normally perceive as ‘risky’- usually, when presented with our findings, even their creators were unaware of the risks their apps posed.
“Even if you develop your own custom fitness app or use a white label app that has undergone rigorous security testing, the scary thing about mobile is that your data may still only be as safe as the weakest app on one of your employees’ devices. All it takes is one unsecured Angry Birds knock-off to put your entire enterprise at risk.
Here’s how it can happen – let’s say as part of a corporate wellness directive, your employee installs an mobile app called “Count My Sit-Ups” to help them, well, count their sit-ups. This app is reasonably secure (a rarity), but requires an email address as part of registration. However, the Angry Birds knock-off they downloaded has some security problems, and attackers are able to use it to penetrate your employee’s device. From there, they access “Count My Sit-Ups” and find your employee’s email info. Using a password the device found stored on another app, the attacker is then able to access your employee’s corporate email account. This scenario assumes that your employee uses the same password for a number of different mobile apps/functions/registrations – but in reality, that’s exactly what people do, and attackers know this. “ Read more at Corporate Wellness Magazine.
Monitoring Remote Sessions
With more employees working from home, companies are seeking ways of monitoring remote sessions. One compelling case can be made for recording remote sessions for later playback and review. Employers are concerned that in the event of a security breach, they won’t be able to see what was happening on users’ desktops when the breach occurred. Another reason for recording remote sessions is to maintain compliance, as required for medical and financial institutions or auditing for business protocols, etc.
TSFactory’s RecordTS v6 will record Windows remote sessions reliably and securely for RDS, Citrix and VMware systems. Scalable from small offices with one server to enterprise networks with tens of thousands of desktops and servers, RecordTS integrates seamlessly with the native environment.
Click here to learn more about secure remote session recording.