NHS-certified apps have been found to take liberties with user data, failing to encrypt it and potentially endangering the security of users, the BBC reports.
Researchers checked 79 apps in NHS England’s Health Apps Library and discovered that 70 sent personal data to an associated online service and 23 — a little under 30% — did so without encrypting the data. Of these, four sent both personal and medical data without encrypting it.
The Health Apps Library was set up by the NHS to verify that apps, many of which are used to quit smoking or drinking, conform to high standards of clinical and data safety. Kit Huckvale, a PhD student at Imperial College London, who co-wrote the study, told the BBC that “if we were talking about health apps generally in the wider world, then what we found would not be surprising” but the NHS should conform to a higher standard.
The researchers sent fake user data to the 79 different apps and analysed how they handled it, eventually exposing those with poor online encryption practices.
“The study is a signal and an opportunity to address this because the NHS would like to see strategic investment in apps to support people in the future,” Huckvale told the BBC.
NHS England told the BBC that many of the worst offending apps have been removed and the service is launching a “new, more thorough NHS endorsement model for apps.”