Mobile App Risks in Highly Regulated Industries
Mobile apps deployed by organizations in highly regulated industries must comply with multiple regulations, including those governing record retention, patient privacy and data breach notification.
Protecting the Privacy of Children
The FTC has been increasingly concerned with the security of apps offered for children in the Google Play and Apple App stores. It found that children's apps siphon vast amounts of information from mobile devices, such as device ID, geolocation and phone number. Of the apps surveyed by the FTC, almost 60 percent transmitted information collected from the user's device to advertisers, analytics companies and other third parties. In 2013, the operators of the mobile app Path were fined $800,000 by the FTC for deceptive and misleading conduct in collecting personal information. For this and other reasons, the FTC is expected to become a more engaged regulatory force in protecting consumer privacy.
Vulnerabilities arising from the rapid growth of social media services such as Facebook, Twitter, Instagram and YouTube must be considered as well. Although many of these services were launched for a desktop audience, they have quickly become one of the primary uses of smartphones, with over 85 percent penetration. Of Facebook's one billion users, 200 million are mobile only.
Health insurance companies use social media, health gaming apps and other mobile health apps to increase users' engagement in their own healthcare. For example, Blue Cross Blue Shield's health challenge app, MeYouHealth, seeks to encourage positive behavior change through gamification and social interaction. The app gives users small challenges to complete that they can share with friends on Facebook and Twitter. When apps are integrated with social networks, they routinely request permission to access data on the user's device, or they list the data they intend to access as part of the terms and agreements accepted when downloading the app. In most cases, users cannot accept only the terms they agree with; the choice is all or nothing. Even apps that are never used access data that users assumed was private. Moreover, apps that allow easy authentication between apps may introduce additional data-leakage risks through unintended posts to social networks.
Each company, and especially those in highly regulated industries, should decide how best to handle these risks in light of the penalties for non-compliance. Even large companies such as Apple have had to reevaluate their security practices: in 2013, researchers created malware that bypassed every security measure Apple had put in place to protect users. Waiting for an attack or a penalty to occur is not a sound strategy, especially in an age when reputational damage can be so costly.
For a report by SIM's Advanced Practices Council titled "Mobile App Development in Highly Regulated Industries: Risks, Reward and Recipes," click here.
About the Author
Madeline Weiss, Ph.D., is director of the Society for Information Management's Advanced Practices Council, a research-based program for CIOs and senior IT executives.
To read her previous article for CIO Insight, "What a Difference Agile Development Makes," click here.