The iPhone and iPod Touch platforms have gained huge popularity with medical providers, with Epocrates saying over 100,000 physicians are actively using the medical reference app on their iPhone – and this was back in July of 2009.
Many healthcare providers feel comfortable with the iPhone because of its fluid operating system, and the extra functionality it offers, in the form of games and a variety of other apps. This added functionality is missing with more enterprise-based smartphones, such as the BlackBerry platform. However, this added functionality comes with a price, and exposes the iPhone to security risks.
Nicolas Seriot, a researcher from the Swiss University of Applied Sciences, has found some alarming design flaws in the iPhone operating system that allow rogue apps to access sensitive information on your phone.
In this fantastic piece published by CNET, he mentions how these rogue apps can be hidden within an innocent-looking game app. The CNET piece goes on to say:
“Basic information these apps could access would be your mobile phone number, address book data, and a notes section of the address book, where some people store bank account and other sensitive information…..
To make his point, Seriot has created open-source proof-of-concept spyware dubbed “SpyPhone” that can access the 20 most recent Safari searches, YouTube history, and e-mail account parameters like username, e-mail address, host, and login, as well as detailed information on the phone itself that can be used to track users, even when they change devices.
SpyPhone can be used to track the user’s whereabouts and activities. It offers access to the keyboard cache, which contains all the words ever typed on the keyboard, except for words entered in password fields, effectively acting as a keylogger,” he said.
One would think the extensive App Store screening process prevents malicious apps from getting approved, but that’s not always the case – several apps have been pulled from the App Store for this very reason. An example mentioned is Aurora Feint, a game app that was stealing users’ contact library on their phones.
These security risks are substantial for everyday users, but become heightened if your phone contains sensitive data, in the form of patient information, and when your phone is used for patient care. Over at iMedicalApps.com, we are not fans of medical apps that enable you to input patient data, and there are several out there. But we also have peers who have patient contact information stored on their phones, patient information in their calendars, or are accessible to their patients via e-mail. You can even e-prescribe using your iPhone.
Since the iPad will have essentially the same operating system as the iPhone, and much hype has surrounded the iPad’s potential implementation in healthcare, a need to address these problems becomes even more evident.
Seriot does offer some basic tips on how to protect your data. I have included detailed instructions on how to perform these tasks:
Basic steps for protecting your data, with detailed instructions:
1) Clean your browser’s recent searches: Go to Settings > Safari. You should periodically clear your history, cookies, and cache.
2) Clean your keyboard cache: Go to Settings > General > Reset > Reset Keyboard Dictionary
3) Change or delete your declared number: Go to Settings > Phone > My number. Delete your number, and put a random string of numbers here.
He also mentioned that professional users, such as medical staff, should run only trusted applications. If you’re utilizing your iPhone as more than a medical reference, and using it for actual patient care, then follow the above tips – and make sure you only download apps you trust. Protecting patient data is absolutely critical: that “cool game app” you just downloaded might be doing more than just entertaining you, and HIPAA won’t be far behind.
Originally published on our MedPage Today blog