Health software firm develops Android app while NHS warns on tablet security

The advice is timely given the growing use of tablets and increasing malware aimed at them. TPP, the company behind the SystmOne health records system, announced last week that it is developing an Android app. “The solution will allow SystmOne users to access and update patient records whilst working at home or out in the community,” suggests the company.

SystmOne is a Single Shared Electronic Patient Record system designed to be the record of prime entry for GP practices and other primary care organizations. The Android app will allow doctors to access and update patients’ sensitive health data while away from their surgeries, and the advantages to medical professionals are clear.

Security, however, so far seems to be minimal. “Access to the app would be through the user’s usual username and password meaning no-one could use the app unless they were already a SystmOne user,” writes TPP. 

Security expert and ESET senior research fellow David Harley has specific concerns about this. “Even assuming that the passwords are managed rigorously – with the enforcement of sound password selection, password aging, and restricted login attempts – TPP’s announcement suggests clearly that this is an app that could be used on any suitable device. The definition of ‘suitable’ is presumably left to the customer. I see no reason to assume that the customer’s choice will include securing the device both locally with PIN/password and centrally within the healthcare organization.”

Harley points to some of the existing security problems with Android apps: the apps are only audited for malicious intent after problems are reported by customers; they can be sourced from unregulated repositories; and there is “a consequent plethora of malware that already includes keyloggers.”

Users will consequently need to take additional and separate measures to secure their tablets in order to meet the Connecting for Health guidelines. But “I’d have thought a safer platform and two- or three-factor authentication would be far more appropriate in UK healthcare, which is expected to conform to high standards of privacy and data protection,” says Harley.
