Security and Privacy of Digital Mental Health: An Analysis of Web Services and Mobile Applications

  • Conference paper
Data and Applications Security and Privacy XXXVII (DBSec 2023)

Abstract

In the wake of the COVID-19 pandemic, a rapid digital transformation has taken place in the mental healthcare sector, with a marked shift towards telehealth services on web and mobile platforms. This transition, while advantageous in many ways, raises critical questions regarding data security and user privacy given the sensitive nature of the information exchanged. To evaluate these concerns, we undertook a rigorous security and privacy examination of 48 web services and 39 mobile applications specific to mental healthcare, utilizing tools such as MobSF, RiskInDroid, AndroBugs, SSL Labs, and Privacy Check. We also delved into privacy policies, manually evaluating how user data is acquired, disseminated, and utilized by these services. Our investigation uncovered that although a handful of mental healthcare web services comply with expert security protocols, including SSL certification and solid authentication strategies, they often lack crucial privacy policy provisions. In contrast, mobile applications exhibit deficiencies in security and privacy best practices, including underdeveloped permission modeling, absence of superior encryption algorithms, and exposure to potential attacks such as Janus, Hash Collision, and SSL Security. This research underscores the urgency to bolster security and privacy safeguards in digital mental healthcare services, concluding with pragmatic recommendations to fortify the confidentiality and security of healthcare data for all users.


Acknowledgements

We would like to thank the Inclusive Security and Privacy focused Innovative Research in Information Technology (InSPIRIT) Laboratory at the University of Denver. The authors appreciate the reviewers’ anonymous suggestions and criticisms. Any opinions, findings, conclusions, or recommendations expressed in this material are solely those of the authors and not of the organization or the funding agency.

Corresponding author

Correspondence to Aishwarya Surani.

Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper

Cite this paper

Surani, A. et al. (2023). Security and Privacy of Digital Mental Health: An Analysis of Web Services and Mobile Applications. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_19

  • DOI: https://doi.org/10.1007/978-3-031-37586-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37585-9

  • Online ISBN: 978-3-031-37586-6

  • eBook Packages: Computer Science (R0)
