Android Security Risks May Outweigh Benefits

Not long ago, my colleague John Lynn made a compelling pitch for the Android platform, arguing that it’s likely to take over healthcare eventually given its flexibility.  That flexibility stands in sharp contrast to Apple phones and tablets, which work quite elegantly but also impose rigid requirements on app developers.

That being said, however, there’s security risks associated with Android that might outweigh its advantages. The major carriers are doing little or nothing to upgrade and patch the Android versions on the phones they sell, leaving them open to security breaches.

The Android security problem is so egregious that the American Civil Liberties Union has filed a complaint with the  Federal Trade Commission, asking the agency to investigate how AT&T, Verizon, Sprint and T-Mobile handle software updates on their phones.

In the complaint, the civil liberties group argues that the carriers have been engaging in “unfair and deceptive business practices” by failing to let customers know about well-known unpatched security flaws in the Android devices that they sell.

What makes things worse, the ACLU suggests, is that the carriers aren’t even offering consumers the option to update their phones.  Though Google has continued to fix flaws in the Android OS, these fixes aren’t being bundled and pushed out to the wireless carriers’ customers.  As the ACLU rightly notes, such behavior is unheard of in the world of desktop operating systems, where consumers regularly get updates from Apple and Microsoft.

In its complaint the ACLU argues that the carriers must either provide security updates to customers or allow them to get refunds on their devices and terminate their contracts without any penalty. It’s asking the FTC to force the carriers’ hand.

In the mean time, with healthcare requiring strict data security under HIPAA, one has to wonder whether hospitals and medical practices should be using Android devices at all (at least for their work).  Of course, clinicians who are accustomed to using their personal Android phones or tablets will be inconvenienced and probably fairly annoyed too.  But as things stand, hospital CIOs better be really careful about how they handle Android phones in the healthcare environment.

About the author

Anne Zieger

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

10 Comments

  • One thing to remember about the Android phones and tablets is that the entire O/S can be replaced by another updated install. There are a number of healthcare vendors that do this because they don’t want to rely on the major manufacturers to update the Android O/S. This is why I suggest that Android is really compelling. Companies that master the Android O/S and provide the updating can modify the phone to do basically anything they want it to do. Plus, then they aren’t reliant on the carrier to update the phone since they’ll just update it themselves when appropriate.

  • I don’t disagree about Android’s flexibility, but for a medium to large organization to keep up with O/S levels on dozens or hundreds of devices, and not just to update, but to re-image every time seems pretty daunting. Most have problems just keeping up with workstation OS and security patches.

  • Matt,
    I’m not suggesting that an institution do it. Although, an institution could choose one type of device and update it similar to how most do with workstations as well. I was referring more to health IT vendors doing that part of the work. I know some that offer a customized tablet as part of their product offering. They can keep the O/S up to date as needed.

    Chad,
    You’ll like this post I wrote about the hope for the Win 8 tablet: https://www.healthcareittoday.com/2013/03/20/the-health-it-tablet-shift-and-some-hope-for-windows-8/

  • Google’s Nexus line of phones has a similar update problem despite many of them being sold directly, rather than from a carrier. The Nexus One got no further updates after 1 1/2 years (halted at 2.3.6), and the Nexus S for a slightly longer period of time (halted at 4.1.2). Custom ROMs don’t necessarily have a whole engineering staff to debug them, and the last thing us clinicians want to do is to play beta tester.

    OTOH, the older iPhone 3GS is still on the current iOS 6.

  • Some good comments above. I have Motorola phones from Verizon, and Google as I understand now owns that part of Motorola. We’ve had some updates, maybe twice a year or so, but when updates come out, they have bugs – which can go for a long time without being fixed, if ever, and we’ve seen little in the way of fixes for security or anything else. Part of the problem is that each carrier customizes the OS for their phones, loading them up with cr-pware, making it much harder to roll out updates for numerous models of all ages.

  • I think it is quite irresponsible to make such a statement as this post does…especially basing your opinion on a single action by the ACLU.

    I’m not a “homer” for any OS, but by default the medical software world pushes most to a Windows-centric realm.

    Android isn’t perfect, but neither is iOS as my parents recently discovered when they got a virus on their iPad, yes a virus on their iPad for which they had to install anti-virus. To clarify for the doubters out there, their iPad started “acting strange”. They then contacted Apple, paid for support then had to pay for the anti-virus.

    I notice you didn’t mention the ACLU’s concern about how Siri stores data from searches.

    The reality of mobile tech and EHRs right now is this:
    Since most EHRs are windows based, any mobile access is generally through a process that is less than optimal.

    Very few EHRs have a dedicated mobile application to access the EHR.

    Either way, the bigger issue in mobile isn’t whether the OS is secure, but whether the device secure.

    I guarantee you that a majority of mobile devices that have access to PHI are not password protected.

    Those that are password protected, will still be handed to a child so they can play games.

  • John,
    I’m not sure how it’s irresponsible to say that Android may have issues that a CIO might want to consider. In fact, I think it would be irresponsible for us not to have this discussion. We certainly could broaden it to talk about the security issues of other mobile devices as well.

    You’re right about securing the device itself is still likely a big issue in healthcare. This is particularly true in the small doctor environment.

  • Great post – I’ve had Android phones where you couldn’t update the OS and it’s a security nightmare. It’s not only a carrier problem but an OS problem as well. As one user commented – if even Google’s phones stop updating it’s a problem. You can always install a new OS on your iPhone – though it may kill the performance of the older ones. At least Apple allows you to make the choice.

  • Steve,
    Apple has some of the same problems with updating old phones as Android. The issue of old phones not supporting the updates is a major part of the problem. You could upgrade most old phones, but if you do it will render them essentially useless.

    We’re in the early days of security on mobile. We’ll see if we’ve learned anything from the PC experience.

Click here to post a comment
   

Categories