A software bug has been discovered in the Babylon Health app (a video consultation app for British patients to talk to doctors), in which users are able to view other users’ private consultations with a medical practitioner. The user who reported the bug over Twitter is Rory Glover, who was shocked to find that he was able to view over 50 video recordings via the “GP at Hand” feature of the app. This unauthorized access allowed him to replay consultations that are supposed to be private.
According to The Guardian, Babylon Health commented on the incident:
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologize to and support where required.”
Acknowledging the breach and issuing an apology was at least a step in the right direction. Babylon Health provides mobile phone services to 2.3 million U.K. residents, allowing patients to talk to a health specialist by video whenever necessary. Such an app is highly convenient during a global pandemic, especially for the elderly, who rely on medical care and are most at risk if they leave their homes.
As a concept, making medical assistance more accessible to users through mobile technology is worthwhile. However, whenever technology handles medical information for any purpose, security must be the highest priority. All medical information for every patient is confidential, and privacy is key to upholding a patient's rights and trust.
A single software error has damaged the trust in and reputation of Babylon Health. Although the technical problem behind the software bug is claimed to have been resolved, there are larger difficulties that the company must now work to overcome. Babylon Health must ask itself hard questions about the security of its practices:
How do we implement better security practices to be used by our software developers when working on our product?
What changes do we have to make to our guiding security policy? Should we add new controls or edit others?
How can we improve our security culture as a company? How will every one of our employees be motivated to follow our security policy and to alert leadership when they see security being compromised?
It is not easy for any organization that has suffered a breach (or a serious flaw) to come up with the answers to these questions or to implement them. However, whatever answers Babylon Health arrives at, they must be focused on regaining the confidence of patients, medical personnel, and investors alike. Babylon Health should take this scandal as an opportunity to raise its information security standards. It must do so in order to keep operating in the future.