Security and Privacy of Digital Mental Health: An Analysis of Web Services and Mobile Apps

In the wake of the COVID-19 pandemic, a rapid digital transformation has taken place in the mental healthcare sector, with a marked shift towards telehealth services on web and mobile platforms. This transition, while advantageous in many ways, raises critical questions regarding data security and user privacy given the sensitive nature of the information exchanged. To evaluate these concerns, we undertook a rigorous security and privacy examination of 48 web services and 39 mobile applications specific to mental healthcare, utilizing tools such as MobSF, RiskInDroid, AndroBugs, SSL Labs, and Privacy Check. We also delved into privacy policies, manually evaluating how user data is acquired, disseminated, and utilized by these services. Our investigation uncovered that although a handful of mental healthcare web services comply with expert security protocols, including SSL certification and solid authentication strategies, they often lack crucial privacy policy provisions. In contrast, mobile applications exhibit deficiencies in security and privacy best practices, including underdeveloped permission modeling, absence of superior encryption algorithms, and exposure to potential attacks such as Janus, Hash Collision, and SSL Security. This research underscores the urgency to bolster security and privacy safeguards in digital mental healthcare services, concluding with pragmatic recommendations to fortify the confidentiality and security of healthcare data for all users.