In a revelation that calls attention to the wider issue of data protection for health tech devices, a cybersecurity consultant discovered a security issue with a widely used COVID-19 test. An investigation by an employee at the Helsinki-based cybersecurity company WithSecure found that some users are able to change the results of Cue Health‘s molecular COVID-19 test. Cue’s testing device, which delivers results in about 20 minutes, has been approved for use in the United States, Canada, India, Singapore, and in the European Union.

Ken Gannon, the WithSecure security expert who uncovered the bug, explains, “I was able to change my negative test result to positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone. And I got my test result certified by performing a proctored test within the platform’s Health App.” Cue Health said they fixed the problem soon after Gannon shared his research with them.

The testing method that Gannon investigated uses a test kit that contains a swab for collecting a nasal sample, a cartridge, and a reader. The cartridge sends data to the reader, and the reader sends the data, via Bluetooth, to Cue Health’s app on the tester’s smartphone. The problem was in that last information link; Bluetooth connections are known to be vulnerable to unwanted data access and so encryption is almost always recommended, but especially in the case of medical information.

As the use of both mobile health technology and electronic health records expands, protecting private patient information presents new challenges. According to a survey that Pew Research published last summer, more than two-thirds of adults want clinicians to be able to share some patient health information among themselves, beyond what data-sharing policies set by the federal government currently require. These respondents want to use their smartphones and other mobile devices to transmit this information… which they want to be better protected. After being told that federal privacy protections don’t extend to data on apps, the percentage of respondents who said they had “serious privacy concerns” jumped from 35% to 62%.

These vulnerabilities aren’t limited to apps and Bluetooth connections. Says Gannon, “The kind of issues I’m seeing are quite common in many different types of devices that use computers to perform specific tasks, such as Internet-of-things devices. Because they’re so common, it’s important that vendors prepare ways to find and fix security issues before they cause problems for users.”