Empirical Analysis of Sri Lankan Mobile Health Ecosystem: A Precursor to an Effective Stakeholder Engagement

Kenneth Thilakarathna, Sachintha Pitigala, Jayantha Fernando, Primal Wijesekera

TL;DR

The study investigates Sri Lanka's mobile health ecosystem to anticipate the rollout of the Personal Data Protection Act (PDPA). Using a custom instrumented Android platform, it analyzes 41 health-system apps and websites to reveal pervasive third-party data sharing with limited consumer visibility. Key findings include substantial sharing of physician information, usage data, and queries with third parties, often without clear privacy policies or consent mechanisms, and instances of unencrypted transmission. The work highlights practical challenges for regulatory compliance, informs stakeholder engagement, and suggests pathways such as clearer consent, data-subject rights processes, and SBOM-based transparency to support effective PDPA implementation.

Abstract

Sri Lanka recently passed its first privacy legislation covering a wide range of sectors, including health. As a precursor to effective stakeholder engagement in the health domain, aimed at understanding the most effective way to implement the legislation in healthcare, we analyzed 41 popular mobile apps and web portals. We found that 78% of the tested systems have third-party domains receiving sensitive health data with minimal visibility to the consumers. We discuss how this will create potential issues in preparing for the new privacy legislation.
