Securing Apps Critical to Advancing mHealth

Written by

Mobile apps and devices are revolutionizing healthcare. What started with a wave of fitness tracking tools has rapidly evolved into an active marketplace of smartphone apps and add-ons, networked personal health devices, Big Data analytics, and transformative healthcare delivery models.

As is often the case, these exciting advancements also create serious concerns. Patient safety and privacy are threatened in new ways by insecure apps, improperly handled personal data, and hackable medical devices. Healthcare and medical device providers face strict data privacy and patient confidentiality requirements.

The handling of mHealth data generated by mobile apps and devices is under intense scrutiny – and for good reason. If mHealth apps and devices are not developed and deployed securely, patient health and physical safety may be at risk.

In some information security scenarios, making trade-offs between functionality and security is acceptable. In healthcare, there is little room for negotiating matters of safety and privacy. Because medical devices and healthcare applications have only recently been deployed in “hacker rich” mobile environments, there is a challenging learning curve. Most healthcare organizations are using some form of Mobile Device Management (MDM) and Mobile Application Management (MAM) technology designed to mitigate risks to mobile apps and devices carrying valuable patient data. But is enough being done?

Security Risks Not Addressed

Many mHealth security risks have been left unaddressed. Mobile technology use in the healthcare industry is so new and advancing so rapidly, vulnerabilities abound, and hackers know this. Because PII-rich data tends to fetch the highest price on the black market, healthcare organizations know they are in the crosshairs of cyber-criminals. The distributed nature of mobile apps increases their vulnerability to both malicious attacks and compromise by human error.

App developers, device manufacturers, and regulatory bodies must move quickly and decisively to assess and contain the very real risks to patient safety introduced by mHealth solutions. The industry is at a critical point; many of the vulnerabilities are shared and catastrophic incidents could very well damage patient and consumer trust across the board.

It is alarming to note that mHealth apps that were “approved” by trusted sources such as the US Food and Drug Administration (FDA) or the UK National Health Service (NHS) are no more secure than unapproved apps.

Indeed, in an assessment by Arxan of 71 mobile health apps, 84% of the FDA-approved apps, and 80% of the (formerly) NHS-approved apps had at least two critical vulnerabilities when tested against the OWASP Mobile Top 10 Risks,. The most prevalent security vulnerabilities identified were insufficient Transport Layer Protection and lack of Binary Code Protection. Such flaws leave apps exposed to code tampering, reverse-engineering, and privacy violations, and data theft.

A Life-or-Death Concern

Not only do these two common weaknesses open the door to malicious use of patient data and credentials, they could very well lead to attacks on the function of the app or device itself. At the extreme, this could literally be a life-or-death matter.

It’s important to remember what we’re talking about: apps that control the connected medical devices; apps that turn smartphones into medical devices; apps that display, store, and transmit medical device data; and apps that analyze medical data to produce alerts. Smartphones, mHealth apps, and related add-on devices are used as thermometers, glucometers, heart monitors, and much more.

Protecting the integrity of their operation is just as critical (if not more so) as ensuring the confidentiality of personal data. The intellectual property (IP) contained in the apps is at risk and can be exploited to hack, reverse-engineer, or remotely manipulate devices and app functions.

Device tampering is a common technique for committing data theft in the healthcare industry. Reverse-engineering enables production of low cost imitators. This can lead to the emergence of a class of devices with questionable integrity (akin to cheap knock-off pharmaceuticals). Run-time injection of malicious code into applications can compromise the behavior of the application or device.

For example, an unauthorized user with malicious intent could modify and deliver lethal dosages of medication. Modifying medical device logic can physically impact patient health and safety. Clearly, application logic and libraries need advanced protection against these alarming threats.

What Can Be Done

Given the nature of the threats and risks, there is an urgent need for mHealth apps to bake in self-protection so that security measures follow the apps no matter where they reside. The days of focusing mainly on infrastructure security are long gone; in the era of mobile and IoT there is no longer a perimeter; applications are out “in the wild.”

Closely protecting the application layer, with run-time application self-protection (RASP) capabilities, for example, should be a high priority. In fact, security analysts like Gartner are recommending to “Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection.” 

“Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority,” Gartner said. Application self-protection is an important component of a defense-in-depth security strategy that can help healthcare organizations sidestep critical security and safety risks while enabling them to more rapidly advance mHealth.

Apps should also be tested and be sure to adequately address the most prominent risks. Testing how mHealth apps fare against the OWASP Mobile Top 10 Risks is a good place to start.

In addition, many healthcare organizations are keeping sensitive data on their backend servers to minimize exposure of data on the mobile device. However, the APIs that communicate to and from the mobile devices and backend servers need to have more robust protection than what is deemed to be standard.

Advanced API protection should become the standard since APIs can act as one the weakest links to the high-value, high-target healthcare data on the backend servers. White box cryptography combined with application code hardening, when used in combination, can deliver substantial protection and help preserve data confidentiality and patient privacy.

Simplifying Security is Essential

As much as possible, we have to find a way to simplify the security of critical apps and devices. Consumers, doctors, nurses and therapists are not security experts, and can’t be counted on to properly update, patch, configure, and monitor their devices and software. It’s hard enough to get users to practice basic security hygiene consistently.

Because the stakes are so high, it’s important to design these devices and apps from the outset to be as secure as possible in and of themselves. This is so that they can plug-and-play into a multi-layered security strategy that accounts for various software, hardware, and cloud platforms, communications channels, networks of all sizes, and third-party vendors like MSPs. A protected application reduces many risks: compromise of patient safety; unauthorized access and fraud; confidential IP theft; patient privacy loss and health record exploitation; and damage to brand reputation and consumer trust.

Mobile health is here now, but nothing should be taken for granted. Market growth and technology adoption rates will depend largely on advanced security measures for devices and applications. It’s important to keep in mind that healthcare providers are already stretched thin by changes brought about by ACA. Technology has to be an enabler, making practices more efficient and treatments more effective. Physicians and patients won’t prescribe or use devices they don’t trust.

The potential for mobile medical devices and applications to transform healthcare is enormous, especially as we face the demographic realities of an aging baby boomer generation (chronic conditions, in-home care) and a Millennial generation that vastly prefers virtual communication channels (and controlling everything with their smartphones).

Growth will accelerate once healthcare providers and device manufacturers build more trust and security into their solutions. Healthcare providers, administrators, and patients should have the freedom to run their applications on any device without burdensome security controls, and without fear of privacy loss or personal safety.

What’s hot on Infosecurity Magazine?