Patrick Kehoe | Arxan
Health Care Applications Are a Popular Target
Health care organizations are among the top targets of cybercriminals in search of valuable patient data and intellectual property. This is not that surprising, given that a complete medical record can fetch close to $500 in the underground market, as reported by NPR. Equally unsurprising, given the health care community’s rapid advancement toward high risk mobile- and IoT-based applications is that a majority of health care organizations —81 percent — have been breached in the past two years.
Given these stats and the fact that the vast majority of cyberattacks occur at the application layer (a recent Forbes study estimated that 84 percent of all attacks were focused here), one would think that robust application security would be a fundamental measure being taken by all health care providers.
However, the stark reality is that mobile application security is still lagging.
Consumers Generally Think Their Apps Are Secure; But, Perception Is Not Reality
Recently published research found that users of mobile health apps and IT decision-makers with insight into the security of mobile health apps feel their mobile apps are adequately secure. In fact, most believe app developers are doing everything they can to protect their health-related apps.
However, perception is not reality! Most health care apps contain significant vulnerabilities. Vulnerability assessments were conducted on 71 mobile health apps in the U.S., U.K., Germany and Japan. The vulnerability assessments were based on the Open Web Application Security Project (OWASP) top 10 mobile risks. OWASP identifies the most critical application security risks facing organizations.
Included among the health apps tested were a sample of health apps approved by the U.S. Food and Drug Administration (FDA). Interestingly, 84 percent of the FDA-approved apps that were tested didn’t adequately address at least two of the OWASP mobile top 10 risks, and 95 percent of those apps lacked binary protection. These vulnerabilities can make applications susceptible to reverse engineering and tampering in addition to increasing the risk of privacy violations and identity theft.
Exposure Is No Surprise
Many companies are not investing in mobile app security. According to the IBM Security and Ponemon Institute research paper “The State of Mobile Application Insecurity,” 50 percent of organizations allocate no budget for mobile security. Perhaps this is why more than half of all respondents felt their apps were likely to be hacked within the next six months.
Even without experiencing cyberattacks on their apps, about 80 percent of health app users would change providers if their apps were known to be vulnerable or if alternative apps that incorporated improved security protection were available. There were more than 3 billion mobile health apps downloaded in 2015 from major app stores, according to “The 2015 mHealth App Developer Economics Study.” If health app users actually knew how vulnerable their apps are, there would be a mass exodus of users fleeing to health care organizations that develop more secure, trusted mobile apps.
What Can Be Done to Improve Application Security?
For Health Care Organizations
- Set your security bar above the regulators. Current FDA guidelines are largely focused on following a process to create secure applications, and they stop short of recommending any security controls that application developers should address to remediate known risks. Consequently, apps approved by trusted sources such as FDA are no more secure than unapproved apps. Organizations should understand and prioritize the business and technical risks that their applications face that could compromise patient safety and/or jeopardize patient information – and ensure that all of these risks, particularly the ones related to the high-risk, mobile elements of their solutions are addressed.
- Strengthen the weakest links.Address elements of the OWASP mobile risks that are being neglected. For example, 79 percent of the apps tested had a transport layer vulnerability and 97 percent lacked binary code protection — the most prevalent security vulnerability identified.
- Make security a competitive advantage.Market the strength of security you offer to attract and retain your customer base.
- Align spending with risks.The mobile insecurity study revealed that security spending is disproportionately allocated based on where there is risk. While the majority of risks are at the application layer, there is relatively little application-focused spending, particularly when compared to the network-focused spending.
- Download apps only from authorized app stores. Most authorized app stores have more rigorous security protocols in place to help ensure apps can be trusted.
- Don’t jailbreak or root mobile devices. Jailbreaking or rooting devices negates critical security measures that are designed to help protect you and your data.
- Demand more transparency about the security of the apps you are using.As the old adage goes, knowledge is power. For example, many foods you purchase are required to be labeled with nutrition information to help you make better-informed decisions. Before you download a mobile app, wouldn’t you want to know what risks you may be opening yourself up to? Become an advocate for app security certification and risk transparency.
For Policymakers and Regulators
- Establish aseal of approval for app security. Require apps to make available an OWASP or similar risk rating for critical apps. Consumers need to know what risks they are accepting before downloading an app. The health care community, including health care providers, medical device manufacturers and others, need to incorporate risk as a fundamental consideration before making app recommendations to patients and app users.
Today, the hackers are beating the healthcare industry, but the FDA and other organizations are making great progress to pull the industry together and drive improved security. Only a concerted and coordinated effort by regulators, healthcare organization, and consumers will change the score. Hopefully, the embarrassment of recent attacks and volume of reports on unaddressed vulnerabilities will enable that to happen soon!