A quick Google search on Threats to Mobile Healthcare Apps shows a bleak reality. Most mobile healthcare apps lack security and are vulnerable to data leakage. In fact, a Knight Ink cybersecurity researcher calls “personal health information the most valuable data on the dark web and says it’s 10 times more the price of a credit card for a single PHI record.”
HIPAA Compliance DOES NOT EQUAL Secure mHealth Apps
Most of the focus on mHealth apps is to ensure that they are HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA) is a governmental regulation that sets rules for sharing personal health information and preventing unsanctioned use.
And while mobile security is key to HIPAA compliance, having a HIPAA compliant mHealth app does not mean that you have a secure mobile healthcare app. The HIPAA Act is based on two important ideas in patient care: privacy and confidentiality. From a mobile app security perspective, privacy and confidentiality can be achieved with secure authentication, data-at-rest encryption and data-in-transit encryption. But these security elements alone do not provide comprehensive protection against all threats to mobile healthcare apps.
This is especially true with the rapid increase of Telehealth during the Pandemic. And its use will continue beyond the pandemic because physicians have found that telehealth improves the timeliness of the care they deliver, has improved the health of their patients and improved their own work satisfaction. Ensuring mobile app security is critically important, especially if CISOs in medical organizations want to understand where the threats are coming from.
There are several mobile security benchmarking models. The most popular benchmark is the OWASP Mobile Top 10. Most penetration tests will benchmark and rate the security of a mobile app against OWASP. As we highlighted in a previous blog, Appdome-secured apps are fully protected against all the OWASP Mobile Top 10 Risks.
Top Threats to Mobile Healthcare Apps
Protecting against the first two threats listed below will help make your mHealth app HIPAA compliant. But it does not protect your mobile healthcare app against all threats.
1. Unauthorized Access
HIPAA requires that patient privacy and confidentiality are ensured. The main threats related to privacy and confidentiality are unauthorized access to and theft of electronic protected health information (ePHI). Ensuring that only the authorized patient can access the mHealth app can be achieved with a combination of Multi-Factor Authentication, biometric authentication and/or strong passwords.
2. Theft/Harvesting of Patient Records
As discussed earlier, ePHI records are some of the most valuable data on the dark web, so theft of patient data is one of the biggest threats to mHealth apps. Preventing the loss and/or theft of ePHI data can best be achieved by encrypting all the patient data stored in the app with AES-256 encryption and ensuring that all communication between the mHealth app and the back-end servers is encrypted using the latest SSL/TLS encryption protocols.
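To make the data-at-rest part of this concrete, here is an added example (not Appdome code and not from the original post) showing how a single ePHI record can be sealed with AES-256 in GCM mode, which gives both confidentiality and tamper detection. Go is used here so the example runs stand-alone; in a real mobile app the same pattern applies with the platform crypto APIs, and the 32-byte key would come from the Android Keystore or iOS Keychain rather than being constructed in code as it is here. The record ID is bound into the ciphertext as additional authenticated data, so an attacker who can edit the on-device database cannot move one patient's encrypted record into another patient's row. All names and sample values are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrKeySize is returned when the key is not the 32 bytes AES-256 needs.
var ErrKeySize = errors.New("key must be 32 bytes for AES-256")

// EncryptRecord seals one ePHI record under AES-256-GCM.
// recordID is bound in as additional authenticated data (AAD): a blob copied
// from one patient's row into another's fails to decrypt because the AAD differs.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, yielding nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any modification of the blob, or a
// mismatched recordID, makes the GCM tag check fail and returns an error.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed key for the demo only; a real app loads it from the platform keystore.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"patient":"constructed-sample","bp":"120/80"}`)
	blob, err := EncryptRecord(key, "patient-0001", record)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(key, "patient-0001", blob)
	fmt.Printf("decrypted ok: %v, data: %s\n", err == nil, pt)
	_, err = DecryptRecord(key, "patient-0002", blob)
	fmt.Printf("swapped record id rejected: %v\n", err != nil)
}
```

The important design point is that encryption alone (for example AES in CBC mode without a MAC) would protect confidentiality but not integrity; GCM's authentication tag is what turns silent corruption or a swapped record into a hard failure the app can log and act on.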
3. Ransomware Attacks
Ransomware attacks are a growing threat to businesses, including healthcare organizations. Last year, the School of Medicine at the University of California San Francisco paid out more than $1.14M after its servers were infected in a ransomware attack. Fraudsters can abuse mobile healthcare apps to gain unauthorized access to backend servers and install malware used as part of a ransomware attack. It is therefore key to fully secure mHealth apps and preempt any fraudulent use of the app.
4. Reverse Engineering
Hackers use techniques such as static and dynamic code analysis to learn how your app functions. With this knowledge, they can attack your app by exploiting your app’s weaknesses and vulnerabilities. Hackers will also use decompilers, disassemblers, and code tracing to find and exploit valuable information (e.g. credentials, encryption and API keys) embedded in mobile healthcare app code, and use it to harvest and steal sensitive information.
5. Compromised Operating Systems (Jailbreak/Root)
Bad actors will try to install and run the mobile healthcare apps they want to attack on jailbroken or rooted devices. On a jailbroken or rooted device, an attacker has much more control over the underlying operating system, which allows them to launch a much more effective attack.
6. Theft/Harvesting of Network Access Data
While Data-at-Rest encryption will encrypt patient information in the app, it does not necessarily encrypt network access data (such as server address, username and password) that can be used to launch an attack on the healthcare backend server.
7. Network Based Attacks
Encrypting data-in-transit with SSL/TLS is the first step in preventing network-based attacks, but it will not stop all Man-in-the-Middle, credential stuffing, API, and other attacks. Only a comprehensive secure-communications model will provide protection against MitM, API, and bot attacks. Hackers could easily install fraudulent WiFi access points near a hospital or healthcare office to launch Man-in-the-Middle attacks on unsuspecting patients and either intercept personal data-in-transit or present patients with a fraudulent WiFi login page and gather personal information that way.
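The reason plain TLS is only a first step is that it trusts any certificate the device's trust store accepts, which is exactly what a rogue access point with an interception CA relies on. Certificate pinning, which the Secure Communications component later on this page names, adds a second check: the app only talks to a server whose public key matches a pin shipped with the app. The following is an added example, not Appdome's or the original post's code, of an SPKI pin check layered on top of normal chain validation in Go's standard TLS client. The self-signed certificates, hostnames and pin values are constructed inside the example so it runs offline; in a real deployment the pins are computed from the production leaf key plus a backup key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate,
// the same "sha256/..." pin form used by HPKP and mobile HTTP libraries.
// Pinning the public key rather than the whole cert survives certificate renewal
// as long as the key pair is kept.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned accepts the handshake only if at least one certificate the
// server presented carries a pinned public key. It is meant to run in addition
// to, not instead of, the normal chain and hostname validation.
func VerifyPinned(allowed []string, rawCerts [][]byte) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		pin := SPKIPin(cert)
		for _, a := range allowed {
			if a == pin {
				return nil
			}
		}
	}
	return errors.New("certificate pinning failure: no presented key matches a pinned SPKI")
}

// PinnedTLSConfig builds a client tls.Config that keeps standard verification
// (InsecureSkipVerify stays false) and adds the pin check via VerifyPeerCertificate,
// which Go calls after the chain has already been validated against the trust store.
func PinnedTLSConfig(serverName string, allowed []string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPinned(allowed, rawCerts)
		},
	}
}

// selfSignedCert makes a throwaway certificate so the example runs offline.
// Each call generates a new key pair, so two certs with the same name get different pins.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed hostname; both certs claim it, but only the first holds the pinned key.
	const host = "api.mhealth.example"
	genuine, _ := selfSignedCert(host)
	rogue, _ := selfSignedCert(host) // what an interception proxy would present
	cfg := PinnedTLSConfig(host, []string{SPKIPin(genuine)})
	fmt.Println("genuine server accepted:", cfg.VerifyPeerCertificate([][]byte{genuine.Raw}, nil) == nil)
	fmt.Println("rogue server rejected:  ", cfg.VerifyPeerCertificate([][]byte{rogue.Raw}, nil) != nil)
}
```

Operationally, pin at least two keys (the live one and an offline backup) so a key rotation does not brick every installed app, and treat a pin failure as a security event worth reporting back to the organization, since it is a strong signal that a patient's traffic is being intercepted.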
8. Fake Apps
Fake apps are used by fraudsters to trick patients into divulging their username, password, and other valuable personal information. Once the unassuming user has shared their information, fraudsters can use this to gain unauthorized access. Fraudsters can create fake apps by tampering with an original mHealth app and redistributing this app via non-official app stores or they can build a fake app that looks like the real mobile app of a healthcare organization they want to target.
9. Phishing Attacks and Device-Level Malware
Phishing attacks are another popular way fraudsters get patients to divulge personal information, either by sending a text message that tricks people into visiting a fraudulent website or by getting them to click a fraudulent link that downloads malware onto their device. The malware then scans the device for apps it wants to compromise. A popular device-level malware attack is the use of Remote Access Trojans (RAT), where a fraudster uses a phishing SMS to install a RAT on the device and then uses the RAT to remotely access the mobile healthcare app with the intent to harvest ePHI records.
Appdome Stops All Threats to Mobile Healthcare Apps
Using Appdome, healthcare organizations can fully protect their mHealth apps against all types of attack, with a single click. Appdome is a Mobile App Security and Fraud Prevention Platform that uses AI to automatically build security into mobile apps, without the need for coding.
The Appdome platform includes the following security and fraud prevention components:
- ONEShield™ by Appdome hardens the app to protect your IP from attempts to debug, tamper with, or reverse engineer the app.
- TOTALData™ Encryption encrypts data-at-rest, strings, resources, in-app preferences, strings.xml values, and java class dex files with AES-256 encryption.
- TOTALCode Obfuscation obfuscates the binary code, native and non-native libraries, and the app’s flow control and logic.
- Secure Communications protects data at all points that are in-transit against MitM attacks and ensures the validity of all end-points and any intermediate systems in between an app and its backend with secure certificate pinning, mobile client certificates, and more.
- OS Integrity protects the app from operating in unsafe environments, such as on Jailbroken/Rooted devices.
- Mobile Fraud Prevention protects the app against automated attacks that interact with the mobile app in a fraudulent way (e.g. click bots, Android Debug Bridge attacks) or that use the app in a fraudulent way (e.g. remote access trojans, keyloggers or overlay apps).
- Mobile Malware Prevention provides local, on-device protection against attacks that are meant to harm the application or/and its users.
- Mobile Piracy Prevention protects the app from becoming a trojan and prevents fraudsters from creating fakes and mods and from resigning and redistributing the app.
By securing their mHealth apps with Appdome, healthcare organizations can use a non-cascading, multi-layered defense to stop threats to mobile healthcare apps, instantly, without coding.