In this blog post, I’ll cover the implications of the Biden Administration’s workplace vaccine mandate within the context of mobile app security, employee privacy, and enterprise security. And I’ll also offer a set of Mobile App Security Best Practices that enterprises can follow to achieve compliance, secure their mobile apps, and ensure the safety and privacy of both corporate and employee data. This blog will cover several key topics:
- Covid vaccination tracking apps and data protection requirements
- How to deal with mobile malware that targets vaccine tracking apps
- How enterprises can implement a multi-layered defense in a compressed timeframe
What is Biden’s ‘Return to Work’ Vaccine Mandate?
On September 9, 2021, the Biden Administration issued an executive order on requiring Coronavirus Disease Vaccinations for federal employees. And last Thursday, the vaccine mandate was extended to private employers and businesses with more than 100 employees, requiring them to either be vaccinated against COVID-19 or comply with mask requirements and weekly Covid-19 tests. The new vaccine mandate for private enterprises, which is administered by OSHA, requires enterprises to demonstrate compliance by Jan 4 or face stiff penalties of over $13k per infraction.
These mandates and requirements have companies scrambling to put in place systems to track an employee’s vaccination status, to ensure a safe return to work, and to demonstrate compliance with the federal mandates. To meet these needs, there are a plethora of solutions hitting the market, from large companies like ADP, Oracle, Ceridian, SAP, and Workday, as well as startups like Return Safe. Each has introduced mobile app-based solutions to meet the increasingly urgent demands of companies large and small that need to track employees’ Covid status and demonstrate compliance with the mandates.
Sam Grinter, senior principal analyst at Gartner said: “All the big HR vendors have some capability with vaccine surveys and tracking, including ADP, Ceridian, Oracle, SAP, and Workday”.
Demand for tracking solutions has been spiking, according to HR tech execs like David Palmieri, EVP at ADP. He said “We knew that a vaccine survey would be an important consideration for employers this year. Making it mobile for speed of use – mobile use through the app – has been the most common use case so far”.
To that end, ADP added vaccine status tracking and compliance features to their iOS/Android applications, as well as an employee survey about vaccination status, a verification system where employees can upload proof of vaccination and Covid testing results for unvaccinated employees.
Workplace Trends for Covid Verifiers, Vaccine Trackers, and Contact Tracking Apps
There is a clear trend developing where Covid verifier apps, contact tracing, and vaccine status apps – which had been previously targeted at consumers – are now being adopted by small and large businesses. And the Biden mandate has served as a catalyst for such adoption. These include health verifier apps like SMART verifier, Excelsior Pass, and v-Safe which is promoted by the CDC. A coalition has been formed among health IT companies, large software companies, and health providers to develop a SMART Health Card, an interoperable and verifiable vaccine record technology. The list of companies collaborating include Epic Healthcare, Allscripts, Beth Israel, CARIN, Cerner, Change Healthcare, IBM, Mayo Clinic, Meditech, Microsoft, MITRE, Oracle, And several major tech companies, including Salesforce and ServiceNow, are incorporating the SMART health-card system into their internal and enterprise customer systems.
Mobile App Security Best Practices for Enterprises Compliance with Vaccine Mandates
As enterprise IT and Security organizations scramble to source and implement apps and systems to track compliance with vaccine mandates, I thought I would develop a set of Best Practice recommendations for Enterprises to use as a guideline to prioritize and implement protections in their mobile apps – regardless of whether the enterprise develops the application themselves or uses a 3rd party solution like ADP, Oracle, Salesforce, or Return Safe.
At Appdome, one of my roles is to help enterprise customers choose the right mix of security and fraud prevention features and implement them using Appdome’s no-code development platform. In working with Covid vaccine tracking apps, the security requirements are driven by a particular set of needs and problems faced by our customers. Some customers need to protect against malicious reverse engineering, others to comply with internal or external regulations/mandates, or encrypt highly sensitive data handled by the app, to pass a penetration test. And some customers come to us to help them immediately solve an active attack (such as credential stuffing, malware, overlay attacks, or infiltration by malicious botnets). I’ll now walk you through each of the key protection areas and explain why particular security protection is important in the context of Covid-19 vaccine apps. And then I’ll provide a video demonstration of how to implement the required security features into one of the market-leading apps – all without any code or coding.
Protecting Data at Rest and Data In Transit in Covid-19 Vaccine Tracking Apps
So let’s start with Data Protection. To understand why data encryption is important, all you need to do is look at the list of features that Covid Vaccine tracking apps offer, the types of data they collect and store, and the backend systems that these apps communicate with. These apps collect sensitive health information about employees, personally identifiable information (PII), such as DOB, SS #, Home and Work Addresses. They also collect extremely sensitive information about health status, insurance plans, medical providers, medications, and pre-existing conditions. Each of these elements can be used by employers or insurance companies to make decisions about employment, termination, grant or deny treatment or coverage, and more. Not only is this information protected by HIPAA, but it’s also critical to encrypt this data to keep it out of the hands of entities that can use the information maliciously (think ransomware).
We’ve written extensively on how Appdome can make mobile apps HIPAA compliant.
These apps handle data like vaccine-status tracking, testing results, health screenings, case management for employees who test positive for the virus, and contact tracing to alert colleagues who may have been exposed.
It’s also important to protect data in transit, as it travels from mobile apps to backed systems. Many of the enterprise vaccine tracking apps integrate with backend HR systems as well as building access systems so only employees cleared by HR can enter the building. This exposes enterprises to substantial risk in the form of significant expansion of the attack surface and new vectors to infiltrate protected enterprise networks with mobile malware, large-scale automated attacks using botnets, credential stuffing, or even ransomware.
Malware and Overlays Attacks Target Covid Tracking Mobile Apps
Let’s not allow history to repeat itself. Consider that Covid-19 contact tracing apps were a bonafide feeding frenzy for malware during the pandemic. Do a simple Google search on mobile malware and Covid-19 contact tracing apps, and you’ll find hundreds of instances of malware, trojans, and RATs which were specifically designed to either imitate, masquerade or hide inside Covid-19 apps, tricking unsuspecting mobile users into performing harmful actions against themselves inadvertently, or revealing sensitive data because they were tricked by mobile malware.
Given the immense success of malware writers during the pandemic, it’s reasonable to believe that such attacks will make their way into corporate environments using the same techniques. Let’s not forget several facts about mobile malware, in that it constantly evolves and adapts itself to exploit the very environment in which it lives. And malware is usually specifically designed to abuse legitimate app functionality and use deception to spread and escalate privileges.
So with the January 4 deadline is right around the corner, how can enterprises actually pull off a secure rollout of these mobile apps and bring employees back into the office safely, all while complying with the various federal and state vaccine and tracking mandates?
Many of these companies are scrambling to put solutions in place very, very quickly with that deadline looming and we all know according to a wealth of history, when organizations rush apps out the door, mobile app security is typically not top of mind. Fraudsters know this. With that said, no-code mobile app security and fraud prevention solutions like Appdome can help developers and security personnel deliver secure versions of the mobile applications that enterprises need to roll out to comply with the Biden mandates.
To that effect, I created a video demonstration that shows how to implement a comprehensive set of features into the ADP Vaccine Status and HR application.
The video shows how to implement mobile app security features including Code Obfuscation, Data Encryption, Certificate Pinning, Employee Data Privacy protection, malware detection and prevention, as well as protection against malware frameworks, rootkits and jailbreak hiding frameworks, and dynamic instrumentation features used by malware creators and bot-herders to infiltrate enterprise networks.
And once an enterprise has implemented its required security features into the Covid vaccine tracking apps, they can prove compliance using Appdome Certified Secure.
How Enterprises Can Prove Mobile App Security Compliance
Certified Secure is an automated mobile app security certification service designed to help organizations build security and fraud prevention features into mobile apps as part of the SLDC, CI/CD and DevSecOps processes. I have redacted the document and removed specific information to prevent the identification of the mobile application in the report.
Now, of course, not every protection is required for every mobile app. If you’d like to see how your app or a 3rd party vendor’s app can be secured just like you see in the video – I’d be happy to show you personally. You can drop me a line directly at firstname.lastname@example.org or Request a Demo by clicking below.