Mobile health (mHealth) is the top trend in healthcare and for good reason. mHealth provides for more care options, improved safety in the pandemic, and higher quality of care across the care continuum. Because of mHealth apps, patients and healthcare providers alike engage in the bi-directional care process 24x7x365 right from their mobile devices.
At the center of the pandemic, the necessity and popularity of using mobile applications for healthcare have grown significantly. This growth has raised new cybersecurity challenges for mHealth apps and the patients that access them. In this blog, we will cover the top 5 cyber attacks that target patient privacy in mHealth apps and how to solve them.
The Challenge and Reality of Protecting mHealth Apps
As more healthcare providers provide mHealth options for patients, they also must accept and contend with the fact that the core of sensitive patient and health data now resides on mobile apps. Patients, doctors, and caregivers are using and sharing personal health information in new and innovative ways via mobile apps, including consultations, lab results, diagnosis, doctor collaboration, and more. This raises new challenges for health & wellness providers on how to protect this new mobile source and store patient and health data, satisfy regulatory requirements, patient privacy, and more.
In her mHealth vulnerability research campaign, “Recovering hacker” Alissa Knight calls personal health information the most valuable data on the dark web. Knight’s cybersecurity research revealed in the HIPAA Journal: “I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object-level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.” But it did, and often it does. That’s why I’m writing this blog.
Patient Privacy Sits at the Core of Protecting mHealth Apps
Patient privacy is the patient’s right to keep their medical and health information and patient records private. Patients need to be able to trust their medical providers to protect the information shared in confidence via any and every medium used by the healthcare provider, including mobile apps.
The right to privacy comes from the principle of respect for patient autonomy, based on the individual’s right to manage and control their lives as they choose. The patient is the only decision-maker on how, when, and what health information to share with others.
Protecting patient privacy is essential to building trust in the medical system and the delivery of good patient care. Patients will only be willing to share complete and accurate information with their doctors if they have the confidence that their information is safe and protected.
That’s why I’m writing this blog.
Healthcare Cybersecurity Checklist- Top 5 Attacks that Target Patient Privacy in mHealth Apps
Top 5 Cyber Attacks that Target Patient Privacy in mHealth Apps
Now, without further ado, here are the top 5 cyber attacks that target patient privacy in mHealth apps and how to solve them.
Spyware, Keyloggers, and Mobile Malware That Target Patient Data in mHealth Apps
To ensure mobile patient privacy and confidentiality, developers and security professionals should guard against unauthorized access to, and theft of, patient data and electronic patient health records and information (EHR) stored locally on the device or in the mobile app. Perhaps the easiest way to do this would be ensuring that only the authorized patient can access his or her records via the mHealth app. This can be achieved with a combination of proper authentication for mHealth Apps, and strong mobile malware defenses that prevent app overlay attacks, prevent keylogging, and data loss prevention measures such as preventing copy-paste functions from the app, as well as encrypting the app clipboard.
Exploiting Encryption Vulnerabilities in mHealth Apps
Patient data exists at every level and at every point of interaction in a mHealth app – from what the patient enters, downloads, uploads, receives, sends, or records – all actions in a mHealth mobile app produce and store data locally that can be exploited if not properly protected. For example, taking a picture of a condition meant solely for diagnosis by a doctor can leave a trace in the device camera roll, completely open to exploits from malicious malware on the device. Ensuring that all mobile patient data and information stored locally is encrypted at rest with keys available only to the app is critical to protecting this data. In addition, encrypting semi-persistent areas that mobile applications use to store data such as strings, in-app preferences, camera rolls, and clipboards are also critical parts of the proper defense of a mHealth app.
Man-in-the-Middle Attacks on mHealth Apps
When a mHealth app sends and receives data to/from mHealth patients, the communication protocol used is extremely important. Using insecure communication protocols (like HTTP, and TLS 1.1) leaves the mobile patient data in transit in the clear and vulnerable to man-in-the-middle attacks. To prevent and stop this class of attack, developers and security professionals should, at a minimum, enforce secure communication protocols for all connections made to/from the apps. Secure communication protocols encrypt data-in-transit with SSL/TLS and strong Man-in-the-Middle defenses ensure minimum TLS standards are enforced. Without these protections, hackers could easily lure victims to fraudulent WiFi access points to launch Man-in-the-Middle attacks on unsuspecting patients and either intercept personal data-in-transit or present patients with a fraudulent WiFi login page and gather personal information that way.
Compromised operating systems (Root/Jailbreak)
Malware programs can invade either Android or iOS phones easily. When that happens, malware is often built to take the easiest path to exploit data stored in the application sandbox or SD card, keywords, and other sensitive data – namely, by jailbreaking or rooting the device to gain superuser or elevated privileges. On a jailbroken or rooted device, an attacker has much more control over the underlying operating system, file system and any app running on the device, all of which allows them to launch much more effective attacks against the mHealth app. To prevent this class of attack, mHealth developers and security professionals should prevent the mHealth app from running on jailbroken or rooted devices, including blocking advanced rooting and root hiding tools like Magisk.
Exploiting Weak Obfuscation & RASP protections to Harvest, Extract & Steal Patient Data in mHealth apps
Hackers use techniques such as static and dynamic code analysis, dynamic binary instrumentation, and other tools to learn how your app functions and behaves, invoke or hook function and method calls, to extract data from the app or the from the back-end, or to change the behavior of the app by injecting malicious code. I’ll cover these more sophisticated attacks in detail in another blog (when we discuss what happens with attackers weaponizing mHealth apps). For now, just know that the hackers can use static scanning tools, disassemblers, and code tracing to gather valuable information (e.g. user credentials, API endpoints, keys, etc.) found in mobile healthcare app code. These methods can be used simply to harvest and steal sensitive information or prepare broader attacks such as credential stuffing and other attacks on mobile health systems. To prevent these attacks, developers of mHealth apps and security professionals should at a minimum implement code obfuscation, app shielding (to prevent tampering and malicious debugging, and other measures) to ensure the integrity of the mHealth app.
I am a big user of health apps and care deeply about privacy both as a user and as a cybersecurity professional. People use apps all the time and they expect to keep their private data.. well…..private ;). I’d love to help you protect the privacy of the patients that use your mobile health app and overcome the cyber security challenges you are facing. Please reach out to us for a demo!