A recent study concluded that many popular mobile health apps pose a risk to protected health information (PHI) security. The study analyzed the security of 30 health apps that allow healthcare providers to review patient charts and schedules, and found that all of them are vulnerable to API cyberattacks. More details on the risks of mobile healthcare apps are discussed.
Risks of Mobile Health Apps: What Did the Study Find?
The study into the risks of mobile health apps security was conducted by Approov, a mobile app API security company, and Knight Ink, a cybersecurity marketing firm. To determine whether or not health apps were putting PHI at risk, the companies reverse-engineered 30 mobile health apps to analyze their static code, and then conducted API penetration testing.
Ok, now that you’re confused, what does that even mean?
Basically, both of these things are done to determine if there are any cybersecurity vulnerabilities within the health apps’ codes or security protections.
So, what did the study find?
- All apps were vulnerable to unauthorized access to ePHI.
- 77% had hard-coded API keys (an API is a unique identifier used to authenticate developers or users). Hard-coding API keys is widely regarded as a security flaw, and therefore is ill advised.
- 50% allowed unauthorized access to clinical results and admissions records.
- 7% had hard-coded user names and passwords. This practice is explicitly advised against as it allows threat actors to easily access login credentials, giving them full access to the health apps’ data.
Alissa Knight, the report’s author and partner at Knight Ink stated, “There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible. But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to [BOLA] vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database. The problem is clearly systemic.”
Risks of Mobile Health Apps: What Does This Mean?
Cybersecurity in the healthcare space has long been a concern, particularly as of late with the rise in use of apps in healthcare. The risks of mobile health apps security found in the analyzed apps point to a larger trend of vulnerable, frequently relied on, technology. For instance, the 30 analyzed apps, on average, have been downloaded 772,619 times. All of these healthcare apps allowed unauthorized access and alteration of PHI including patients’ demographics, photos, and clinical histories, which compromised patients’ security.
Approov Founder and CEO David Stewart stated, “These findings are disappointing but not at all surprising. The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm. Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.” Learn more information about HIPAA compliant apps.
