Alissa Knight, the report’s author and partner at Knight Ink stated, “There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible. But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to [BOLA] vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database. The problem is clearly systemic.”
Risks of Mobile Health Apps: What Does This Mean?
Cybersecurity in healthcare has long been a concern, and the recent growth in the use of healthcare apps has sharpened it. The security risks found in the analyzed mobile health apps point to a larger trend: widely relied-on technology that is vulnerable. For instance, the 30 analyzed apps have been downloaded 772,619 times on average. All of these healthcare apps allowed unauthorized access to and alteration of PHI, including patients’ demographics, photos, and clinical histories, compromising patients’ security.
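To make the BOLA finding concrete, the following is an added example (not code from the report, Approov, or the article) that models a patient-record lookup once without and once with an object-level authorization check; the record ids, users and PHI strings are constructed for illustration.

```python
# Added example: the BOLA ("Broken Object Level Authorization") pattern the
# report describes, modelled on a patient-record API. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset  # e.g. {"patient"} or {"clinician"}


# Constructed sample store: record id -> owning patient, care team, PHI payload
RECORDS = {
    "rec-1001": {"patient": "pat-7", "care_team": {"doc-3"}, "phi": "pathology report A"},
    "rec-1002": {"patient": "pat-8", "care_team": {"doc-3"}, "phi": "x-ray series B"},
    "rec-1003": {"patient": "pat-9", "care_team": {"doc-4"}, "phi": "clinical history C"},
}


class Forbidden(Exception):
    pass


def get_record_vulnerable(principal: Principal, record_id: str) -> str:
    """BOLA: the caller is authenticated, but nothing checks that this caller
    may see *this* object, so any valid session can read every record."""
    return RECORDS[record_id]["phi"]


def is_authorized(principal: Principal, record: dict) -> bool:
    """Object-level check: caller must be the record's patient or a clinician
    on that record's care team."""
    if "patient" in principal.roles and record["patient"] == principal.user_id:
        return True
    return "clinician" in principal.roles and principal.user_id in record["care_team"]


def get_record_hardened(principal: Principal, record_id: str) -> str:
    record = RECORDS.get(record_id)
    if record is None or not is_authorized(principal, record):
        # Same response for "missing" and "not yours": no hint that the id exists
        raise Forbidden("record not found or access denied")
    return record["phi"]


def audit_object_access(endpoint, principal: Principal) -> list:
    """Defender-side authorization test: list which records the endpoint hands
    back to this principal. A correct endpoint returns only the entitled ones."""
    reachable = []
    for rid in RECORDS:
        try:
            endpoint(principal, rid)
            reachable.append(rid)
        except Forbidden:
            pass
    return reachable
```

Run the audit against each API handler in a test suite, once per role, so a regression that drops the object-level check fails the build instead of shipping.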
Approov Founder and CEO David Stewart stated, “These findings are disappointing but not at all surprising. The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm. Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”