8 Best Practices for Encrypting Patient Data in mHealth Apps


In today’s digital age, patient data is an invaluable commodity to threat actors — the steadily rising number of cyberattacks and data breaches targeting the health care industry is proof. Strangely enough, many mobile health (mHealth) app developers don’t consider end-to-end encryption a priority.

Many mHealth apps in use today store and transmit user details — much of which is considered protected health information in other contexts — unencrypted. Hackers are beginning to realize this, prompting them to focus on apps instead of hospitals. What can information technology (IT) teams do to ensure data is adequately encrypted?

1. Address Encryption Early on in Development

Encryption shouldn’t be a second thought. However, many developers don’t even consider the basics. One study discovered up to 23% of mHealth apps transmitted user data unencrypted on Hypertext Transfer Protocol (HTTP) traffic, making information like service set identifier, device ID, global positioning system data and contact details vulnerable to hackers.

Developers should address encryption early in the design and development phase instead of rolling out updates after release and letting things play out in a live environment. Since their reputation, app integrity and patient data are at stake, patching as they go shouldn’t be considered an option.

2. Don’t Use Obsolete Encryption Algorithms

As computer and data storage systems have advanced, so has cryptography. Deprecated cryptographic algorithms like the Data Encryption Standard (DES), the Triple Data Encryption Algorithm (Triple DES) and the Message Digest 5 (MD5) hash function are no longer secure. IT professionals should avoid them because they have known weaknesses or vulnerabilities.
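One way to check a code base for the algorithms named above, as an added example that is not part of the original article: the scanner looks for the Java/Kotlin JCA factory calls and the iOS CommonCrypto symbols that select DES, Triple DES or MD5. The function name and the sample source lines are constructed for illustration.

```python
import re

# Algorithms the text calls obsolete, keyed by the names that appear in JCA calls.
OBSOLETE = {"DES": "Data Encryption Standard", "DESEDE": "Triple DES",
            "TRIPLEDES": "Triple DES", "MD5": "Message Digest 5"}
# Java/Kotlin JCA factories: the algorithm is the part before the first "/".
JCA = re.compile(r'\b(?:Cipher|MessageDigest|KeyGenerator|SecretKeyFactory)'
                 r'\.getInstance\(\s*"([^"/]+)')
# iOS CommonCrypto symbols that select the same algorithms.
COMMONCRYPTO = {"kCCAlgorithmDES": "Data Encryption Standard",
                "kCCAlgorithm3DES": "Triple DES", "CC_MD5": "Message Digest 5"}
CC = re.compile(r"\b(" + "|".join(COMMONCRYPTO) + r")\b")

def find_obsolete_crypto(source):
    """Return (line number, identifier, algorithm) for each obsolete use."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in JCA.finditer(line):
            name = match.group(1).strip()
            if name.upper() in OBSOLETE:  # JCA names are case-insensitive
                hits.append((number, name, OBSOLETE[name.upper()]))
        for match in CC.finditer(line):
            hits.append((number, match.group(1), COMMONCRYPTO[match.group(1)]))
    return hits

# Constructed sample source lines (Kotlin and Swift style, not from a real app).
SAMPLE = '''val legacy = Cipher.getInstance("DESede/CBC/PKCS5Padding")
val current = Cipher.getInstance("AES/GCM/NoPadding")
val digest = MessageDigest.getInstance("MD5")
let status = CCCrypt(CCOperation(kCCEncrypt), CCAlgorithm(kCCAlgorithmDES), options)
'''

if __name__ == "__main__":
    for hit in find_obsolete_crypto(SAMPLE):
        print(hit)
```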

3. Consider HIPAA-Compliant Encryption 

HIPAA only applies to health care providers and vendors. Even though mHealth apps often collect much of the same medical information, they aren’t subject to the same privacy and data security laws — at least for now. Technically, developers don’t legally have to leverage encryption.

However, since the mHealth market is set to expand significantly — it will reach $332.7 billion in 2025 — agencies like the Department of Health and Human Services or the FDA may regulate it sooner rather than later.

Developers should consider aligning their apps with today’s data privacy standards and regulations to stay ahead of any future regulatory changes. After all, using HIPAA as a guideline is one of the encryption best practices. Besides, compliance protects companies from potential legal action and secures user information.

4. Keep Communication Protocol Encrypted

Hypertext Transfer Protocol Secure (HTTPS) is the protected version of HTTP. It encrypts the communications between an application and server, mitigating man-in-the-middle attacks. It’s one of the easiest encryption best practices to follow, so there’s little reason not to leverage it. Besides, opting for HTTP may drive users away. Their firewall may even block the app entirely.

HTTPS is typically required for apps submitted to the App Store or Google Play Store. IT teams should remove any exceptions allowing unnecessary HTTP connections and ensure their apps only communicate with servers they trust. The rest of the process is more complex but doable even for those with less development knowledge.
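The HTTP exceptions mentioned above live in specific configuration files: `android:usesCleartextTraffic` in the Android manifest, `cleartextTrafficPermitted` in the network security config, and the `NSAppTransportSecurity` dictionary in an iOS `Info.plist`. The audit below is an added example, not part of the original article; the function names and the sample files are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_android(manifest_xml, nsc_xml):
    """Return cleartext-HTTP allowances in the manifest and network security config."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        if app.get(ANDROID + "usesCleartextTraffic", "").lower() == "true":
            findings.append("manifest: usesCleartextTraffic=true")
    for node in ET.fromstring(nsc_xml).iter():
        if node.tag in ("base-config", "domain-config") and \
                node.get("cleartextTrafficPermitted", "").lower() == "true":
            domains = [d.text.strip() for d in node.findall("domain") if d.text]
            findings.append("nsc: cleartext permitted for " + (", ".join(domains) or "all domains"))
    return findings

def audit_ios(plist_bytes):
    """Return App Transport Security exceptions that allow plain HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("plist: NSAllowsArbitraryLoads=true")
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        if opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"plist: insecure HTTP allowed for {domain}")
    return findings

# Constructed sample inputs (not from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.test</domain>
  </domain-config>
</network-security-config>"""
SAMPLE_PLIST = plistlib.dumps({"NSAppTransportSecurity": {
    "NSAllowsArbitraryLoads": False,
    "NSExceptionDomains": {
        "legacy.example.test": {"NSExceptionAllowsInsecureHTTPLoads": True},
        "api.example.test": {"NSExceptionAllowsInsecureHTTPLoads": False}}}})

if __name__ == "__main__":
    for finding in audit_android(SAMPLE_MANIFEST, SAMPLE_NSC) + audit_ios(SAMPLE_PLIST):
        print(finding)
```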

5. Select the Right Encryption Algorithm

Symmetric encryption uses the same key to encrypt and decrypt data. The Advanced Encryption Standard (AES) is considered the standard. Asymmetric encryption is the alternative. It uses one public and one private key. Rivest-Shamir-Adleman (RSA) is one of the more common examples. Although it’s more secure, it is slower, and setting it up is more complex.

Developers who are unsure whether to use AES or RSA should consult the International Organization for Standardization or the National Institute of Standards and Technology. These institutions have extensive guides, tips and best practices on encryption, which should make the decision easier.

6. Opt for End-to-End Encryption

Patient data should be encrypted at rest and in transit to prevent hackers from viewing, tampering with or exfiltrating it while in storage or during transmission. Leveraging end-to-end encryption is one of the best practices mHealth app developers can prioritize because it keeps information safe. This way, only those with decryption keys have access.

7. Test and Audit Encryption Before Going Live

Considering about 47.7% of people use at least one health app, the average mHealth app is bound to get a decent amount of downloads and traffic. In other words, slowly rolling out patches in a live environment may create issues faster than a single developer can deal with, putting users’ information at risk of a leak or breach.

IT professionals should fully test the functionality of their encryption method before giving it the green light. Fixing any errors or vulnerabilities in the app’s encryption configuration, logic, or code early on is one of the best encryption practices. Techniques like vulnerability scans and penetration testing may streamline the process.

8. Avoid Embedding the Keys in the App Code

Cryptographic keys allow someone to decrypt ciphertext. If a threat actor gets ahold of one, they — and whoever is willing to pay them — can access every shred of sensitive data. For this reason, hardcoding or embedding cryptographic keys into the app’s code is a bad idea, as it makes them vulnerable to extraction or reverse engineering.
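A pre-release check for keys embedded in source, as an added example that is not part of the original article: it flags string literals assigned to key-like names when they decode (hex or base64) to an AES key length with high byte entropy, plus PEM private-key headers. The names, the entropy threshold and the sample lines are assumptions chosen for illustration.

```python
import base64
import binascii
import math
import re
from collections import Counter

# A string literal assigned to a name containing "key" or "secret".
ASSIGN = re.compile(r'(?i)\b(\w*(?:key|secret)\w*)\s*[:=][^"\'\n]*["\']([^"\']{16,})["\']')
PEM = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
AES_KEY_BYTES = {16, 24, 32}

def shannon_entropy(data):
    """Bits of entropy per byte; low values indicate placeholders, not keys."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def decode_literal(literal):
    """Return the raw bytes if the literal is hex or base64, otherwise None."""
    try:
        if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", literal):
            return bytes.fromhex(literal)
        return base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None

def find_embedded_keys(source, min_entropy=3.0):
    """Return (line number, description) for key material embedded in source."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if PEM.search(line):
            hits.append((number, "PEM private key"))
        for name, literal in ASSIGN.findall(line):
            raw = decode_literal(literal)
            if raw and len(raw) in AES_KEY_BYTES and shannon_entropy(raw) >= min_entropy:
                hits.append((number, f"{len(raw) * 8}-bit key in {name}"))
    return hits

# Constructed sample source (Kotlin-style lines; the key values are test patterns).
SAMPLE = "\n".join([
    f'private const val RECORD_KEY = "{bytes(range(16)).hex()}"',
    f'val aesKey: String = "{base64.b64encode(bytes(range(32))).decode()}"',
    'val keyAlias = "patient_record_key_v1"',
    'val key = keyStore.getKey("record-key", null)',
    'val pem = "-----BEGIN PRIVATE KEY-----"',
])

if __name__ == "__main__":
    for hit in find_embedded_keys(SAMPLE):
        print(hit)
```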

Encryption Requires an Ongoing Effort

As cryptographic algorithms become obsolete and hackers’ tools become more sophisticated, developers will need to address their encryption strategy again. Consistent auditing, testing and updating will take time and effort, but peace of mind is worth it when the alternative is a data breach or a cyberattack.

By Zac Amos, rehack.com