Patient Privacy and Defending Against the Top 5 Attacks on mHealth Apps


Mobile health (mHealth) really took off during the pandemic, and once people experienced its ease-of-use, convenience and efficiency, mHealth apps’ popularity continued to grow even after pandemic restrictions were lifted. This growth has raised new cybersecurity and privacy challenges for such apps and the patients that access them.

Health records sell for 50 times more than a credit card number on the black market, according to a report from Trustwave. It stands to reason. Credit card numbers can be cancelled, and accounts have a fixed credit limit. The information in a person’s health record can remain accurate for years, even decades, and it provides a treasure trove of data that can be used to launch many different kinds of fraud over an extended period of time.

With caregivers, doctors and patients increasingly accessing and sharing personal health information via mobile apps, cybercriminals are following the data, redoubling their efforts to attack these apps to get that information. So it’s troubling that many mHealth apps lack basic security features. For example, Alissa Knight, a security researcher and self-described “recovering hacker,” said she commonly finds serious security problems in mHealth apps: vulnerable APIs, hard-coded keys and tokens that allow access to back-end systems, and insecure object-level authorization that gave her complete access to patient records.

Mobile app security is a multi-faceted task, because there is a multitude of methods that cybercriminals use in their attacks. However, in my experience working with mHealth security, the following five attacks are the most common, and protecting against them will go a long way towards ensuring patients’ health information and privacy are not compromised.

Mobile malware, spyware and keyloggers

To ensure mHealth patient privacy and confidentiality, developers and security professionals should guard against unauthorized access to, and theft of, patient data and electronic patient health records and information (EHR) stored locally on the device or in the mobile app. Strong mobile malware defenses must be included to prevent app overlay attacks, keylogging, and data loss, for example by preventing copy-paste functions from the app and encrypting the app clipboard buffer.

Taking advantage of weak encryption

All mHealth apps store patient data on the app itself for at least some period of time, and if that data is not properly encrypted, it is vulnerable and privacy can be compromised. All protected health information (PHI) stored on the app must be encrypted to the AES-256 standard with keys that are only available to the app. This requirement for strong encryption extends to semi-persistent areas where mobile apps store data, such as the camera roll, preferences, clipboards and strings.

Man-in-the-Middle Attacks

A substantial number of mHealth apps use insecure communications protocols like TLS 1.1 or HTTP when they send or receive data, which means PHI will be transmitted in the clear, making it vulnerable to man-in-the-middle attacks. In these attacks, malicious actors intercept and can even manipulate information in transit. Preventing these kinds of attacks requires that minimum TLS standards are enforced and that data is encrypted with SSL/TLS.
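As an illustration of enforcing a minimum TLS standard, the following added example (not code from the article or from any product it mentions) builds a client context that refuses legacy protocol versions and audits a list of back-end endpoints against the same policy. The TLS 1.2 floor, the function names and the `mhealth.example` hostnames are assumptions made for the example.

```python
import ssl
from urllib.parse import urlsplit

# Assumed policy floor: the article names TLS 1.1 and HTTP as insecure,
# so TLS 1.2 is taken here as the lowest acceptable version.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """TLS client context that will not negotiate below MIN_TLS."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    ctx.minimum_version = MIN_TLS       # handshake fails against TLS 1.0/1.1-only servers
    return ctx


def audit_endpoint(url: str, declared_min: str) -> list:
    """Return policy findings for one back-end endpoint of the app."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append(f"{url}: scheme '{scheme}' sends PHI unencrypted")
        return findings  # no TLS at all, so the version setting is moot
    version = ssl.TLSVersion.__members__.get(declared_min)
    if version is None or version < 0:  # unknown name or symbolic MIN/MAX sentinel
        findings.append(f"{url}: unrecognised protocol setting '{declared_min}'")
    elif version < MIN_TLS:
        findings.append(f"{url}: allows {declared_min}, below {MIN_TLS.name}")
    return findings


# Constructed sample configuration (placeholder hostnames, not real services).
SAMPLE_ENDPOINTS = [
    ("https://api.mhealth.example/records", "TLSv1_2"),
    ("http://api.mhealth.example/upload", "TLSv1_2"),
    ("https://legacy.mhealth.example/labs", "TLSv1_1"),
]


def audit_all(endpoints) -> list:
    """Collect findings for every (url, minimum protocol) pair."""
    return [f for url, ver in endpoints for f in audit_endpoint(url, ver)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_ENDPOINTS):
        print(finding)
```

The same two controls exist on mobile platforms as declarative settings; this sketch only shows the policy logic in a form that can be run as a build-time or CI check.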

Rooted and Jailbroken OS

One of the first steps that many malware programs take is to jailbreak (iOS) or root (Android) the device to gain elevated privileges, which gives them a great deal of control over the device operating system. As a result, they can manipulate file systems, access the application sandbox and SD card and gain control over fundamental app functions, all of which makes it much easier to launch a successful attack. It’s important that mHealth apps be able to detect when they are running on jailbroken or rooted devices, as well as block the use of jailbreak detection bypass tools and advanced rooting tools like Magisk.

Abuse of Static Scanning, Disassemblers and Code Tracing Techniques

Hackers often use techniques such as dynamic binary instrumentation and static and dynamic code analysis to understand how an app works in very fine detail. The information they gain enables them to launch sophisticated, targeted, and highly effective attacks. At a minimum, the app’s code must be properly obfuscated and the app itself must be shielded from malicious tampering and debugging.

There is still enormous, untapped potential for mHealth apps to further benefit patients and healthcare organizations. But this beneficial trend will only continue if patients continue to trust the apps’ integrity and security. By protecting against these common attacks, healthcare organizations can make great strides toward protecting their patients’ PHI and securing the future of mHealth apps.

About the author

Karen Hsu is SVP Mobile DevOps & Security Solutions at Appdome. She previously co-founded and served as CEO of BlockchainIntel. She also co-founded the not-for-profit, Blockchain by Women.