Digital Therapeutics (DTx) – specialised mobile apps that treat common illnesses and certain chronic diseases by combining behavioural and lifestyle changes with drugs – are becoming increasingly commonplace. Using iOS and Android systems on smartphones and tablets, DTx increases patient access to effective treatments, improves convenience and privacy, and offers meaningful insights and results via mobile apps.
The risk of attacks for digital therapeutics
DTx is streamlining the care process, moving patients away from paper-based systems, and providing digital access to healthcare records. As these interfaces grow in popularity, the quantity and detail of available health data is also rising. However, so too are cyberattacks – and the potential impact of this data falling into the wrong hands can be devastating. The healthcare field is a critical part of social infrastructure, and so patient information, such as images, scans, diagnoses, and medical reports, is a potential goldmine for anyone seeking to maliciously exploit it.
These kinds of cyberattacks are already disrupting everyday operations and compromising confidential patient data. For example, ransomware is often used to attack DTx apps, locking Electronic Health Records (EHR) so they can only be reopened after the ransom has been paid. What’s more, researchers at The Journal of the American Medical Information Association have reported that almost 2% of apps investigated were labelled as suspicious by at least one antivirus tool and are believed to be variants of FakeApp trojans masquerading as legitimate apps.
With cyber risks rising it’s vital that companies know what the top attacks against digital therapeutics apps are and how to solve them.
Tampering with patient data
There are numerous ways that cyber attacks on digital therapeutics apps can lead to significant data breaches and interruptions in digital services. In many instances, attackers input false medical conditions to fool doctors and cause harm to patients. This is achieved by using static and dynamic code analysis, instrumentation, and other tools to understand how an app functions or harvest data.
By incorporating robust defences – such as code obfuscation, anti-tampering, runtime application self-protection (RASP), memory injection prevention, data encryption at rest and in transit, mobile developers can help ensure the integrity of their apps and protect patient data. Trojan attacks
Trojans allow attackers to gain backdoor access to systems that they can use to secretly monitor patients or healthcare professionals or steal sensitive data through. Using various techniques, hackers can pirate DTx apps, making minor changes that leave the illusion of authenticity intact. They can then use these trojans to harvest personal data, perform unwanted browser redirects, and even access credentials.
To combat trojan attacks, developers of digital therapeutics should be implementing strong app hardening solutions and code obfuscation that prevents reverse engineering. In addition, they may consider keylogger prevention and preventing their apps from running on emulators, simulators, or virtualized devices. Enforcing secure communication protocols and, again, strong man-in-the-middle defences will be excellent for protecting data.
Ransomware threats
When it comes to health-related applications, cyber-criminals often exploit or compromise mobile applications to get their hands on sensitive data that can be used to blackmail patients or extort cash payments from the victims or healthcare providers. Protecting all data using strong encryption of data at rest, in transit, and in memory, as well as strings and resources stored in the app bundle can be effective ways of keeping hacker’s hands off the data they seek. In addition, protecting the mobile clipboard, blocking overlay attacks as well as preventing the abuse of Accessibility Services can provide a robust defence against attempts to weaponize DTx apps.
Malware programmes
Android and iOS phones are highly susceptible to malware programmes. Hackers build malware to exploit the applications’ sandboxes, or else to target SD cards, keywords, and other sensitive data – often by jailbreaking or rooting the device to gain superuser or elevated privileges. With this higher level of control, the hacker can launch much more effective attacks against DTx apps.
To prevent such threats and attacks, DTx developers and security professionals should prevent their apps from running on jailbroken or rooted devices, while also blocking advanced rooting and root hiding tools like Magisk, as well as blocking the use of powerful dynamic instrumentation frameworks such as Frida
Data leak and exploit
Patients are at risk of being compromised by DTx apps that could expose their data, such as medications, x-rays, and diagnostics. The most straightforward breach hackers use to access healthcare data is the access login.
Developers should combine data encryption and strong mobile malware defences to prevent keylogging and app overlay attacks. They should also incorporate loss prevention methods, such as preventing copy-paste functions and camera rolls from the app.
Protect customers’ rights to security
Healthcare data is often very intimate, and patients have the right to expect their information to be securely stored on mobile apps. By implementing some or all these recommended defences, developers can ensure that not only are they providing high quality healthcare services, but also that their users are comfortable their data is safe.
Article by Alan Bavosa, the VP Security Products of Appdome
