The state of mobile healthcare application security
Mobile apps are one of the biggest areas of growth in the healthcare industry. Prior to 2020, the market was growing at more than 20% a year and it is projected to be worth $130 billion by 2022. And that was before the COVID-19 crisis, which has pushed a huge amount of in-person interactions online. In 2019, just 11% of patients used telehealth; in April 2020 the number jumped to 46%.
Given this unprecedented growth in adoption, has healthcare application security kept pace?
To investigate, we analyzed 100 apps (50 each on iOS and Android) encompassing four major categories: telemedicine/patient engagement, health commerce, medical device apps, and COVID-tracking. The in-depth report reveals major weaknesses in mHealth apps across the board. It looks into the most prevalent threats to medical app security and the dangers that they pose.
Download the full report here.
The rise of healthcare apps
Looking at the benefits of healthcare mobile applications, it’s easy to understand their positive trajectory. For patients, they can mean more detailed, personalized and, in these times of COVID-19, safer care. Patients can order prescriptions, check test results, consult with doctors and be monitored remotely, control medical devices such as insulin pumps, and perform other medical tasks, all from their phone or tablet.
For healthcare organizations, the reduced costs of service delivery can make a considerable difference to their bottom line. In the U.S. alone, preventative healthcare apps for diabetes and asthma care, cardiac rehabilitation, and pulmonary rehabilitation are projected to save $7 billion a year in hospital admissions.
However, along with their rise in popularity comes an increasing risk to healthcare application security. With the wealth of private information these apps contain, coupled with the fact that stolen healthcare records fetch the highest prices on the dark web (up to $1,000 each), healthcare apps are a prime target for cybercriminals.
Mobile healthcare application security risks
This is not just speculation. Healthcare organizations are attacked at double the rate of other industries and an increasing number of compromises can be linked to mobile devices. Verizon’s Mobile Security Index 2020: Healthcare Spotlight reported that 38% of healthcare cybersecurity incidents are mobile-related.
While mobile devices and OSes have some built-in safeguards, they are generally not sufficient to prevent hackers from finding and exploiting vulnerabilities and security flaws in mobile healthcare apps. Once in, cybercriminals can steal patient and payment data, lift proprietary algorithms and other IP, locate and extract cryptographic keys, inject malicious code into apps, and even find their way into critical backend systems.
With patient privacy, safety, regulatory compliance, and organizational digital infrastructure all at risk, mobile app security should be a priority for every healthcare organization. Yet, in that same Verizon report, nearly two-fifths of healthcare organizations admitted that the imperative to get an app out took precedence over healthcare application security.
Our own investigations bore this out. Every app tested had at least one basic security issue and the vast majority (71%) contained at least one high-level security flaw. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
What our investigation revealed about mobile healthcare application security
Apps were tested using an array of static and dynamic analysis techniques, in alignment with the OWASP mobile security risks, and vulnerabilities were rated according to the CVSS (Common Vulnerability Scoring System), the vendor-independent international severity classification. Every Android app we analyzed and 72% of iOS apps contained four or more vulnerabilities, painting a stark picture of the security of healthcare applications across the board.
Some of the most serious risks to mHealth apps, such as cryptographic weaknesses or poor protection around data storage, were also the most prevalent. Key findings of the report include:
- The vast majority of medical apps (91%) have mishandled and/or weak encryption that puts them at risk for data exposure and IP (intellectual property) theft.
- 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
- The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
- 83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.
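The SharedPreferences finding above, shown as the weak pattern beside a hardened form. This is an added illustration, not code from the report or from any tested app; the `auth_token` key and `session` file names are constructed, and the hardened version assumes the Jetpack Security library (androidx.security:security-crypto) is available.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Weak pattern: a session token written to plain SharedPreferences.
// The backing XML under the app's data directory holds the value in clear
// text, so anyone who can reach that file (rooted device, debuggable build,
// backup extraction, or the deprecated MODE_WORLD_READABLE) can read or edit it.
fun storeTokenWeak(ctx: Context, token: String) {
    ctx.getSharedPreferences("session", Context.MODE_PRIVATE)   // constructed name
        .edit()
        .putString("auth_token", token)                          // constructed key
        .apply()
}

// Hardened form: EncryptedSharedPreferences encrypts both keys and values
// with a master key kept in the Android Keystore, so the on-disk XML is
// ciphertext and the key itself is never written to the file system.
fun securePrefs(ctx: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(ctx, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        ctx,
        "session_secure",                                         // constructed name
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

fun storeTokenHardened(ctx: Context, token: String) {
    securePrefs(ctx).edit().putString("auth_token", token).apply()
}

// Read-back uses the same wrapper; callers never see ciphertext or the key.
fun loadToken(ctx: Context): String? =
    securePrefs(ctx).getString("auth_token", null)
```

A quick self-check during testing is to pull the app's shared_prefs XML from a debug device and confirm that no recognisable key names or values remain in clear text.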
When drilling down into specific app categories, health commerce apps were the biggest violators by number of vulnerabilities (80% had 7+). Telemedicine had the greatest prevalence of high-risk vulnerabilities (80%). We also found that COVID-tracking apps were relatively less vulnerable than other healthcare apps, with less than 40% containing a high-risk vulnerability. However, a whopping 85% of COVID-tracking apps potentially leak data.
Our 2020 report on global mHealth application security
The full Intertrust Security report on global mHealth apps 2020 is an essential document for anyone involved in the field, from healthcare organizations to the developers and vendors of mHealth apps. Our analysis of threats to medical app security, along with regulatory compliance implications of specific vulnerabilities, will allow teams to understand where the greatest risks are most likely to occur. From there, they can work to mitigate them.
To read the full report on healthcare application security, its vulnerabilities, and areas of improvement, please download it here.