M-HEALTH By PHARMAGEEK
M HEALTH...and Mobile marketing - Mobile, Ipad and Apps.. #mhealth #ehealth #healthapps
Scooped by Lionel Reichardt / le Pharmageek

Risks of Mobile Health Apps: Are Health Apps Putting PHI at Risk?


A recent study concluded that many popular mobile health apps pose a risk to protected health information (PHI) security.

 

The study analyzed the security of 30 health apps that allow healthcare providers to review patient charts and schedules and found that all of them are vulnerable to API cyberattacks. More details on the risks of mobile health apps are discussed.

Risks of Mobile Health Apps: What Did the Study Find?

The study into the security risks of mobile health apps was conducted by Approov, a mobile app API security company, and Knight Ink, a cybersecurity marketing firm.

 

To determine whether or not health apps were putting PHI at risk, the companies reverse-engineered 30 mobile health apps to analyze their static code, and then conducted API penetration testing.

 

Ok, now that you’re confused, what does that even mean?

Basically, both of these things are done to determine if there are any cybersecurity vulnerabilities within the health apps’ code or security protections.

So, what did the study find?

  • All apps were vulnerable to unauthorized access to ePHI.
  • 77% had hard-coded API keys (an API key is a unique identifier used to authenticate developers or users). Hard-coding API keys is widely regarded as a security flaw, and is therefore ill-advised.
  • 50% allowed unauthorized access to clinical results and admissions records.
  • 7% had hard-coded user names and passwords. This practice is explicitly advised against as it allows threat actors to easily access login credentials, giving them full access to the health apps’ data. 

 

Alissa Knight, the report’s author and partner at Knight Ink, stated, “There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible.

 

But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to [BOLA] vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database. The problem is clearly systemic.”

Risks of Mobile Health Apps: What Does This Mean?

Cybersecurity in the healthcare space has long been a concern, particularly as of late with the rise in use of software applications in healthcare.

 

The security risks found in the analyzed apps point to a larger trend of vulnerable, frequently relied-upon technology.

 

For instance, the 30 analyzed apps, on average, have been downloaded 772,619 times. All of these apps allowed unauthorized access and alteration of PHI including patients’ demographics, photos, and clinical histories.
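The BOLA (broken object level authorization) flaw named in the quote above comes down to an API that authenticates the caller but never checks whether that caller may read the specific record requested. The following is an added example, not code from the study or from any of the tested apps; the record store, care-team mapping and function names are hypothetical and the data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data: record id -> owning patient and chart contents.
RECORDS = {
    101: {"patient_id": "p-alice", "chart": "X-ray: left wrist"},
    102: {"patient_id": "p-bob", "chart": "Pathology: biopsy"},
}
# Constructed care-team mapping: which clinician may see which patients.
CARE_TEAM = {"dr-lee": {"p-alice"}, "dr-kim": {"p-bob"}}


@dataclass(frozen=True)
class Session:
    """Identity the server derived from a verified login, never from the request body."""
    user_id: str
    role: str  # "patient" or "clinician"


def get_record_unchecked(session, record_id):
    """BOLA pattern: the caller is authenticated, but the object is never checked."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record


def may_read(session, record):
    """Object-level rule: patients read their own chart, clinicians their care team's."""
    if session.role == "patient":
        return session.user_id == record["patient_id"]
    if session.role == "clinician":
        return record["patient_id"] in CARE_TEAM.get(session.user_id, set())
    return False  # unknown roles are denied by default


def get_record_checked(session, record_id):
    """Same lookup, with the per-object check applied on every request."""
    record = RECORDS.get(record_id)
    # Answer 404 for both "missing" and "not yours" so record ids cannot be probed.
    if record is None or not may_read(session, record):
        return 404, None
    return 200, record
```

The check belongs on the server, next to the data access, because anything enforced only in the mobile client can be bypassed by calling the API directly.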

Rescooped by Lionel Reichardt / le Pharmageek from #eHealthPromotion, #SaluteSocial

Developing an mHealth App? Want to Know Which Federal Laws Apply? Use This HHS Interactive Tool


You’re developing a health app for mobile devices and you want to know which federal laws apply. Check out this interactive tool.

WHAT ARE THE LAWS?
Does your mobile app collect, create, or share consumer information? Does it diagnose or treat a disease or health condition? Then this tool will help you figure out which – and it may be more than one – federal laws apply. It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Federal Food, Drug, and Cosmetic Act (FD&C Act)
  • Federal Trade Commission Act (FTC Act)
  • FTC’s Health Breach Notification Rule


WHICH LAWS APPLY TO YOUR MOBILE HEALTH APP? Go here.


Via Pharma Guy, Giuseppe Fattori
Pharma Guy's curator insight, April 16, 2016 6:59 AM

Related: "An Analysis of Genentech's 4HER Mobile Health App Privacy Policy"; http://bit.ly/4HERapp and "mHealth App Developers Ask for HIPAA Clarity"; http://bit.ly/mAppHIPAA I used this tool thinking of a few pharma mHealth apps I have seen. To see the results of that exercise, click here: http://bit.ly/mHealthAppQandA