Cybersecurity firm Knight Inc and mobile security company Approov have joined forces to highlight the inadequacies of the digital security that most health apps currently have in place. The companies ‘ethically hacked’ 30 mobile health apps to highlight the threats they face through application programming interfaces (APIs), which Approov Founder and CEO David Stewart explained are the communication channels between a mobile app and a cloud service, physical server or hospital infrastructure. APIs allow mobile phones to access X-rays, pathology reports and allergy data.
The problem is systemic
In a report titled All That We Let In, the firms noted that all 30 of the apps involved in the study were vulnerable to API attacks. The study also revealed that some of the apps even allowed access to electronic health records (EHRs). Collectively, the 30 apps expose 23 million mobile health users to attacks, Knight reported.
Commenting on her findings, Alissa Knight, researcher and author of the report, said: “Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible. But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database. The problem is clearly systemic.”
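The broken object level authorization (BOLA) pattern Knight describes is an API that authenticates the caller but never checks that the requested record belongs to that caller, so any valid session can walk through record identifiers. The following is an added illustration, not code from the report or from either company: a deliberately vulnerable record lookup beside the hardened form that performs the ownership check. The record store, patient and report identifiers, and function names are all constructed for the example.

```python
# Added example (not from the report or from Knight Inc / Approov): the BOLA
# pattern the article describes, beside the object-level check that closes it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    report_id: str
    patient_id: str   # owner of the record
    body: str


# Constructed sample data: two patients, one report each.
REPORTS = {
    "r-100": Report("r-100", "patient-A", "X-ray: no fracture"),
    "r-101": Report("r-101", "patient-B", "Pathology: benign"),
}


class Forbidden(Exception):
    """Caller is authenticated but not allowed to read this object."""


class NotFound(Exception):
    """No such record."""


def get_report_bola(authenticated_patient: str, report_id: str) -> Report:
    """Vulnerable handler: the caller is authenticated (we know who they are)
    but the object is fetched by id alone, so ownership is never verified."""
    try:
        return REPORTS[report_id]
    except KeyError:
        raise NotFound(report_id)


def get_report_checked(authenticated_patient: str, report_id: str) -> Report:
    """Hardened handler: object-level authorization. The record is returned
    only when its owner matches the authenticated principal. A missing id and
    another patient's id produce the same error, so the endpoint does not
    confirm which identifiers exist."""
    report = REPORTS.get(report_id)
    if report is None or report.patient_id != authenticated_patient:
        raise Forbidden(report_id)
    return report


def leaks_other_patients_report(handler) -> bool:
    """Regression-style check a team can keep in its test suite: does the
    handler let patient-A read r-101, which belongs to patient-B?"""
    try:
        handler("patient-A", "r-101")
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_other_patients_report(get_report_bola))
    print("hardened handler leaks:  ", leaks_other_patients_report(get_report_checked))
```

The check in `leaks_other_patients_report` is the kind of cross-tenant access test worth running against every endpoint that takes a record identifier; it turns the finding in the report into a repeatable assertion rather than a one-off manual test.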
Protecting patient data from API attacks
Approov’s Stewart added: “These findings are disappointing but not at all surprising. The fact is that leading developers and their corporate and organisational customers consistently fail to recognise that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm.
“Because so few organisations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organisations and their patients.”
With the surge in mHealth usage – including telehealth platforms being implemented by international insurers and assistance providers – there needs to be comprehensive protection in place to ensure that individuals’ (patients’, employees’, etc.) health data is not at risk of being breached – as Knight points out, personal health data is the most valuable form of data on the dark web.
As such, organisations that have implemented digital health apps and similar platforms into their operations are advised to address both app security and API security through the many measures identified in the published report.
In February, French health insurance company Mutuelle Nationale des Hospitaliers was hit by a ransomware attack that disrupted the company's healthcare operations.