By Pavel Novik
In the present turbulent situation, many industries are experiencing difficulties with adapting to the ever-changing situation. However, this is not the case with mobile healthcare and medical mobile apps in particular. According to a recent report by Research and Markets, the global medical app market that hit $4.2bn in 2020 is to skyrocket to $20.7bn by 2027, racing at a CAGR of 25.5%.
So does it mean there’s no need to worry? Unfortunately, there is a sore point here. Though App Store, Google Play, and other app marketplaces are seeing an influx of new health mobile apps, the security of such tools leaves much to be desired in the majority of cases.
To prove this point, Intertrust analyzed 100 iOS and Android healthcare apps from proprietary stores. The analysis lead to a depressing conclusion: 85% of COVID-related apps leak data, and 91% of them have under-level encryption, which may expose personal data. But how is this possible given the budgets and efforts that providers spend on ensuring medical app security?
What’s the trouble?
Healthcare app security is like the last piece of a delicious cake guests are too full to eat. Providers leave security to vendors who do their job with full-scale security assurance, hoping consumers will be reasonable to observe some good practices as well. As a result, providers are left with apps that are only conditionally secure.
To change the situation, it’s necessary to take some precautions. Luckily, such prevention measures don’t typically involve any extra IT security training but boil down to knowing the security basics and specifics of healthcare IT.
Below is a short overview of the key healthcare app security practices.
Medical app quality assurance (QA)
This practice involves multiple types of mobile testing, each of them solving a particular task. Noteworthy is the fact that medical QA involves both regular testing tasks and specific medical app testing efforts.
Among the regular tasks are functional testing, performance testing that makes sure the app runs swiftly and doesn’t crash, and connectivity testing to check how it handles shifts in the network conditions. These efforts are common for the majority of mobile apps regardless of the industry they cater to.
Medical app security testing
Security testing is not only about professional knowledge and expertise. If providers take a quick look at its basics, they may help security experts address a potential loophole faster. So what are the key points?
First of all, for medical apps, danger comes from three major types of malicious actors. These may be plain hackers, man-in-the-middle (MITM) actors, and the so-called social engineers. So how to fight them off? With the first two groups, the best strategy is to have qualified security experts involved. As these attacks involve code, operating without any professional knowledge might be fruitless. However, with social engineers the situation is different.
Unlike tech-savvy hackers and MITM actors, social engineers try to get to a patient’s data by applying psychological tricks. Using more subtle methods, such actors may orchestrate spear phishing, which targets a particular individual via phishing, or fraudware. In this case, the actors try to manipulate a user and make them download malware sold as a critical protective app.
Knowing about such attacks, providers may inform their employees and encourage them to spread the word among their patients. This effort may allow providers to prevent the attack at its onset. From the tech perspective, the main protection measure is multifactor authentication. This way, a malicious actor won’t get into the system even if they have a user’s credentials.
As for security testing per se, it usually involves two steps—scanning for vulnerabilities and penetration testing. To put it simply, security experts analyze the app to find weak links that malicious actors may exploit and then try to break in using the discovered loopholes. These mock attacks aren’t dangerous. They help providers improve app security timely, thus ensuring attack prevention.
Cloud security testing
Surprisingly, this point often escapes providers’ attention. Somehow, providers tend to believe that if patient-facing security testing is complete, the app is bulletproof. However, to be on the safe side, additional cloud security testing is required.
The first point in cloud security is end-to-end encryption that PHI on the way to the cloud and back. With the encryption in place, patients’ data stays protected even if hackers manage to gain access to it during the transmission. Encrypted personal data is nothing but meaningless code.
Secondly, cloud applications suffer from specific security threats, service hijacking and side-channel attacks being just some of them. While the former resembles phishing, as malicious actors get into the cloud using a legit user’s credentials, the latter is unique to cloud environments. Preventing side-channel attacks requires a great deal of expertise. The problem is, hackers may exploit not only an app’s vulnerabilities but also its features and other specifics, from shared cache memory (LLC) to power use fluctuations. Therefore, expert-level prevention measures are needed.
Prevention tips for providers
Ensuring mobile medical app security is not a one-time effort. Malicious actors grow more cunning and devious, so the security shields providers put up may turn useless with time. To prevent potential data exposure, providers need to employ trusted security professionals to have their tools tested regularly.
In fact, penetration testing and vulnerability scanning fully justify their costs. Security experts not only detect vulnerable points but also provide tips for bringing the app security up to speed with the latest prevention techniques.
As we can see, the most pervasive types of attacks exploit users’ credentials. Therefore, there’s yet another useful prevention measure: educating employees and patients. This effort doesn’t require lengthy security training. For employees, just a couple of workshops with security specialists speaking on major threats and best prevention practices will do.
As for patient education, a brochure with secure app use recommendations and brief conversations with their clinicians should be enough.
Wrapping it up
Security experts, however qualified, can’t ensure healthcare app security alone. Providers need to step in to learn about potential dangers and facilitate their prevention whenever they can.
Luckily, preventing mobile medical app threats doesn’t require any programming or testing expertise from providers. It’s all about the awareness, continuous monitoring, and informed decision-making, which is only possible when providers are on the same page with their app vendors.
Pavel Novik is QA Unit Manager and the Head of the Mobile Testing Center of Excellence at a1qa.