Healthcare Apps Have Big Problems
By Isadora Teich
COVID-19 is causing widespread change, some of which will definitely outlast the pandemic itself. We have been forced to change how we work, shop, travel, study, and socialize for now, but some of these shifts are already sticking as the world becomes more digital.
For example, Microsoft is now giving many employees the option to work from home permanently.
Many people have been speculating on which industries will go completely digital, adopt more virtual aspects, or fade out entirely.
There has been a lot of buzz about healthcare going virtual via apps. However, there are some major roadblocks when it comes to the app-takeover of healthcare.
A Widespread Security Nightmare
A recent study by the pioneer in digital rights management (DRM) technology and leading provider of application security solutions, Intertrust, shows that the majority of healthcare apps have fatal security flaws.
This includes both Android and iOS apps.
Alarmingly, it is also widespread in COVID-tracking apps.
In order to compile its Security Report on Global mHealth Apps 2020, Intertrust analyzed 100 applications using OWASP-aligned static and dynamic analysis techniques: 50 Android applications and 50 iOS applications. The analysis covered four key areas of healthcare: telemedicine/patient engagement, health commerce, medical device apps, and COVID tracking.
What They Found
Out of the 50 apps tested, all 50 had at least one low-level security flaw.
More alarmingly, 71% had at least one high-level security flaw as well. Every Android app they looked at and over 70% of iOS apps had four or more privacy-compromising issues.
In over 90% of apps, these issues are due to weak or poorly handled encryption. This means that when you use these apps, you are at a high risk of your data being stolen or leaked. Around 30% of Android and iOS healthcare apps are vulnerable to key extraction.
Different types of apps were found to have different weaknesses.
For example, the tested COVID tracking apps were found to be especially poorly constructed: 85% of them were found to leak data. Health commerce apps were found to have the most structural flaws, with 80% of the tested health commerce apps having more than seven security vulnerabilities.
However, telemedicine apps were found to have the most high-level security issues.
Major Cryptographic Issues
Widespread cryptographic issues were found in almost every app tested, with 91% of the apps in the study failing one or more cryptographic tests. So, what does this mean?
Essentially, the encryption used in these medical apps is easy for hackers to break.
This means there is huge potential for cybercriminals to expose confidential patient data. Attackers can then tamper with reported data, send commands to connected medical devices, and do even more harm.
An Android-Specific Issue
While the vast majority of the apps tested by Intertrust were found to have issues with how they store data, many Android apps had a glaring problem.
60% of the tested Android apps stored information in SharedPreferences without encrypting it. This leaves users’ unencrypted data easily readable and editable by cybercriminals and malicious apps.
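To make the SharedPreferences finding (and the key-extraction finding above) concrete, here is an added example that is not from the article or from Intertrust's report: a hypothetical patient-record cache written the weak way, beside the hardened form that keeps the key in the Android Keystore and encrypts both preference keys and values. It assumes the androidx.security:security-crypto library is on the classpath; the preference file names and field names are made up for illustration.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// WEAK: the pattern the report describes. Values are written as plaintext
// XML under the app's shared_prefs directory, so anything that can reach
// the app sandbox (root, backups, a debuggable build) can read or edit them.
fun savePatientWeak(context: Context, patientId: String, diagnosis: String) {
    val prefs: SharedPreferences =
        context.getSharedPreferences("patient_cache", Context.MODE_PRIVATE)
    prefs.edit()
        .putString("patient_id", patientId)
        .putString("diagnosis", diagnosis)
        .apply()
}

// HARDENED: the master key is generated inside the Android Keystore rather
// than compiled into the APK, which is what makes the difference against the
// "key extraction" issue: there is no key material in the binary to pull out.
// EncryptedSharedPreferences then encrypts preference keys (AES-SIV) and
// values (AES-GCM) before they reach disk.
fun securePrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "patient_cache_enc",          // constructed file name
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

fun savePatientHardened(context: Context, patientId: String, diagnosis: String) {
    securePrefs(context).edit()
        .putString("patient_id", patientId)
        .putString("diagnosis", diagnosis)
        .apply()
}

// Reads transparently: decryption happens inside the wrapper, so calling
// code is unchanged apart from which SharedPreferences instance it uses.
fun loadDiagnosis(context: Context): String? =
    securePrefs(context).getString("diagnosis", null)
```

A quick check during review is to open the app's shared_prefs XML on a debug build: with the weak version the diagnosis is readable as-is, with the hardened version both the key names and values appear as opaque ciphertext.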
Why Are These Apps So Flawed?
In many cases, when there are high profile app issues, it comes down to the applications themselves being created in a rush.
Remember when the failure of the Iowa Caucus App dominated the news cycle? We explored it in a blog post.
While there was a complex web of events (and many even felt a conspiracy) surrounding that particular failure, one simple fact is truly undeniable:
When you try to create an app too quickly, you are setting yourself up for failure.
In fact, even if you take your time and do everything correctly, sometimes there can still be issues.
This summer, UK healthcare provider Babylon reported a data breach in its GP video appointment app. However, they were on top of it and able to correct it within a few hours.
The fact that so many other apps are being released and widely used globally with glaring security holes means that either healthcare providers do not know, or do not care that their apps are faulty.
It is likely that the desire to release them trumps everything else, and that many of these apps have not been properly tested and tweaked before release. In fact, data from Verizon shows that 40% of healthcare organizations prioritize time-to-market over any application security concerns.
COVID has placed heavy demands and incredible pressure on healthcare systems around the world. In the rush to alleviate and correct this with apps, it appears that security concerns have taken a back seat.
“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do,” Bill Horne, General Manager of the Secure Systems product group and Chief Technology Officer at Intertrust, told SecurityMagazine. “The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.”
A Perfect Storm
People want the safety of apps due to social distancing guidelines, the global healthcare system needs help, and app creators and health companies want to get them out as quickly as possible.
Unfortunately, this has created a widescale security nightmare and cybercriminals are quick to exploit it.
Data theft groups are targeting patient-generated health data (PGHD) with a variety of tactics.
These include code injection, SQL injection, errors, and even cross-site scripting.
Hackers are also using social engineering and corporate intrusions via ransomware to take advantage of people and steal their data.
Healthtech is going to be a key part of the future of medicine, but it appears these apps still need a lot of work.
Further investigation needs to be conducted into these apps, so that the full scope of the problem can be realized and corrections can be made. This will be critical as we move forward, even beyond COVID-19.
Likely, as we progress out of this chaotic time and these apps become more normalized in usage, they will be improved in many ways.
Rocky starts are common at the early stages of any big wave of innovation, after all.
What do you think about all this? Talk to me.