COVID-19 has caused widespread change, some of which will definitely outlast the pandemic itself.
Many were forced to change how they work, shop, travel, study, and socialize. Some of these shifts seem to have stuck long-term.
For example, Microsoft is now giving many employees the option to work from home permanently.
Many people have been speculating on which industries will go completely digital, adopt more virtual aspects, or fade out entirely.
There has been a lot of buzz about healthcare going virtual via apps too. However, there are some major roadblocks when it comes to the app-takeover of healthcare.
A Widespread Security Nightmare
A study by the pioneer in digital rights management (DRM) technology and leading provider of application security solutions, Intertrust, shows that the majority of healthcare apps have fatal security flaws.
This includes Android and iOS apps and was widespread across covid-tracking apps at the height of the pandemic.
However, the number of apps in this market have surged over the past few years and address everything from sleep tracking to connecting with physicians.
In order to compile its Security report on global mental health apps, Intertrust analyzed 100 applications using OWASP-aligned static and dynamic analysis techniques. They explored 50 Android applications and 50 iOS applications. This analysis included four key areas in healthcare. It covered telemedicine/patient engagement, health commerce, medical device apps, and COVID tracking.
Out of the 50 apps tested, all 50 had at least one low-level security flaw.
More alarmingly, 71% had at least one high-level security flaw as well. Every Android app they looked at and over 70% of iOS apps had four or more privacy-compromising issues.
More Alarming Findings
In over 90% of apps, these issues are due to weak or poorly handled encryption. This means that when you use these apps, you are at a high risk of your data being stolen or leaked. Around 30% of Android and iOS healthcare apps are vulnerable to key extraction.
Health commerce apps were found to have the most structural flaws of all of the apps tested. 80% of the tested health commerce apps had more than seven security vulnerabilities.
However, telemedicine apps were found to have the most high-level security issues. These are apps people use to find and speak with a variety of healthcare providers.
A Lot of these Apps Have Huge Cryptographic Issues
Major cryptographic issues were found in almost every app tested. 91% of the apps in the study failed one or more cryptographic tests. This sounds alarming, but what exactly does this mean?
Essentially, the encryption used in these medical apps is easy for hackers to break.
This means, there is huge potential for cybercriminals to expose confidential patient data. Attackers can then tamper with reported data, send commands to connected medical devices, and do even more harm.
This is especially alarming when it comes to the fact that these apps often contain private vital health information. And Android apps had worse issues than iOS apps.
60% of the tested Android apps stored information in SharedPreferences. This leaves users’ unencrypted data easily readable and editable by cybercriminals and malicious apps.
Why Are Many of These Apps So Flawed?
In many cases, when there are high-profile app issues, it comes down to the applications themselves being created in a rush.
Remember when the failure of the Iowa Caucus App dominated the news cycle?
While there was a complex web of events (and many even felt a conspiracy) surrounding that particular failure, one simple fact is truly undeniable:
When you try to create an app too quickly, you are setting yourself up for failure.
In fact, even if you take your time and do everything correctly, sometimes there can still be issues.
When the mobile mental health app craze started, UK Healthcare provider Babylon reported a data breach of its GP video appointment app.
However, they were on top of it, and able to correct it within a few hours.
The fact that so many other apps are being released and widely used globally with glaring security holes means that either some mobile healthcare providers do not know, or do not care that their apps are faulty.
The Pandemic Put Pressure On Healthcare Providers and Accelerated the Spread of these Apps
It’s likely that the desire to release these apps quickly trumps everything else, and that many of these apps have not been properly tested and tweaked before release.
In fact, data from Verizon shows that 40% of healthcare organizations prioritize time-to-market over any application security concerns.
COVID placed heavy demands and incredible pressure on healthcare systems around the world. In the rush to alleviate and correct this with apps. The demand for them spiked and it appears that security concerns have taken a back seat.
However, even as the height of the pandemic has passed, many of these apps are still quite problematic. Mental health apps especially are still infamous for their widespread security issues.
Also, a report from the end of last year shows that security issues are a huge problem with many cloud-based apps, which many healthcare apps are. However, despite these issues, the mobile healthcare sector still depends on the cloud for many of its apps.
“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do.” Bill Horne, General Manager of the Secure Systems product group and Chief Technology Officer at Intertrust told SecurityMagazine. “The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.”
It All Adds Up to Big Problems
Especially Americans, who have to deal with a notoriously expensive and inefficient healthcare system, desperately need help. For many of the people who need healthcare the most, it is simply not possible to access it. That is why there is a huge demand for tech to intervene.
It makes sense that app creators and healthcare companies want to release these apps as quickly as possible. They want to exploit this market and join the fray as soon as they can.
Unfortunately, this has created a widescale security nightmare and cybercriminals have been quick to take full advantage of it.
Data theft groups are targeting Patient-generated health data (PGHD) with a variety of tactics.
This includes code injections / SQL injections, errors, and even cross-site scripting.
Hackers are also using social engineering and corporate hacking through ransomware viruses to take advantage of people and steal their data.
Final Thoughts on Healthcare Apps and Their Security Issues
Healthcare apps are going to be a key part of the future of medicine, but it appears these apps still need a lot of work.
Further investigation needs to be conducted into these apps so that the full scope of the problem can be realized and corrections can be made. This will be critical as we move forward with them.
Likely, as we progress out of this chaotic time and these apps become more normalized in usage, they will be improved in many ways.
Healthcare apps can truly benefit people in many ways. Many patients with limited mobility or without reliable transportation, amongst others, could benefit greatly from being about to have a video call with healthcare providers.
Of course, these apps are important and will provide a very necessary service to people around the world. However, it cannot be denied that they still have some big security issues.
It’s important to remember that rocky starts are common at the early stages of any big wave of innovation. However, it is also important to remember that releasing apps quickly, without the proper testing, is never a good idea.
What do you think? Comment below.
Since 2009, we have helped create 350+ next-generation apps for startups, Fortune 500s, growing businesses, and non-profits from around the globe. Think Partner, Not Agency.
Find us on social at #MakeItApp’n®
