Most healthcare apps have weak security, report finds
A recent assessment of some of the most popular mobile healthcare apps has revealed serious security vulnerabilities across the board. Among them are Covid-tracking apps, of which 85 per cent were found to leak data.
Software firm Intertrust Technologies analysed 100 apps using testing based on the Open Web Application Security Project mobile app security guidelines.
Among the categories evaluated, telemedicine apps as well as health commerce apps were the most vulnerable when it came to high level security issues, a concern given the increased reliance on telemedicine since the pandemic began.
The assessment found that 71 per cent of tested medical apps have at least one high-level security vulnerability - defined as high because it can be readily exploited and has the potential for significant damage or loss.
Weak encryption was found in 91 per cent of the apps, putting them at risk of data exposure and intellectual property theft. Data storage is also an issue, with 60 per cent of tested Android apps storing information in SharedPreferences, which leaves unencrypted data readily readable and editable by attackers and malicious apps.
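As an added illustration of the SharedPreferences finding (not code from the report or from any of the apps it tested), the Kotlin below places the plaintext pattern beside its encrypted alternative; the file names, the key name and the use of the Jetpack Security library are assumptions made for the example.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// The weak pattern behind the "60 per cent" figure: a plain SharedPreferences
// file. It is written as cleartext XML in the app's private shared_prefs
// directory, so on a rooted or otherwise compromised device, or through a
// backup, the value can be read and edited without any further work.
fun storeSessionTokenInsecurely(context: Context, token: String) {
    context.getSharedPreferences("session", Context.MODE_PRIVATE)
        .edit()
        .putString("auth_token", token)   // "auth_token" is a constructed key name
        .apply()
}

// Hardened form: EncryptedSharedPreferences from Jetpack Security
// (androidx.security:security-crypto). Keys and values are encrypted with a
// master key held in the Android Keystore, so the on-disk XML holds only
// ciphertext and the key never leaves the hardware-backed store where present.
fun secureSessionPrefs(context: Context) =
    EncryptedSharedPreferences.create(
        context,
        "session_secure",                  // constructed file name
        MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

fun storeSessionTokenSecurely(context: Context, token: String) {
    secureSessionPrefs(context).edit().putString("auth_token", token).apply()
}

fun readSessionToken(context: Context): String? =
    secureSessionPrefs(context).getString("auth_token", null)
```

Encrypting the file narrows what an attacker gains from reading it; it does not excuse keeping unnecessary sensitive data on the device in the first place, which is the design-phase point the report makes.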
So why are vulnerability issues so common? Bill Horne, VP and GM of Intertrust Secure Systems, tells us it's simply to do with the way the apps are designed. "Much of it has to do with the way the app stores and handles sensitive data. It is important that security best practices be employed during the application design phase. For example, 91 per cent of apps tested had mishandled or weak encryption. But even once the app is past the design phase, many of these issues can be fixed by the developers and security engineers; it's a matter of time and tools."
A major worry is the discovery that most of the Covid tracking apps tested are not storing people's data safely, at a time when populations are being encouraged to use such apps. "This is not something new," Horne says. "A security flaw in Qatar's contact tracing app potentially exposed the sensitive data of more than one million users, while the Indian government's contact tracing app initially leaked location data, and the UK's NHS had to abandon its contact tracing app due to multiple security issues discovered during its trial run. Misconfigured databases, poor encryption, insecure data storage and access are a few reasons why this sensitive data is relatively easy to extract."
For the user, the consequences can be very serious depending on the type of information hackers can get hold of. "Healthcare records and personal information are being sold on the black market for as much as $1000 per record - this is an enormous motivation. For organizations, the consequences are regulatory violations and fines, service disruption, and IP theft. On the consumer end, this means lack of privacy, possible identity theft, even threats to their personal safety if location data is stolen, or if connected device apps are tampered with or data altered."
While it may not be possible for an app to ever be 100 per cent secure, layers of protection can be added that make it too difficult for hackers to access data. "There are numerous security solutions that can help strengthen apps, but everything begins with the internal priorities and approach of organisations," Horne says. "Most organisations still take a very reactive approach towards security. They need to be more proactive. A strong security policy for software development ensures that security best practices are employed from the beginning."
"Additionally, there are products like application protection that protect source code, white-box cryptography solutions that strengthen and protect cryptographic keys, data protection solutions and network security solutions, that when combined, create multiple levels of security to make it really difficult for a hacker to break in."