71% Of Healthcare Medical Apps Have A Serious Vulnerability; 91% Fail Crypto Tests
by Sudipto Ghosh
There has been a colossal rise in medical apps in the last 12 months or so. Today, mobile users rely on medical apps on their iOS and Android devices to track and manage their health, fitness and medical history. The COVID-19 pandemic provided a huge impetus to the global mobile healthcare market in 2020, giving app developers, app owners and healthcare providers a huge opportunity to stay connected with end-users — the patients and fitness enthusiasts. But, like all mobile applications, medical apps face serious threats from cyber criminals and data thieves who target devices and users in the telehealth, medical device, health commerce, and COVID-tracking segments. Data theft groups are targeting patient-generated health data (PGHD) through code injection, SQL injection, error-handling weaknesses and cross-site scripting. Social engineering and corporate intrusions delivered through ransomware during this vulnerable lockdown period are also on the rise.
Telehealth, Medical Device, Health Commerce, and COVID-Tracking at All-time High Risk
In a recent annual security report of 100 top Android and iOS healthcare applications, Intertrust has revealed serious cryptographic vulnerabilities, data leakage, and other security breaches—showing the industry needs to do far better given the massive transition to remote healthcare in the wake of COVID-19 lockdowns. Intertrust, the pioneer in digital rights management (DRM) technology and leading provider of application security solutions, released their 2020 Security Report on Global mHealth Apps today, revealing that 71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data. The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.
Patient-Generated Health Data at Highest Risk of Cryptographic Test Failure
Cryptographic issues pose one of the most pervasive and serious threats, with 91% of the apps in the study failing one or more cryptographic tests. This means the encryption used in these medical apps can be easily broken by cybercriminals, potentially exposing confidential PGHD and enabling attackers to tamper with reported data, send illegitimate commands to connected medical devices, or otherwise use the application for malicious purposes. The study’s overall findings suggest that the push to reshape care delivery under COVID-19 has often come at the expense of mobile application security.
“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do,” said Bill Horne, General Manager of the Secure Systems product group and Chief Technology Officer at Intertrust. “The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.” The Intertrust security report on healthcare and medical mobile apps is based on an audit of 100 iOS and Android applications from healthcare organizations worldwide. All 100 apps were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on the OWASP (Open Web Application Security Project) mobile app security guidelines.
Key 2020 Findings Include
The assessment revealed major security gaps in mobile medical apps across the board. Highlights from the report include:
91% Have Weak Encryption That Puts Them at Risk for Data Exposure and IP Theft. 71% of tested medical apps have at least one high-level security vulnerability. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss. The vast majority of medical apps (91%) have mishandled and/or weak encryption that puts them at risk for data exposure and IP (intellectual property) theft.
34% of Android Apps and 28% of iOS Apps Are Vulnerable to Encryption Key Extraction. The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
When looking specifically at COVID-tracking apps, 85% leak data.
83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.
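The SharedPreferences finding above is worth seeing in code. The following Kotlin snippet is an added illustration, not code from the Intertrust report or from any audited app: it shows the weak pattern (a health reading written to a plain SharedPreferences XML file, readable and editable by anything that can reach the app's private storage, including backups and rooted devices) next to the hardened pattern using Jetpack Security's EncryptedSharedPreferences, which keeps the on-disk file as ciphertext under a master key held in the Android Keystore. The file names, the key "last_glucose_mg_dl" and the sample value are constructed for the example, and the API assumed is androidx.security:security-crypto 1.1.0 or later (the variant that takes a MasterKey object).

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Weak pattern (constructed example): the reading lands in clear text in
// /data/data/<package>/shared_prefs/health_prefs.xml. MODE_PRIVATE only limits
// the Linux file permissions; it does nothing to protect the contents at rest.
fun storeReadingInsecurely(context: Context, glucoseMgDl: Int) {
    context.getSharedPreferences("health_prefs", Context.MODE_PRIVATE)
        .edit()
        .putInt("last_glucose_mg_dl", glucoseMgDl)
        .apply()
}

// Hardened pattern: keys are encrypted with AES-256-SIV and values with AES-256-GCM,
// both derived from a master key that lives in the Android Keystore. The XML file
// on disk contains only ciphertext, so reading or editing it offline yields nothing.
private fun encryptedPrefs(context: Context) = EncryptedSharedPreferences.create(
    context,
    "health_prefs_encrypted",                       // constructed file name
    MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build(),
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

fun storeReadingEncrypted(context: Context, glucoseMgDl: Int) {
    encryptedPrefs(context)
        .edit()
        .putInt("last_glucose_mg_dl", glucoseMgDl)
        .apply()
}

// Returns null when no reading has been stored yet (sentinel -1 is never a valid value).
fun lastReading(context: Context): Int? =
    encryptedPrefs(context)
        .getInt("last_glucose_mg_dl", -1)
        .takeIf { it >= 0 }
```

Switching the storage call is the easy part; the caveat a practitioner should plan for is migration. Existing installs still carry the plain-text file, so on first launch after the update the app should read any values out of the old preferences, write them into the encrypted store, and delete the old file. A quick check during testing is to pull the app's shared_prefs directory from a debug device and confirm that the encrypted file contains no recognisable keys or values.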
Currently, Intertrust provides trusted computing products and services to leading global corporations–from mobile, consumer electronics and IoT manufacturers, to service providers and enterprise software platform companies. These products include the world’s leading digital rights management (DRM), software tamper resistance, and technologies to enable private data exchanges for various verticals including energy, entertainment, retail/marketing, automotive, fintech, and IoT.
Medical apps can save lives. Thanks to enormous improvements in AI/ML and blockchain/crypto applications for security domains, app owners, healthcare providers and end-users can keep their data and privacy safe from the dark web and hacking agents.