Mobile apps are increasingly being used by the healthcare industry to provide customers with access to data and services. Your smartphone might even be monitoring the state of your health and sending that information to remote servers for analysis by your healthcare provider.
As Stephen McCarney of Arxan Technologies explains in this interview, this is seen as a way of empowering patients and is at the forefront of a drive towards ‘patient-centered’ care with the hope that, eventually, this will help improve health outcomes.
But health data is extremely sensitive, and moving and storing such data presents a ‘target-rich environment’ for hackers. Cyber-criminals like soft targets, and McCarney characterises the healthcare industry today as having “a huge soft underbelly”.
The simple fact is that while the healthcare industry likes to talk about enablement, empowerment and access, there isn’t the same kind of effort and emphasis when it comes to security.
There are multiple potential points of failure, but among the most concerning are the apps themselves and the back-end APIs to which they connect. An analysis by Arxan found a worrying level of vulnerabilities: nearly all the apps the firm tested had two of the OWASP Mobile Top 10 vulnerabilities. One of the most concerning was a lack of binary protection, which leaves an app open to reverse engineering and repackaging as a fake, trojanised version.
The problem, says McCarney, is an overall lack of appreciation of the level of risk associated with the mobile applications that are being pushed out. And while exploitation of the vulnerabilities isn’t yet at a particularly serious level, this may just mean that there is a small window of opportunity to get the problem sorted before the bad guys catch on.
And there are sound business reasons for getting this sorted: according to Arxan’s research, customers are very likely to move to a different provider if they find an app is insecure. This opens up the possibility of using security as a market differentiator.
However, this will require a continued effort in educating developers and the organisations they work for to develop best practice approaches to security.