Mobile apps are one of the most significant areas of growth in the healthcare industry. Before 2020, the market grew at more than 20% a year and is on its way to being worth $130 billion by 2022. And that was before the COVID-19 crisis, which has pushed many in-person interactions online. In 2019, just 11% of patients used telehealth; in April 2020, the number jumped to 46%.
Given this unprecedented growth in adoption, has healthcare application security kept pace?
To investigate, we analyzed 100 apps (50 each on iOS and Android) encompassing four major categories:
- Telemedicine/Patient Engagement
- Health Commerce
- Medical Device Apps
- COVID-tracking
The report reveals significant weaknesses in mHealth apps across the board, and examines in depth the most prevalent threats to medical app security and the danger each one poses.
The rise of healthcare apps
Post-pandemic, the number of mobile healthcare applications is rising rapidly. In fact, the number of mHealth apps available in the Apple App Store rose by over 18% from Q1 2020 to Q1 2021. No surprise, as these apps can solve and simplify several aspects of the healthcare process for all parties involved.
For patients, these apps let them schedule, monitor, and track their health from the safety of their home. They can order prescriptions, check test results, and consult with doctors. More importantly, together with their healthcare provider, they can remotely monitor and regulate many medical devices, such as insulin pumps and glucose monitors, all from their phone or tablet.
For healthcare organizations, the reduced service delivery costs make a considerable difference to their bottom line. In the U.S. alone, preventative healthcare apps for diabetes and asthma care, cardiac rehabilitation, and pulmonary rehabilitation are projected to save $7 billion a year in hospital admissions.
However, this rise in popularity brings increased security risk to patient data and to the provider systems that the apps access. Collectively, these apps store, process, and exchange a tremendous amount of sensitive information for millions of patients, and this data is very lucrative for cybercriminals. Stolen healthcare records can fetch up to $1000 per record on the dark web.
Mobile healthcare application security risks
Healthcare organizations get attacked at double the rate of other industries, with an increasing number of compromises tied to mobile devices. Verizon’s Mobile Security Index 2020 stated that 38% of healthcare cybersecurity incidents are mobile-related.
While mobile devices and operating systems have some built-in safeguards, they are generally insufficient to prevent hackers from finding and exploiting vulnerabilities and security flaws in mobile healthcare apps. Once in, cybercriminals can steal patient and payment data, copy proprietary algorithms and other Intellectual Property (IP), locate and extract cryptographic keys, inject malicious code into apps, and even find their way into critical back-end systems.
With patient privacy, safety, regulatory compliance, and organizational digital infrastructure at risk, mobile app security should be a priority for every healthcare organization. Yet that same Verizon report also states that nearly two-fifths of healthcare organizations admitted that the imperative to get an app out took precedence over healthcare application security. Our analysis of healthcare apps confirmed this finding.
Every app we tested had at least one fundamental security issue, and the vast majority (71%) contained at least one high-level security flaw. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
What our investigation revealed about mobile healthcare application security
We tested apps using an array of static and dynamic analysis techniques aligned with the OWASP mobile security risks. We rated vulnerabilities according to the Common Vulnerability Scoring System (CVSS), an independent, internationally used severity classification. Here are some key findings:
- Every Android app we analyzed, and 72% of iOS apps, contained four or more vulnerabilities.
- Cryptographic weaknesses and insufficient protection of stored data were the most prevalent issues in mHealth apps.
- Most medical apps (91%) have weak encryption, which puts them at risk of data exposure and IP (intellectual property) theft.
- 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
- The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
- 83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.
When drilling down into specific app categories, health commerce apps were the worst offenders by number of vulnerabilities (80% had 7+). Telemedicine apps had the highest prevalence of high-risk vulnerabilities (80%). We also found that COVID-tracking apps were less vulnerable than other healthcare apps, with fewer than 40% containing high-risk vulnerabilities.
Our report on Global mHealth Application Security
The Zimperium report is an essential document for organizations and vendors that are part of the healthcare supply chain. Our analysis of threats to medical app security, along with the regulatory compliance implications of specific vulnerabilities, allows teams to understand where the most significant risks arise and how to mitigate them.
To read the full report on healthcare application security, its vulnerabilities, and areas of improvement, please download it here.