Healthcare mobile application developers now face heightened scrutiny over security and privacy vulnerabilities. The American Medical Association (AMA) recently encouraged companies that make mHealth apps and connected devices that collect health information to adopt privacy by design principles. And in 2022, all mHealth app makers must comply with the Federal Trade Commission’s Health Breach Notification Rule. Any covered entity that fails to disclose a security breach properly may now be fined up to $43,792 per violation, per day.
The rule requires makers of mhealth apps and devices that collect personal health information to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media.
What Is mHealth?
Short for mobile health and a subset of the electronic health (eHealth) category, mHealth refers to the practice of medicine and public health via mobile devices. mHealth solutions include mobile apps and mobile devices such as wearables that facilitate remote monitoring and data collection, improve clinical outcomes, deliver disease-related education, support behavioral change intervention and contact tracking. (Learn more about three such mHealth apps that NowSecure software and services help to secure in LifeOmic, MyOwnMed and Tidepool case studies.)
Healthcare practitioners have been on the leading edge of mobile computing since the introduction of Palm Pilots in 1997 and tablets in the early 2000s. Today caregivers communicate with patients and conduct follow ups on any number of mobile applications. Connected devices and wearables monitor heart rate and blood pressure from hundreds of miles away, issuing alerts to smartphones.
In essence health data has never been more widely shared across so many platforms. Today patients engage in their own care, clinicians connect to patients outside of the exam room and new platforms create an ecosystem of care.
Today U.S. hospitals have roughly 10 to 15 million medical devices with an average of 10 to 15 connected medical devices per patient bed, according to research from security company Zingbox. Companies such as Medtronic made securing Internet of Things (IoT) healthcare devices a priority after a security researcher hacked an insulin pump in 2018. Since then pacemakers, cardiac defibrillators and devices using Siemens Nucleus Real-time Operating System have all been found vulnerable.
Interoperability in healthcare – the ability to establish connectivity and communication between devices and IT systems and between data and workflows while enabling secure and transparent data exchange – has long been a challenge. Secure and private by design principles must factor in interconnections of data that rarely exist in other industries.
mHealth app makers should pay special attention to properly securing the sensitive data that flows from their apps on smartphones and IoT devices. “While users have been adopting health apps at a rapid rate, the commercial owners of these apps too often fail to invest in adequate privacy and data security, leaving users exposed,” said FTC Chair Lina M. Khan.
While users have been adopting health apps at a rapid rate, the commercial owners of these apps too often fail to invest in adequate privacy and data security, leaving users exposed. – Lina M. Khan, Chair, Federal Trade Commission
Indeed, a NowSecure ongoing benchmark review of healthcare apps available on the Apple® App Store® and Google Play™ store shows that many mHealth apps contain vulnerabilities that leak data to an undisclosed party or even other applications.
Scoring mHealth Privacy and Security
Similar to grades in school, the NowSecure MobileRiskTracker™ scores mobile apps on a scale of 0-100 and assigns a pass or fail letter grade from A (100-90), B (89-80), C (79-70), D (69-60) or F (59 or less). Mobile apps that score an A or B represent high-quality, low-risk apps considered to be the most secure. Testing verifies that these mobile apps protect credentials, encrypt personal information and online transactions, and properly use device permissions.
The mobile apps that scored a C (79-70) have medium risks and should be used with caution and monitored for strange activity or scores changing with updates. Mobile apps in the C range may leak sensitive information or have excessive permissions that are unnecessary, such as a flashlight app that gains permissions to access a contact address book, GPS data or a camera.
Applications that scored a D or F (69 or less) represent a high risk and should not be used until security bugs are fixed by their developers. Failing apps have known software flaws that developers of these mobile apps should be aware of and address immediately, such as leaking unencrypted user ID or password or other personal account info over a network or being open to man-in-the-middle attacks or data harvesting.
Out of 595 popular healthcare-related mobile apps on public marketplaces, the average security and privacy risk score is 69 (D). Many in the healthcare category contain at least one vulnerability that fails to secure network communication or configuration error that could expose personal data to other apps. Mobile pharma apps scored slightly lower with an average score of 66 (D). Software bugs that cause healthcare apps to fail these assessments can only be discovered through secure development practices and thorough testing.
NowSecure promotes secure by design approaches to mobile app development and welcomes the new call for accountability. As practitioners increasingly tap mHealth apps and connected devices to improve critical care, healthcare organizations must also ensure the security and privacy of data. NowSecure recommends integrating automated mobile application security into the dev pipeline, conducting outside penetration testing for high-risk mobile apps and continuously testing mobile apps in production to guard against third-party supply-chain vulnerabilities. Book a NowSecure Platform demo to see the automated mobile appsec testing tool in action.