App shielding

How to protect your mobile health and medical apps

Healthcare apps are among the most targeted applications for malicious actors, due to the sensitive information they carry. This article outlines the top threats to look out for, as well as how to secure your health or medical app using application shielding.

What are the top cybersecurity threats to mobile health and medical apps in 2022? And how do you protect patient data and protected health information (PHI)?

Healthcare records are among the most valuable data traded on the dark web. A recent study shows that popular mobile health and medical apps are potentially compromising millions of patient records, exposing social security numbers, addresses, birthdates, allergies, medications and other sensitive data. With more than 318,000 mobile health apps available on major app stores, the risk is real and increasingly complex. 

Many health and medical apps lack basic security controls and are vulnerable to data leakage, and the weaknesses involved are well known to attackers. But what are the top threats? And how can you protect your apps while maintaining an optimal user experience?

Top threats to mobile health and medical apps

Data tracking and theft

According to research published in the British Medical Journal, nearly all popular mobile health apps harvest and track data. The researchers carried out an in-depth analysis of over 20,000 mobile health apps on the Google Play Store, and discovered that the vast majority (88%) were using tracking identifiers and cookies to track activities. The research also found that one-third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device was connected, potentially providing information on the user’s location.

Unauthorised access

The main threat to privacy and confidentiality is unauthorised access to protected health information (PHI). According to a report from Knight Ink and Approov, the 30 most popular mobile health apps are highly vulnerable to API attacks, which could enable unauthorised access to full patient records, including protected health information and personally identifiable information. 

Reverse engineering

Roughly a quarter of the apps (27%) in Knight Ink and Approov’s report were not secured against reverse engineering. Attackers use techniques such as static and dynamic code analysis to learn how your app functions, and with this knowledge they can exploit your app’s weaknesses, discover trade secrets and extract credentials. In general, all mobile code is susceptible to reverse engineering, but code written in languages that allow for dynamic introspection at runtime (Java, .NET, Objective-C, Swift) is particularly at risk, because class, method and type names survive compilation and can be recovered directly from the bytecode or binary.

How to mitigate the OWASP Mobile Top 10 

We have created a checklist on how app shielding can secure your apps, based on the ten most common threats to mobile applications listed by OWASP. The checklist highlights the security flaws and vulnerabilities developers need to protect their applications against.

Fake apps

By tampering with a genuine app and redistributing it via unofficial app stores, cybercriminals can build a fake app that looks like the real app of the health organisation they want to target. Fake apps trick users into divulging their username, password and other valuable personal information. Once the unsuspecting user has shared their information, attackers can use it to gain unauthorised access to the real service.

Rooting and jailbreaking

Despite the two different names, rooting and jailbreaking are essentially the same. The first term is used for Android devices, the second for iPhones. By exploiting a vulnerability in either the hardware or the software of a mobile device, the user or an attacker gains rights within the system all the way up to superuser (root) privileges. On a rooted or jailbroken device the operating system’s integrity protections are disabled, so unapproved apps can be installed, another app’s private storage can be read, and the app’s runtime can be hooked or modified, allowing attackers to launch effective attacks.
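Before an app decides whether to trust the environment it runs in, it needs some signal that the device is rooted or jailbroken. The following is an added example, not Promon’s code or the page’s own, that implements the classic filesystem-and-build-property heuristics in Python so they can be run anywhere: it inspects a filesystem root for artefacts that rooting tools and jailbreaks typically leave behind (the `su` binary, Magisk’s data directory, Cydia, MobileSubstrate) and, on Android, for system properties that indicate a debuggable or test-signed build. The indicator paths and the `demo()` filesystems are assumptions constructed for the example; on a real device `fs_root` would be `/` and `props` the output of `getprop`, and a production app would implement the same checks natively in Kotlin or Swift.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Filesystem artefacts commonly left behind by rooting tools on Android and by
# jailbreaks on iOS. Reference list, not exhaustive: every entry is a heuristic
# that a root-hiding module (e.g. Magisk's DenyList) can remove or mask.
INDICATOR_PATHS: Dict[str, List[str]] = {
    "android": [
        "system/bin/su", "system/xbin/su", "sbin/su", "system/sd/xbin/su",
        "data/adb/magisk", "system/app/Superuser.apk",
    ],
    "ios": [
        "Applications/Cydia.app", "Library/MobileSubstrate/MobileSubstrate.dylib",
        "bin/bash", "usr/sbin/sshd", "etc/apt", "private/var/lib/apt",
    ],
}

# Android system properties whose values indicate a non-production build.
SUSPICIOUS_PROPS: Dict[str, str] = {
    "ro.build.tags": "test-keys",  # firmware signed with AOSP test keys
    "ro.debuggable": "1",          # any app can be attached to with a debugger
    "ro.secure": "0",              # adb runs as root
}


def root_indicators(platform: str, fs_root: str,
                    props: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the names of every indicator found under fs_root.

    fs_root is "/" on a real device; the demo below points it at a scratch
    directory so the check runs on any machine. Paths are stored without a
    leading slash so os.path.join keeps them relative to fs_root.
    """
    found: List[str] = []
    for rel in INDICATOR_PATHS[platform]:
        if os.path.exists(os.path.join(fs_root, rel)):
            found.append(f"path:{rel}")
    if platform == "android" and props:
        for key, bad_value in SUSPICIOUS_PROPS.items():
            if props.get(key) == bad_value:
                found.append(f"prop:{key}={bad_value}")
    return found


def is_compromised(platform: str, fs_root: str,
                   props: Optional[Dict[str, str]] = None) -> bool:
    # One hit is enough to treat the environment as untrusted. The converse
    # does not hold: an empty list means "nothing seen", not "device is safe".
    return bool(root_indicators(platform, fs_root, props))


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run the check against three constructed filesystems (clean Android,
    rooted Android, jailbroken iOS) and return the three indicator lists."""
    with tempfile.TemporaryDirectory() as clean, \
         tempfile.TemporaryDirectory() as rooted, \
         tempfile.TemporaryDirectory() as jailbroken:
        # Rooted Android: an su binary in /system/xbin plus Magisk's data dir.
        os.makedirs(os.path.join(rooted, "system/xbin"))
        open(os.path.join(rooted, "system/xbin/su"), "w").close()
        os.makedirs(os.path.join(rooted, "data/adb/magisk"))
        # Jailbroken iOS: Cydia installed.
        os.makedirs(os.path.join(jailbroken, "Applications/Cydia.app"))

        clean_hits = root_indicators(
            "android", clean, {"ro.build.tags": "release-keys", "ro.debuggable": "0"})
        rooted_hits = root_indicators(
            "android", rooted, {"ro.build.tags": "test-keys", "ro.debuggable": "0"})
        jailbroken_hits = root_indicators("ios", jailbroken)
    return clean_hits, rooted_hits, jailbroken_hits


if __name__ == "__main__":
    for label, hits in zip(("clean", "rooted", "jailbroken"), demo()):
        print(f"{label:10s} -> {hits or 'no indicators'}")
```

Treat the result as one signal among several rather than a verdict: root-hiding tools exist precisely to defeat path checks like these, which is why shielding products combine them with debugger, hook and emulator detection at runtime and respond inside the app rather than simply reporting.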

Backend server attacks

Data at rest is extremely vulnerable. Most data protection breaches you read about involve data stolen from the servers where it is stored, and because all of your data is concentrated there, a single breach can affect a large number of patients (and other users). Data-at-rest encryption in the app protects patient information, but it does not necessarily cover the network access data the app needs to reach the backend: server addresses, API keys, usernames and passwords. If those are embedded in the app in the clear, an attacker can extract them and use them to attack the backend server directly.
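To make the last point concrete, here is an added example (written for this article, not Promon’s code or the page’s own) of the kind of triage an attacker or a pentester runs over an unprotected build: a small scanner that reads the text a tool like `strings` or a decompiler pulls out of an app binary and flags backend URLs, Basic-auth headers, cloud access keys, credential assignments and embedded private keys, then decodes any Basic-auth value it finds. The dump it scans is constructed for the example (the hostname, credentials and key ID are invented; `AKIAIOSFODNN7EXAMPLE` is the documentation placeholder AWS uses, not a live key), and the benign-host list is an assumption to show how framework noise is filtered out.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `strings` or a decompiler pulls out of a mobile
# app build. Invented for this example, not taken from any real app. Note how
# ordinary class names sit right next to live backend details.
SAMPLE_DUMP = """\
Lcom/example/health/api/ApiClient;
https://api.example-health.test/v2/patients
Authorization: Basic YWRtaW46czNjcjN0
AKIAIOSFODNN7EXAMPLE
db_password=Winter2021!
http://schemas.android.com/apk/res/android
-----BEGIN RSA PRIVATE KEY-----
"""

# Hosts that appear in almost every build and are not backend secrets
# (assumed list; extend it per project to cut noise).
BENIGN_HOSTS = ("schemas.android.com", "www.w3.org", "developer.apple.com")

PATTERNS: Dict[str, re.Pattern] = {
    "backend_url": re.compile(r"https?://([A-Za-z0-9.\-]+)(?:/[^\s\"']*)?"),
    "basic_auth_header": re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)"),
    # AWS access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 chars.
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # password=..., pwd: ..., secret=..., api_key=... (no leading \b so that
    # names such as db_password still match).
    "credential_assignment": re.compile(
        r"(?i)(?:passw(?:or)?d|pwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def scan_dump(dump: str) -> List[Dict[str, object]]:
    """Return one finding per (line, pattern) hit, in dump order."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "backend_url" and m.group(1) in BENIGN_HOSTS:
                continue  # framework namespace URL, not an endpoint
            findings.append({"line": lineno, "kind": kind, "match": m.group(0)})
    return findings


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic auth header, or None if the
    value is not well-formed base64 of "user:password"."""
    m = PATTERNS["basic_auth_header"].search(header_value)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"line {f['line']:>2}  {f['kind']:<22} {f['match']}")
        if f["kind"] == "basic_auth_header":
            print("          decodes to", decode_basic_auth(str(f["match"])))
```

Every hit in the sample is a ready-made backend attack: the endpoint tells the attacker where to connect, the decoded Basic-auth pair and the key ID tell them how to authenticate, and none of it is protected by encrypting patient records at rest. Running the same scan over your own release build before shipping is a cheap way to find what obfuscation, string encryption or secure storage still needs to cover.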

Ransomware

Ransomware is perhaps the most common form of attack on healthcare organisations, and health and medical apps are one of the ways in. Between July and September 2021, researchers found 68 healthcare ransomware attacks globally, and medical clinics are particularly at risk. Attackers may, for example, tamper with a health or medical app to gain unauthorised access to backend servers, and then install malware as part of a ransomware attack.

Secure your health and medical apps with Promon SHIELD™

Protect patient data and protected health information (PHI), and meet regulatory requirements, with Promon SHIELD™. Our state-of-the-art security technology offers multi-layered app protection and enables you to:

  • Prevent reverse engineering and tampering
  • Protect patient data and maintain trust
  • Safeguard protected health information (PHI)
  • Meet regulatory requirements

Prevent reverse engineering and tampering

Our app shielding solution Promon SHIELD™ modifies an app’s bytecode or binary code to make it more resistant to tampering, reverse engineering and malware attacks. App shielding should be your first line of defence when securing your health and medical apps. Unlike tools that scan or test for vulnerabilities before release, app shielding detects and prevents attacks in real time. When your app is shielded, it becomes self-protecting in any environment it is released into.

Protect patient data and maintain trust

With Promon SHIELD™, sensitive patient data is protected against static attacks on the user’s device and within the app itself. Encryption keys are never stored on the device or embedded in the app’s static code; they are generated dynamically on the device and protected by our white-box-backed solution. Combining code protection with multi-layered runtime protection makes your health and medical apps less prone to data theft and other cyberattacks.

Why app shielding is important for healthcare apps

The latest Hype Cycle from Gartner recommends that high-value apps that store or access sensitive information should consider adopting application shielding.

Download the Gartner® Hype Cycle™ for Application Security 2022, to read more about why high-value apps must consider app shielding and recommendations from Gartner.

Safeguard protected health information (PHI)

Storing sensitive app data on the device without proper protection can have huge consequences, so health and medical app providers should go beyond basic security measures. With Secure Local Storage (SLS) in Promon SHIELD™, you can protect dynamic data within the app: the feature stores app secrets locally on the end-user device in an encrypted form, even if the device is rooted or jailbroken. With Secure Application ROM (SAROM), you also keep your static app secrets safe.

Meet regulatory requirements

Promon SHIELD™ adds strong data protection controls to help you stay compliant with regulations such as PSD2, GDPR, CCPA, PCI developer guidelines, and more.

Importantly, compliance with the Health Insurance Portability and Accountability Act (HIPAA) does not protect your health and medical apps against all cyber threats. Mobile security is key to HIPAA compliance, but a HIPAA-compliant app is not automatically a secure app, and the massive acceleration in the use of telehealth means that a more comprehensive solution is required.

Promon SHIELD™ offers the most comprehensive app shielding solution on the market. In addition to applying robust obfuscation to your Android, iOS and JavaScript apps, Promon SHIELD™ monitors your app’s runtime behaviour and detects when your app is executing in an insecure environment.


Are you interested in learning more about app shielding, and how it can bring value to your organisation?