IS YOUR HEALTH DATA IN DANGER?
A detailed inspection and examination of the 30 most widely used mobile health (mHealth) management applications was performed. Knight Ink, a leading merchandising company in cybersecurity, performed the analysis, and Approov, an API security company, sponsored the program. The report released by Knight Ink suspects that these applications are highly vulnerable. According to the report, these apps reveal the personal information, health records, medical history, and other records of millions of patients registered with them.
Knight Ink’s report in detail:
The investigation team reverse-engineered all 30 applications. They performed penetration testing on the app APIs and analyzed the static code. The researchers say that all the tested mobile app APIs were found vulnerable to BOLA (Broken Object Level Authorization) attacks. Some of them allowed unauthorized access to patients' admission records, while others exposed clinical results, including X-rays and pathology reports.
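As an added illustration (not code from the Knight Ink report or from any tested app), the sketch below puts the BOLA pattern named above next to a handler that enforces object-level authorization. The record IDs, users, roles and function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "patient" or "clinician" (assumed roles for this example)


# Constructed sample data: hypothetical record IDs, patients and care teams.
RECORDS = {
    "rec-1001": {"patient_id": "alice", "care_team": {"dr_lee"},
                 "type": "pathology report"},
    "rec-1002": {"patient_id": "bob", "care_team": {"dr_khan"},
                 "type": "X-ray"},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_record_vulnerable(session: Session, record_id: str) -> dict:
    # BOLA: the caller is authenticated, but nothing ties record_id to them,
    # so any logged-in user can read any record whose ID they supply.
    return RECORDS[record_id]


def may_read(session: Session, record: dict) -> bool:
    # Object-level rule: patients read their own records,
    # clinicians only records of patients on their care team.
    if session.role == "patient":
        return record["patient_id"] == session.user_id
    if session.role == "clinician":
        return session.user_id in record["care_team"]
    return False  # unknown roles are denied by default


def get_record_checked(session: Session, record_id: str) -> dict:
    record = RECORDS.get(record_id)
    # Same error for "does not exist" and "not yours", so responses
    # do not reveal which record IDs are valid.
    if record is None or not may_read(session, record):
        raise Forbidden("record not available")
    return record


if __name__ == "__main__":
    alice = Session("alice", "patient")
    print(get_record_vulnerable(alice, "rec-1002")["type"])  # bob's data leaks
    try:
        get_record_checked(alice, "rec-1002")
    except Forbidden as exc:
        print("denied:", exc)
```

The check runs on the server for every object lookup; hiding record IDs in the client does not replace it.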
The report kept the names of the tested applications and their developers under wraps. These apps are from notable international IT companies with revenue of more than $600 million. Around 15,000 employees work in each of these companies.
77% of the mobile app APIs had hard-coded keys, and 7% of the APIs had hard-coded passwords and usernames. Some apps also allowed third-party access that exposed the user's PII (Personally Identifiable Information) and PHI (Protected Healthcare Information). Most of the keys were stored in plain text and not encrypted.
The biggest concern:
The pandemic has driven a high number of downloads of mobile health applications. The investigated apps are highly popular and have an average of 772,619 downloads. All the apps allow doctors to schedule patient meetings and review patient charts. In addition, some applications provide access to patients' clinical history, photos, health records, and other data.
How to be cautious?
Staying alert and following a few guidelines can help protect you from a data breach.
Some things that you should keep in mind:
- Be careful when granting permissions to an app, and check your device’s default privacy settings.
- Use authenticated applications and download them from trusted sites.
- Don’t share personal and confidential information through messages.
- Encrypt the app data. This is where most apps are vulnerable: they save the encryption keys in plain text that is easily accessible. If the app doesn’t provide proper encryption, use external tools that can handle confidential information properly.
- Prevent data caching. Caching makes things easier for the user, but sensitive data can be copied to the clipboard or the user dictionary as plaintext.
- Look for certification signs, for example the TRUSTe® seal. Some vendors use it to indicate that they follow cybersecurity guidelines.