One truth that is consistent across every sector—be it technology or education—is that software is vulnerable, which means that any device running software applications is also at risk. While virtually any application-running device could be compromised by an attacker, vulnerabilities in medical management apps pose a unique and more dangerous set of problems.
Now add to vulnerabilities the issue of data privacy, especially that of sensitive medical information, and you have a perfect storm.
In a recent report, Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis, published by BMJ, researchers analyzed the top-rated Android apps for medicine management and found that 19 out of the 24 tested apps shared user data outside of the app.
Because medical records are such a lucrative data set, attackers often target the healthcare industry, seeking out and eventually finding the weakest link in the supply chain. That's why it’s important for stakeholders to consider the broader implications of weaknesses in health and medical apps.
According to the US Food & Drug Administration (FDA), medical apps that pose risks to patient health and safety have been regulated since 1997. “While many mobile apps carry minimal risk, those that can pose a greater risk to patients will require FDA review.”
As medical management apps offer the convenience of care at home, some devices have become directly intertwined with patient care. While some apps may only offer benign image-processing services, others may include data on test results, appointments, drug refills, and more. This is why the FDA categorizes medical apps by risk.
What could go wrong?Security concerns come not necessarily from the app itself, but from third parties that are creating the apps that interface with that data. “Developers relied on the services of infrastructure related third parties to securely store or process user data, thus the risks to privacy are lower. However, sharing with infrastructure related third parties represents additional attack surfaces in terms of cybersecurity,” the BMJ report said.
“Furthermore, the presence of trackers for advertising and analytics, uses additional data and processing time and could increase the app’s vulnerability to security breaches.”
Data that sits on any app or database can be compromised, but medical management apps are home to a trove of private information and different types of proprietary data, as well as whatever the healthcare provider has interfacing with that app, according to penetration tester, Mike Jones.
“From what I’ve experienced with medical management apps, the risks are through the roof because the apps are not under the same regulations as the Health Insurance Portability and Accountability Act (HIPAA). When you look at the amount of data that any kind of home health or medical service offers, if it is managed through an app, one of the biggest concerns is data leakage.”
Sharing and selling data might be a new reality in today’s digital, research-driven world, but it’s important to first strip the data of its context so that patient privacy is not interfered with. Yet, sharing and securing data don’t have to be mutually exclusive concepts, said Warren Poschman, senior solutions architect at comforte AG.
“Want to know what meds I’m taking or what procedures I’ve had so it can be cross referenced and insights gained? Absolutely! Want to know that it was me specifically that takes that medication or has had those procedures? Absolutely not! Regulatory bodies need to start ensuring that companies anonymize the data so that it can be safely used no matter where it travels to.”
Risk extends beyond the medical dataPerhaps even more concerning than an attacker being able to access the data collected or stored on these apps is the reality that if a malicious actor tampers with them, patients can get the wrong medications or medications could be diverted to different places, Jones said.
In Hacking the Hospital, a two-year study that evaluated cybersecurity risks in hospitals, Independent Security Evaluators (ISE) found two different web applications through which an adversary could remotely “deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities,” the report said. That was in 2016.
Fast forward three years, and ISE, executive partner Ted Harrington remains concerned about the risks to patient safety with medical management apps.
“What is critically important is that these solutions ensure that the appropriate amount of medicine goes to the right patient.”
When it comes to patient safety, the healthcare industry has established practices of redundancies, but these practices have largely been influenced by regulations. Highly-regulated industries are motivated to make changes in order to be compliant, but compliance isn’t synonymous with security, Harrington said.
Though many medical apps are regulated by the FDA, medical management apps don’t fall under HIPAA regulations, and those established practices that ensure patient safety among the providers and staff aren’t usually extended to software.
Still, there are a variety of direct and indirect implications for those that are responsible for delivering care if medical apps are compromised in any way.
“The delivery of care relies heavily on technology, which needs to be accurate,” Harrington said. “If there were instances that demonstrated these solutions are inaccurate, that could undermine faith in technology, and that can negatively impact things like the speed at which professionals can deliver care. Speed is second only to accuracy in the delivery of care.”
Where do apps go from here?It’s a question to which there is no single, clear answer. The complexities and speed of innovation have created formidable obstacles when it comes to the security of medical and health apps.
As technology advances, more developers are relying on artificial intelligence and machine learning in software, “deriving new and important insights from the vast amount of data generated during the delivery of health care every day. Medical device manufacturers are using these technologies to innovate their products to better assist health care providers and improve patient care,” according to the FDA.
These changes in technology also drive the evolution of regulations, which Jones said have to ensure security throughout the development lifecycle. The FDA is, in fact, “considering a total product lifecycle-based regulatory framework for these technologies that would allow for modifications to be made from real-world learning and adaptation, while still ensuring that the safety and effectiveness of the software as a medical device is maintained.”
Greater than good intentionsWithout falling victim to fear, uncertainty, and doubt, there is reality to the belief that medical management apps can be the difference between life and death. To shift the focus from compliance to security, Harrington said, “We need to understand technology the way an attacker would understand it. How would a hacker exploit this technology? So, you start with building out a threat model.”
Not all hackers are financially motivated, which is why it’s also important to perform a security assessment that goes beyond running a scanner. “That’s ineffective,” said Harrington. “You need to go deeper, as deep as an attacker would.”
Increasingly, more security-minded professionals are advocating for developers to take more personal responsibility. I am the Cavalry, for example, recently published The Case for a Hippocratic Oath for Connected Medical Devices: Viewpoint in the Journal of Medical Internet Research (JMIR), in which the authors ask whether manufacturers and adopters of these connected technologies should be governed by the symbolic spirit of the Hippocratic Oath.
“The idea of holding developers responsible is in the right spirit,” Harrington said. After all, if a bridge collapses and an investigation finds that it was structurally deficient, contractors, inspectors, maintenance, and even the engineers who designed the bridge can be charged with negligence. Should not the same be true of those that build the technology that bridges the gap between medical professionals and patients?