A recent report revealed API-focused mobile attacks are exploiting vulnerabilities and shortcomings to expose patients’ personally identifiable information (PII) and protected health information (PHI). Due to the pandemic, mobile health app usage has gone up, but so has the potential to expose millions of patients’ data. An investigation conducted by cybersecurity marketing firm Knight Ink was able to uncover this by reverse-engineering 30 mobile health apps using a source security framework.
The developers of some of the apps participated under the condition of anonymity, so the names of these applications and developers remain undisclosed. However, the report noted that the apps have been downloaded a total of 772,619 times. By reverse-engineering these mobile health apps, they were able to analyze the static code and then penetration-test their APIs, where they were able to discover an abundance of vulnerabilities across the board. According to the report, 77% contained hard-coded API keys, and 7% of those API keys came from third-party payment processors that warn customers to not hard-code keys in plain text. None of the applications implemented certificate pinning, which allowed the researchers to freely conduct attacks against the apps’ communications.
Among other concerns, every API endpoint tested within the investigation was vulnerable to a broken object level authorization attack (BOLA), which allows access to personally identifiable information (PII) and protected healthcare information (PHI). Additionally, half of the tested APIs allowed unauthorized access to admissions records, or clinical results such as pathology results or X-rays.
The presence of these vulnerabilities suggests that security measures required for FHIR/SMART compliance “merely represent a subset of the steps needed to secure mobile apps and the APIs which enable apps to retrieve data and interoperate with data resources and other applications,” as stated in the report. As more monetizable data is being collected by these mobile health apps, the frequency of cyberattacks on healthcare organizations rises.
Cybersecurity has been a growing concern for healthcare organizations. In 2020, ransomware attacks became more frequent and a growing threat due to the rapid digitization of health information and remote access brought upon by COVID-19. More specifically, electronic health record (EHR) access and other similar virtual-care services are currently under intense scrutiny.
This investigation’s findings demonstrate the urgent necessity of increasing the security of data within these applications. The report recommends that all mobile health application developers and organizations:
– Address both app security and API security: synthetic traffic to the API is an issue stemming from bots and automated tools, not from apps and legitimate data requests.
– Secure the development process and harden apps but ensure that run-time protection is in place.