In a test of 30 popular mobile health apps, a cybersecruity analyst found that all of them had API vulnerabilities. Potential breaches would allow for unauthorized access of patient records.
While most patients expect their health information to be secure when they download an app the reality might often be the opposite.
Several widely-used mobile health apps have basic security flaws that could leave them vulnerable to attacks, according to a report released yesterday by Knight Ink and mobile app API security company Approov.
Alissa Knight, a cybersecurity analyst and partner at Knight Ink, tested 30 popular mobile health apps for potential security vulnerabilities. All 30 were vulnerable to API attacks that could expose patient records.
Though the report didn’t disclose the names of the apps that were tested, it’s worth noting that they weren’t just niche tools created by small teams. The apps tested had an average of 772,619 downloads, and the companies that developed them had about 15,000 employees on average, and annual revenues between $600 million and $8 billion.
For example, they were the types of apps that hospitals would tell patients to download to access their lab results or records after a visit, Knight said in a phone interview.
“They were so poorly written that, using freely downloadable tools, I could change the data that I was requesting to be another patient’s records,” she said.
Application programming interfaces (APIs) serve as intermediaries processing requests for information from an app and retrieving that information from a database. Knight tested them for several vulnerabilities, including whether she could access another user’s data or breach an account.
All of the APIs were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities, that allowed her to access patient information that her account shouldn’t have been able to access. Knight used the analogy of a coat check to explain it:
One person checks their jacket, and gets a ticket with the number 18, while the person next in line gets a ticket with the number 17. By changing the number 7 to an 8, the “hacker” would be able to take the other person’s coat.
Except in this case, she was able to access patient records, lab results, x-rays, allergies, and personally identifiable information, including social security numbers.
“I was very surprised. I knew I would find BOLA vulnerabilities in mobile health apps and APIs, but I didn’t know it would be this systemic,” Knight said.
Half of the APIs she tested allowed her to access other patients’ pathology results, x-rays and other clinical information. Half of them also allowed her to access records for patients that had been admitted to the hospital as inpatients.
She also found that 77% of the apps had hard-coded API keys, and 7% contained hard-coded usernames and passwords, which would allow someone who could view the app’s code to access those users’ accounts. By accessing one hospital’s login, she was able to access 10s of thousands of patient records.
“This is really low-hanging fruit,” she said. “It requires very little sophistication, very little money. One of the tools I was using was freely available, and the apps are available in the app store for free. All you have to do is register for an account.”
The problem of cybersecurity is not limited to mobile health apps alone.
A separate survey of executives at medtech companies found that 80% of them had suffered at least one cyberattack in the past five years. The survey, conducted by platform security company Irdeto, included medical device manufacturers, digital and mobile health companies and telehealth providers.
Knight said that cybersecurity must be a consideration while code is still being written, instead of trying to secure a project while it is available to the general public. Companies should also bring in outside experts to test them before they go to market.
“We need to do better about securing (health data) and making sure it’s a lot more difficult for adversaries to get access to it,” she said. “For me, being a vulnerability researcher is so important — making sure we’re holding these vendors’ feet to the fire and making sure they’re following best practices, because this is our most sensitive data.”
Originally published by
Elise Reuter | February 10, 2021
MedCity News
Photo credit: Getty Images, weerapatkiatdumrong
