Security key to mHealth success

Thursday 23 July 2020 By David Stewart

Topics: Mobile App Authentication, Repackaged Apps, MitM Attack, Certificate Pinning, API Security, Healthcare

 

In 2016, mHealth apps were the third fastest-growing category of apps, behind games and utilities. In 2017, the number of healthcare applications available to smartphone users doubled from that of 2015 to 325,000, from 84,000 different publishers, with an estimated 3.7 billion downloads that year. By 2018, nearly a third of all patients were using their mobile phones for health-related searches and for booking appointments; an overwhelming 99% of consumers believed that mHealth apps improved their quality of life; and 70% of millennials were interested in a mobile app that would help them actively manage their well-being. By 2027, mHealth app usage among patients is projected to grow at a 10-year CAGR of 40%.

The global market for mHealth solutions is growing at a slightly lower rate of around 33% and is projected to reach $213 billion in 2025, up from $50 billion in 2020. The functionality of mHealth offerings is also steadily expanding beyond consumer-facing medical and well-being apps to solutions that target specific user groups, use cases, and medical conditions. Today, there are medical apps targeted at doctors, caregivers, etc. and at specific functions across the healthcare value chain, including decision support, remote tracking & monitoring, appointments & clinical assistance, records access & management, and professional networking & communications.

mHealth in the time of coronavirus

The current coronavirus pandemic has tragically but inevitably brought the value of zero-contact telehealth and mHealth solutions to the fore. At a time when in-person care has to be limited to emergencies, more and more healthcare institutions and providers are turning to digital health platforms to provide risk-free access to healthcare.

[Figure: Business Impact By Company Type. Image source: Research2Guidance]

By some accounts, the lessons learned in applying telehealth and mHealth to a pandemic could accelerate the adoption of digital health solutions in the mid to long-term. In fact, digital health companies are the most optimistic that the long-term business impact of the current crisis would not only encourage adoption but also result in more favorable regulatory and reimbursement environments.

The state of mobile healthcare security

The ongoing crisis has also regrettably but quite incontrovertibly exposed one of the key challenges of mobile health apps - security. In recent months there has been a surge in the deployment of apps that deliver several Covid-19 related services critical to managing the pandemic. Cyber-criminals, however, have been exploiting vulnerabilities in these apps to deliver spyware and ransomware and even distribute fake apps that steal money and data from users. Or as one report summed it up, the use of smartphone apps to track the epidemic has created a potential jackpot for hackers worldwide.

Even discounting for the current topical surge, healthcare security breaches have risen exponentially in recent years. In 2019, and continuing into 2020, healthcare has been a sector most targeted by hackers. And it’s not hard to see why. The black market value of a single health record could be as much as $250, which is nearly 50 times the next highest value of $5.40 for a payment card. In addition to all this, the healthcare industry also has one of the highest average costs per data breach, which, at $6.5 million, is more than 60% higher than any other industry.

In this scenario, the potential of widespread adoption of mobile healthcare apps is as much a great opportunity as it is a significant risk. Most mHealth apps have access to extremely sensitive information, including personal identifiers, medical records, and financial details, which makes them prime targets for hackers. Securing access to this data, without compromising app functionality, usability, and utility in enhancing healthcare outcomes has to be the overarching design principle for every medical app development program. That, however, does not seem to be the case, according to the findings of Verizon’s 2020 Mobile Security Index study.

Verizon’s latest deep dive into the healthcare industry’s approach to mobile security turned up some truly startling findings. For starters, most respondents massively underestimated the number of apps being used in their organization. Most of them used public Wi-Fi even if it was against IT policy. Only 12% were following even basic precautions such as need-to-know data restrictions, changing default passwords, encrypting sensitive information, and regular security testing. And 37% of healthcare organizations admitted to sacrificing mobile security in the interest of expediency, convenience, and “getting the job done”.

Negotiating the transformation gap

A significant majority of physicians, residents, and students believe that personalized medicine and telemedicine can transform healthcare in the near-term, according to a 2020 study from Stanford Medicine. However, the study also identified a Transformation Gap in the healthcare industry wherein the higher the potential patient benefits of any innovation, the less prepared the medical community seemed to be.

In terms of security, mHealth apps currently seem to be stranded in this transformation gap between perceived potential and the ability to securely and productively harness it. Going forward, building the competence to navigate this gap will depend as much on education and training as it will on sophisticated mobile security principles, processes, and technologies.

And the latter is, probably and arguably, the more immediately achievable milestone.

[Figure: Healthcare Organizations' Biggest Mobile Security Concerns (Verizon)]

Take, for instance, the top three mobile security concerns for healthcare organizations today — rogue apps, rogue Wi-Fi, and malware.

Rogue app fraud witnessed a whopping 191% increase in 2019. However, there are sophisticated software attestation solutions that can distinguish between genuine mHealth apps and their tampered clones based on originally published software images. These solutions can also mitigate rogue Wi-Fi/MitM attacks by using techniques like certificate pinning.

The point is that there are mobile security solutions that can thwart almost every prevalent mobile attack vector. At the same time, healthcare organizations also need to institute robust security policies and educate users on mobile security hygiene in order to neutralize the risks and maximize the security of mHealth apps.

Summing up

It is positively impractical to ignore the transformative potential that mHealth represents for both patients and healthcare professionals. It offers an extensive range of benefits that includes enhanced healthcare accuracy & efficiency, lower healthcare costs, and improved decision-making, to name a few. However, accessing these benefits comes with a quantum of risk that has to be addressed upfront. In fact, the healthcare sector faces the same risks almost every other industry faces as it embraces the transitions towards a mobile-first norm. In the case of healthcare, the consequences of these risks just happen to be more catastrophic and costly. Modern security technologies can definitely help simplify and accelerate healthcare’s inevitable evolution toward telemedicine. However, there also has to be a concurrent and coordinated effort to educate the industry about the long-term repercussions of just focusing on “getting the job done.”
