“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued an alarming report on the hackability of popular health apps. They tested 30 apps (not named in the report) out of the roughly 300,000 health apps on the market and found that the application programming interfaces (APIs) used by every one of them had vulnerabilities that could allow attackers to access protected health information (PHI), personally identifiable information (PII), identity data, and billing information. According to the report (registration required), these apps, used by patient care organizations for remote account management and telemedicine appointments, may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the APIs tested exposed PHI and billing information once these vulnerabilities were exploited
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks, in which a logged-in user substitutes another user’s record identifier in a request (often by changing a single digit) and the API returns that record, because it checks that the caller is authenticated but not that the caller is entitled to that particular object. For some apps, the attack yielded clinician-level access, allowing medical histories and records to be altered and prescriptions to be issued.
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks because they did not implement certificate pinning, which makes the app accept only a server certificate (or public key) it already knows rather than any certificate that chains to a root trusted by the device; without it, an interception proxy whose root certificate has been installed on the phone can read and modify the app’s traffic
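The first two findings above, hardcoded API keys and plaintext credentials, are what a reviewer looks for by unpacking the app and scanning its resources and source for key-like strings. The following is an example scanner added for this page; it is not code from the Approov report, and the file contents, key values, names and regular expressions are constructed for illustration.

```python
"""Find hard-coded API keys and plaintext credentials in files pulled from an
app package, the two findings counted above (77 percent and 7 percent of apps).
Example code added for this page, not from the Approov report; the file
contents, key values and names below are constructed, and the patterns are
deliberately simple."""

import math
import re
from collections import Counter

# Constructed stand-ins for files extracted from a decompiled app.
SAMPLE_FILES = {
    "res/values/strings.xml": """\
<resources>
    <string name="app_name">ExampleHealth</string>
    <string name="api_key">AKF93kd02LmNqz81xPqW4bVt7yRu0sGh</string>
</resources>
""",
    "src/net/ApiClient.java": """\
public class ApiClient {
    private static final String BASE = "https://api.example-health.invalid/v1";
    private static final String USERNAME = "mobile_svc";
    private static final String PASSWORD = "Winter2020!";
    private static final String LOG_TAG = "ApiClient";
}
""",
}

# A quoted string assigned to a name (Java, Kotlin, JS, JSON, YAML, ...).
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][\w.-]*)\s*[=:]\s*["'](?P<value>[^"']{6,})["']""")
# An Android string resource.
XML_STRING = re.compile(
    r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<]{6,})</string>')


def shannon_entropy(s):
    """Bits per character; random-looking keys score well above prose."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name, value):
    """Return the kind of secret a name/value pair looks like, or None."""
    if value.lower().startswith(("http://", "https://")):
        return None            # endpoint URLs are not secrets
    n = name.lower()
    if re.search(r"pass(word)?|passwd|pwd", n):
        return "password"
    if re.search(r"user(name)?|login", n):
        return "username"
    if re.search(r"api[_-]?key|secret|token", n):
        return "api_key"
    if len(value) >= 20 and shannon_entropy(value) >= 3.5:
        return "high_entropy"  # key-like value hiding under an innocent name
    return None


def scan_text(path, text):
    """Scan one file's text; returns a list of finding dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = XML_STRING.search(line) or ASSIGNMENT.search(line)
        if not m:
            continue
        kind = classify(m.group("name"), m.group("value"))
        if kind:
            findings.append({"path": path, "line": lineno,
                             "name": m.group("name"), "kind": kind,
                             "value": m.group("value")})
    return findings


def scan_files(files):
    """Map each path to its findings (empty list when the file is clean)."""
    return {path: scan_text(path, text) for path, text in files.items()}


def summarize(files):
    """Counts in the form the report uses: files embedding an API key and
    files embedding a plaintext username/password pair."""
    kinds = {path: {f["kind"] for f in fs}
             for path, fs in scan_files(files).items()}
    return {
        "files_with_api_keys": sum(
            "api_key" in k or "high_entropy" in k for k in kinds.values()),
        "files_with_plaintext_credentials": sum(
            {"username", "password"} <= k for k in kinds.values()),
    }


if __name__ == "__main__":
    for path, fs in scan_files(SAMPLE_FILES).items():
        for f in fs:
            print(f"{f['path']}:{f['line']} {f['kind']} {f['name']}")
    print(summarize(SAMPLE_FILES))
```

A hit means the secret ships inside the app, where anyone who unpacks the APK or IPA can read it; the remedy is to move the key out of the client (issue short-lived tokens from the server after the user, and ideally the app instance, has been verified), not to obfuscate it, since obfuscation only delays extraction.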

Alissa Knight, the ‘recovering hacker’ who authored the report, also broke into one hospital’s EHR: by changing a record identifier by a single digit she was able to access other patients’ health records and registration information. She used an interception tool whose requests appear to the server to come from the legitimate mobile health app.
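The ID-swapping described in the BOLA finding above and in this EHR example comes down to an API that authenticates the caller but never asks whether the caller may see the object named in the request. Below is a vulnerable handler beside a hardened one, written as an added example for this page; it is not code from the Approov report or from any app it tested, and the record store, identifiers, roles and function names are constructed.

```python
"""Broken Object Level Authorization (BOLA), the finding reported for
100 percent of the endpoints tested: a handler that authenticates the caller
but never checks that the caller may access the object named by the ID in
the request. Example code added for this page, not from the Approov report
or any app it tested; the record store, IDs, roles and names are constructed."""

from dataclasses import dataclass

# Constructed in-memory record store standing in for an EHR backend.
RECORDS = {
    10234: {"patient_id": 10234, "diagnosis": "hypertension", "meds": ["lisinopril"]},
    10235: {"patient_id": 10235, "diagnosis": "type 2 diabetes", "meds": ["metformin"]},
}


@dataclass(frozen=True)
class Session:
    """What the API learns from a valid bearer token: who the caller is."""
    user_id: int
    role: str                        # "patient" or "clinician"
    panel: frozenset = frozenset()   # patient IDs a clinician is assigned to


class Forbidden(Exception):
    """Where an HTTP API would answer 403 (or, for missing objects, the same
    status so that IDs cannot be enumerated)."""


def get_record_vulnerable(session, record_id):
    """Authentication only. A logged-in patient who changes 10234 to 10235
    in the request gets the other patient's record: the BOLA pattern."""
    if session is None:
        raise Forbidden("no session")
    return RECORDS[record_id]


def may_access(session, record_id, write=False):
    """Object-level authorization: is THIS caller entitled to THIS record?"""
    if session.role == "patient":
        # Patients may read only their own record and may never write it.
        return session.user_id == record_id and not write
    if session.role == "clinician":
        # Clinicians may read and write only patients on their own panel.
        return record_id in session.panel
    return False


def get_record_hardened(session, record_id):
    """Authorize before touching the store, and fail the same way whether the
    record is missing or merely not the caller's, so the response does not
    reveal which IDs exist."""
    if session is None or not may_access(session, record_id):
        raise Forbidden("not authorized for this record")
    record = RECORDS.get(record_id)
    if record is None:
        raise Forbidden("not authorized for this record")
    return record


def add_prescription_hardened(session, record_id, drug):
    """Write path: the clinician-level action some apps exposed. Same
    object-level check, with write=True; returns the updated medication list."""
    if session is None or not may_access(session, record_id, write=True):
        raise Forbidden("not authorized to modify this record")
    record = RECORDS.get(record_id)
    if record is None:
        raise Forbidden("not authorized to modify this record")
    record["meds"].append(drug)
    return list(record["meds"])


def demo():
    """Replay the one-digit ID change against both handlers."""
    patient = Session(user_id=10234, role="patient")
    leaked = get_record_vulnerable(patient, 10235)["patient_id"]  # another patient
    try:
        get_record_hardened(patient, 10235)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaked_record": leaked, "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The check belongs on every handler that takes an object ID, including write endpoints, and it must be keyed to the principal in the token rather than to any user or role field the client sends, since the client is exactly the part the attacker controls.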

The use of mobile apps for telehealth and patient portals has become far more widespread as a result of the pandemic, yet security has lagged even as the sophistication of the apps, and the amount of information they integrate, has grown into the norm. It is a wakeup call to developers, health systems, and digital health companies that off-the-shelf and legacy APIs do not meet current security demands. Gartner, for its part, projects that APIs will become the most frequent attack vector for data breaches by 2022. CPO Magazine, FierceHealthcare

Two-thirds of US insured not interested in payer health apps: survey

A survey of over 1,200 insured individuals (individual and employer plans), sponsored by research firm HealthMine and conducted by Survey Sampling International, shows that only 30 percent of this group would participate in a payer-provided mobile app, despite 89 percent using a smartphone and/or tablet. Even worse, only 18 percent liked to learn health, wellness, and lifestyle information from a mobile app. It demonstrates that current apps are not compelling or engaging, and the paradox is that the payers behind them make them less, not more, attractive. Perhaps this Editor goes out on a limb, but US insurers have a trust problem on multiple levels (as claim deniers, as impossible to deal with); apps they provide are perceived as capturing information an individual does not really want them to see. Overall, well below 20 percent of users use their smartphones for health reference at all. The leading uses are tracking fitness (21 percent) and calorie counting (16 percent). Is it that real research on health is the province of the desktop PC, where it is easier to find and read? They also are not using mobile to find their doctors, despite all the hype from ZocDoc and Vitals: 8 percent had used a doctor finder app in the past six months. Mobihealthnews, HealthITOutcomes

FDA final guidance on mHealth eases regulation of MDDS, mHealth (updated)

As anticipated, FDA yesterday (Monday) issued final, non-binding guidance that eases regulatory oversight of medical device data systems (MDDS), including medical image storage and communication devices, and of mHealth devices.

In the MDDS guidance document, “(FDA) does not intend to enforce compliance with the regulatory controls that apply to MDDS, medical image storage devices, and medical image communications devices, due to the low risk they pose to patients and the importance they play in advancing digital health.” It defined MDDS as “a device that is intended to provide one or more of the following uses, without controlling or altering the functions or parameters of any connected medical devices: (i) The electronic transfer of medical device data; (ii) The electronic storage of medical device data; (iii) The electronic conversion of medical device data from one format to another format in accordance with a preset specification; or (iv) The electronic display of medical device data.” The definition covers the hardware and software that make up such systems, and it specifically excludes devices used in active patient monitoring.

Mobile health apps were covered in a separate and highly detailed guidance document, “Mobile Medical Applications”.

  • FDA will regulate only “those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended.”