Why should Healthcare organizations worry about mobile apps?
We use them for innumerable daily tasks, they go everywhere with us, they are exposed to endless contagion, and they are one of our primary interfaces with other people and systems. While hospitals can create and enforce strict hand-washing protocols, they can’t ensure 100% compliance, and they have little control over the hands of non-employees.
The same is true of mobile devices — even if your mobile health apps are sanitized and secure, the cyber hygiene of your end users’ mobile devices is out of your control. The potential consequences of unwashed hands and unmanaged mobile devices are dire — no one wants MRSA infections or malware running rampant in healthcare environments.
As the digital transformation of the healthcare sector continues apace, enterprise mobile apps are becoming more integral to communications (among staff, with patients, and with IoT medical devices), patient self-service (appointments, prescription renewals, EHR access), and innovative services in home healthcare and telemedicine. All of these game-changing uses of mobile tech involve the exchange of highly sensitive and heavily regulated data.
As operating margin pressures in the healthcare market intensify, healthcare organizations are hard-pressed to hire enough cyber security experts to match their growing technology footprint. The specter of public breach notifications, penalties, reputational damage, and operational outages weighs heavily on healthcare executives.
In the healthcare setting, the risks include: financial and insurance fraud, public trust, and the confidentiality, integrity and availability of sensitive data. But the dangers don’t stop there. The physical safety of patients is on the line. Whether the scenario is one patient’s records or devices being tampered with, or a system-wide outage at a busy trauma center that causes treatment delays, the risk of death or injury is all too real — and growing.
The problem is, hackers know how high the stakes are. In the last few years, healthcare organizations have been heavily targeted by organized cybercriminals seeking to exfiltrate and sell medical records chock full of identifying information; by ransomware attackers looking to make some quick bitcoin; and by state-sponsored hackers looking to test, penetrate, and disrupt critical infrastructure (in this case, major hospitals).
Can the patient see their health record within the mobile app? If so, hackers may be able to access insurance information. This may lead to false claims being filed, which impacts both patient and insurance provider. Exposure of confidential information about cognitive limitations, stigmatized diseases, and other sensitive matters can lead to senior abuse, employment and housing discrimination, and more.
Can the patient pay their bill through the mobile app? If so, important financial information about the patient could be exposed to hackers, including banking and insurance information that provides an entry point into the host systems of the insurance carrier and financial institution.
What’s so tricky about securing mobile apps?
Mobile device management solutions (MDM, EMM) are device-centric and so cannot provide any control over the devices belonging to end-users of a public facing app. Those unmanaged endpoints run the app’s executable code, and that code can be accessed and altered by a compromised operating system. The executable code for web applications and services resides primarily on enterprise systems, and can be protected and monitored accordingly. Mobile app code resides primarily on the mobile device itself.
Without a solution like HackGuard, the executable code of mobile apps cannot be monitored, protected, or remediated. There’s a rule of thumb for public-facing apps that might surprise healthcare organizations new to the app publishing business. Let’s call it the 200 Rule: The typical organization with 1000 employees can assume they will have around 200,000 public app users. That’s 200,000-plus smartphones, tablets, and notebooks over which you have no control. Until you have detailed information about the health of the environments your app is operating in, your attack surface is expansive and your security team is blind.
No healthcare enterprise wants to provide hackers with 200,000 possible tunnels into their networks, systems, and equipment. The damage from attacks on mobile apps is not confined to end-users and the costs associated with helping them recover from fraud or service outages. Hackers can also compromise the app’s communications with the host systems in order to exfiltrate records and privileged credentials, which can in turn be leveraged in further attacks, extortion schemes, and corporate espionage.
Of course clean, secure-by-design app development is important. The good news is, that part is under our control and developers keep up with security requirements. Even when the developer has done everything right, the app can still be vulnerable. There are approximately 3000 open vulnerabilities in Android (https://www.cvedetails.com/product/19997/Google-Android.html) and iOS (https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html). As we know, any security that depends on users’ cyber hygiene and patching practices is bound to fail. Moreover, it’s all too easy for hackers to reverse engineer apps. The same goes for malware development — hackers can even buy exploit kits on the Internet.
Advanced malware exploits are designed to deliver a payload that doesn’t detonate immediately. In order to inflict maximum damage (and reap the most bounty possible) upon activation, malware uses “dwell time” (the period from initial intrusion to detonation) to establish command and control, test system defenses, and spread to further devices. Ponemon Institute’s 2017 Cost of Data Breach Study pegs the average attack dwell time at 257 days (191 to identify, 66 to contain).
Far too often, due to lack of visibility, the healthcare organization doesn’t know the detonation has occurred and that data and credentials are being stolen. Traditional cyber security methods are unable to detect the malware because the activity is coming from a known (but compromised) mobile device, not from an unknown source that can be traced back to a suspicious IP address or pattern of hacker activity.
After a vulnerability or attack has been detected, app developers often waste time trying to find a flaw in the app, or developing and releasing new versions. There are multiple issues with this remedial approach. To start with, new versions of the app would have to be released as mandatory upgrades because end-users are notorious for ignoring update recommendations. Then there is the fact that hackers are watching for updates and can likewise quickly update their malware based on what they learned from the first stage of the attack, leading to even more damaging exploits.
Healthcare organizations have no access to an end user’s compromised device; they can’t do forensics in order to the get to the root cause, and so the vicious cycle continues. AppVision’s HackGuard turns a repeating APT cycle that continues over several months into a simple, quick solution process, at the end of which losses have been avoided, and the event is ended with finality.
How can HackGuard help keep healthcare apps healthy?
No matter where they wander in the world, your mobile apps can be made hack-proof with HackGuard technology and professional services. With an app-centric focus, this SaaS solution is purpose-built, affordable and easily implemented by all types of healthcare organizations that provide mobile apps to their staff, customers, and patients.
HackGuard is an Endpoint Detection and Response (EDR) solution designed specifically to protect mobile app executable code and provide deep discovery of an app’s operating environment. It is threat-vector agnostic, meaning it can protect against all types of attacks, including Zero Days.
Think of HackGuard as a guardian angel, lightly sitting on the shoulder of your mobile app, keeping it safe wherever it may wander. With HackGuard, you can deploy comprehensive protection in just minutes, and begin detecting attacks immediately.
If we could see germs, maybe we wouldn’t get sick so often. HackGuard sends all collected device and app data to a secure cloud portal, through which granular reporting tools are provided. Each AppVision customer is provisioned with its own separate, securely encrypted database. A unified dashboard provides trend graphs, app activity gauges, install/launch charts, rolling reports, and detailed demographics for your installed app base. Datagrids are sortable and searchable. Alerts can be controlled through trigger and threshold settings.
With this kind of visibility, healthcare organizations can protect their app, their systems, and their users by conducting rapid attack vector analysis. And most powerfully, with the granular attack data provided by HackGuard, it is easy to track the device characteristics that are being targeted and identify the users most at risk of compromise.
Other mobile app security products inject foreign code or wrap protective code around apps. App developers are wary of these approaches: they require significant effort to implement, can interfere with app functionality, and can even break the app. The act of injecting anyone else’s code, even from a security solutions provider, effectively increases an app’s attack surface. While developers may have complete control over their own code, they cannot exert the same control over injected code, which makes a prime target for hackers seeking to do widespread damage.
AppVision’s HackGuard employs a different, innovative approach — requiring no injection, no SDKs, no need to touch multiple components of the app. In fact, HackGuard can be enabled for an app in under a minute on both Android and iOS.
HackGuard is mobile app security that works all of the time, on every device, and against all kinds of attacks. Don’t you wish your hand sanitizer could do that?