This post is from the Arxan blog and has not been updated since the original publish date.
2016 State of Application Security: Top Health Care Apps in Critical Condition
Arxan recently released its report on the “State of Application Security,” which examines the current application security landscape and provides key recommendations to improve your organization’s level of protection. This research analyzed 126 of the most popular mobile health and finance apps from the U.S., U.K., Germany and Japan. It also surveyed consumers and application developers about their approach to and perspectives on app security.
Major Findings of the Report
Health Care Industry Is a Popular Target
Health care organizations are among the top targets of cybercriminals in search of valuable patient data and intellectual property. This is not that surprising, given that a complete medical record can fetch close to $500 in the underground market, as reported by NPR. Equally unsurprising is that a majority of health care organizations — 81 percent — have been breached in the past two years. Given that the vast majority of cyberattacks occur at the application layer (a recent Forbes study estimated that 84 percent of all attacks were focused here), one would think that robust application security would be a fundamental measure being taken by health care providers. This effort is particularly pertinent given the health care community’s rapid advancement toward mobile- and IoT-based applications. However, the stark reality is that mobile application security is still lagging.
Consumers Generally Think Their Apps Are Secure
Users of mobile health apps and IT decision-makers with insight into the security of mobile health apps feel their mobile apps are adequately secure. In fact, most believe app developers are doing everything they can to protect their health-related apps.
Perception Is Not Reality
Most health care apps contain significant vulnerabilities. Vulnerability assessments were conducted on 71 mobile health apps in the U.S., U.K., Germany and Japan at the end of 2015. The vulnerability assessments were based on the Open Web Application Security Project (OWASP) top 10 mobile risks. OWASP identifies the most critical application security risks facing organizations. Included among the health apps tested were a sample of health apps approved by the U.S. Food and Drug Administration (FDA) and apps formerly approved by the U.K. National Health Service (NHS). Interestingly, 84 percent of the FDA-approved apps that were tested didn’t adequately address at least two of the OWASP mobile top 10 risks, and 95 percent of those apps lacked binary protection. Similarly, 80 percent of the apps formerly approved by the NHS didn’t address at least two OWASP mobile top 10 vulnerabilities, and 100 percent — yes, all — lacked binary code protection. These vulnerabilities can make applications susceptible to reverse engineering and tampering in addition to increasing the risk of privacy violations and identity theft.
Exposure Is No Surprise
Many companies are not investing in mobile app security. According to the IBM Security and Ponemon Institute research paper “The State of Mobile Application Insecurity,” 50 percent of organizations allocate no budget for mobile security. Perhaps this is why more than half of all respondents felt their apps were likely to be hacked within the next six months.
Something Must Be Done
Even without experiencing cyberattacks on their apps, about 80 percent of health app users would change providers if their apps were known to be vulnerable or if alternative apps that incorporated improved security protection were available. Interestingly, more than 75 percent of mobile health app executives also believed that users would change providers if they knew their apps were insecure or if a similar provider offered a more secure mobile app.
Ignorance Must Be Bliss
There were more than 3 billion mobile health apps downloaded in 2015 from major app stores, according to “The 2015 mHealth App Developer Economics Study.” As noted by this research, if health app users actually knew how vulnerable their apps are, there would be a mass exodus of users fleeing to health care organizations that develop more secure, trusted mobile apps.
What Can Be Done to Improve Application Security?
For Health Care Organizations
- Set your security bar above the regulators. Regulatory bodies lag behind the activities of cybercriminals, and they likely always will. Apps approved by trusted sources such as the FDA or NHS are often no more secure than unapproved apps. As previously stated, 84 percent of the FDA-approved apps and 80 percent of the apps formerly approved by the NHS failed to address at least two critical OWASP mobile top 10 risks.
- Strengthen the weakest links. Address elements of the OWASP risks that are being neglected. For example, 79 percent of the apps tested had a transport layer vulnerability and 97 percent lacked binary code protection — the most prevalent security vulnerability identified.
- Make security a competitive advantage. Market the strength of security you offer to attract and retain your customer base.
- Align spending with risks. The mobile insecurity study revealed that security spending is not allocated in proportion to where the risk lies. While the majority of risks are at the application layer, there is relatively little application-focused spending, particularly when compared to network-focused spending.
For Consumers
- Download apps only from authorized app stores. Most authorized app stores have more rigorous security protocols in place to help ensure apps can be trusted.
- Don’t jailbreak or root mobile devices. Jailbreaking or rooting devices negates critical security measures that are designed to help protect you and your data.
- Demand more transparency about the security of the apps you are using. As the old adage goes, knowledge is power. For example, many foods you purchase are required to be labeled with nutrition information to help you make better-informed decisions. Before you download a mobile app, wouldn’t you want to know what risks you may be opening yourself up to? Become an advocate for app security certification and risk transparency.
For Policymakers and Regulators
- Establish a seal of approval for app security. Require critical apps to publish an OWASP or similar risk rating. Consumers need to know what risks they are accepting before downloading an app. The health care community, including health care providers, medical device manufacturers and others, needs to treat risk as a fundamental consideration before recommending apps to patients and app users.
This blog was authored by Patrick Kehoe, CMO, Arxan.