Today’s healthcare landscape is increasingly digital, and apps have become the latest area of innovation for many hospitals and healthcare organizations. Innovators large and small are working to create apps and bring them to market as quickly as possible. However, this trend in digital healthcare has also become a major cybersecurity concern.

According to the recent SMART Health IT study, an application’s privacy and security capabilities are a primary concern for healthcare providers. What are the biggest cyber risks of digital health apps? And, more importantly, what can healthcare organizations that are currently using an app, or exploring the idea of creating one, do to protect themselves? Here are three security challenges to consider with digital health apps, as well as four keys to protecting those apps against potential cyber risks.

3 Security Challenges with Digital Health Apps

The primary reason digital health applications concern cybersecurity professionals is that the organization has no direct control over where they run. The mobile devices on which the apps are installed are owned and operated by people outside the organization’s control. This creates three specific challenges when it comes to protecting apps against cyber risks:

  1. Mobile devices, which store the apps, are easily lost or stolen. Of the millions of smartphones stolen each year, 34% aren’t protected with a PIN, and even fewer are protected by a strong password. When a mobile phone is stolen, any enterprise data or credentials on it are put at risk, along with the user’s personal information.
  2. Users don’t know what they’re authorizing for other apps. Most smartphone users download at least one new app per month, and many of those apps ask for an “authorization” that is accepted immediately. Depending on the permissions granted, such apps can then reach sensitive data a digital health app has stored on the device. A 2013 analysis of mobile medical, health, and fitness apps offers some disturbing statistics: only 50% of the apps encrypted personally identifiable information (PII) sent over the Internet, and 83% of the free health and fitness apps stored data locally on the device without encryption.
  3. Mobile devices have inherent vulnerabilities. The operating system, utilities provided by the carrier, and legitimate third-party apps are all potential sources of data loss and leakage.

Today’s cyber attackers are poised to exploit these weaknesses. However, such concerns shouldn’t prevent your hospital or organization from deploying a digital health app. As with other endpoints outside your direct control, there are ways to mitigate the cyber risks of mobile apps.

4 Keys to Protecting Your Digital Health Apps

  1. Ensure the app, at the very minimum, addresses HIPAA requirements. Healthcare providers working with app developers need to make sure both parties have a clear understanding of what HIPAA requires of the specific app, especially where it stores or transmits protected health information.
  2. Enforce better cybersecurity standards across the board. The best way to protect your organization from an attack that arrives via a third-party device is to deploy intrusion detection and prevention systems (IDS/IPS) and robust identity and access management (IAM). These help detect and block attacks against your network or cloud resources, whether they originate from an app or from any other third-party device.
  3. Consider adding multi-factor authentication to your app. Although not bulletproof, multi-factor authentication is a proven way to lessen the likelihood of a data breach via a compromised password, because a stolen password alone is no longer enough to log in.
  4. Perform an independent assessment of your app vendor’s security controls and pen test the application. It’s important to ensure the developers you’re using are implementing security best practices before their code integrates with your systems. If they’re vulnerable to an attack, you’re also vulnerable to an attack. Any app that carries your company’s name and your customers’ data should be rigorously tested before it goes live.

Digital health applications are only going to increase in popularity as our world becomes increasingly mobile. Managing all the requirements for proper compliance is vital, but it can be overwhelming at times. That’s where BALLAST comes in.

BALLAST was specifically built to make the process of evaluating the risks associated with protecting your medical devices and patient data from cyber-attacks easier. It also helps ensure your organization is implementing the proper processes and technologies for healthcare cybersecurity.

Whether you’re looking for assurance that your digital health application is adequately protected or for ways to enhance your overall cybersecurity efforts, connect with our team to learn how BALLAST can help.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.