mHealth Breach: 23 Million Users of Mobile Health Apps Exposed to Attacks

mHealth (meaning ‘mobile health’) applications once had a niche place in the app ecosystem. mHealth first appeared as a way to manage chronic conditions, from diabetes and thyroid disease to maternal care and asthma, and later expanded into mental health and even holistic approaches such as meditation. Pre-2020, perhaps the most significant surge for the mHealth market came from the way fitness and the Internet were integrated: Instagram fitness influencers, wearables such as the Apple Watch, and the habit of sharing fitness statistics with friends and teammates all ran on mHealth, and people now have more precise knowledge of their own fitness metrics than at any other point in history.

mHealth has also seen a steady increase in popularity amongst hospitals and caregivers. These apps grew ever more complex as functionality was added, and at the higher end of the spectrum they grew more personal: many require personal medical information, medical history, names, addresses, and even Social Security numbers. In 2018, it was reported that “73% of hospitals surveyed have developed or were developing mobile strategies to address the communications, collaboration, and computing requirements of clinical professionals and other mobile workers across medical departments, standalone hospitals, and ambulatory environments.” The World Health Organisation (WHO) said mHealth brought “New horizons for health through mobile technologies.” Still, if you were not involved in the medical field, had no chronic illness or other health concern, or preferred to track your fitness in a more analog way, you may not have heard much about mHealth. Our approach to health as a whole changed with the beginning of the COVID-19 outbreak. mHealth stood out as the ideal way to track COVID-19 infections and implement contact tracing, and more than 60 governments rolled out COVID-19 mHealth applications for their citizens.
Anything that becomes popular in our digital society eventually draws the gaze of cybercriminals and criminal organizations. Against this, security best practices are the first line of defense. For mHealth, however, those practices have not been followed, and that has left many mHealth users exposed to data breaches and identity theft.

mHealth Vulnerability

In early February 2021, Knight Ink published a vulnerability study of major mHealth apps, with startling results. Alissa Knight, the founder of Knight Ink, attempted to penetrate 30 leading apps under an agreement that she would not publicly name the vulnerable ones. All 30 had major vulnerabilities, and the majority of them were in the apps’ APIs. An API, or application programming interface, is the interface through which the mobile app talks to the vendor’s backend servers and databases to exchange information; most apps use several APIs in their architecture. Weaknesses in how those APIs were built meant that attackers could very quickly intercept Personally Identifiable Information (PII) and Protected Health Information (PHI). Furthermore, nearly 30% of the apps had no code obfuscation, so criminals could easily reverse-engineer them, and many did not pin their TLS certificates, the control that stops an app from accepting an attacker-controlled certificate and so keeps its API traffic from being intercepted in transit. Most seriously, 100% of the apps were vulnerable to Broken Object Level Authorization (BOLA) attacks. In practical terms this means the server never checks that the caller is actually entitled to the record it asks for, so anyone who knows (or can guess) a record’s identifier can read anyone else’s PII and PHI. BOLA sits at the top of the OWASP API Security Top 10 and is the most serious class of flaw for any application that holds sensitive records. In her report, Knight said, “Simply put, a BOLA vulnerability enables an adversary to substitute the ID of a resource with the ID of another. When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them. These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” Access to a patient’s record means nearly all of their information is available to the attacker: lab results, X-ray images, blood work, family history, birth dates, Social Security numbers, and more.
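To make the BOLA flaw concrete, here is an added example (not code from the page or from Knight Ink’s report) modelling a “get my record” API handler in two forms: the vulnerable version, which trusts the record ID supplied in the request, and a hardened version that performs the object-level authorization check. It also shows the ID-enumeration loop an adversary would run against each. The in-memory record store, patient names and numeric IDs are constructed for illustration; a real app would be doing this against an HTTP endpoint and a database.

```python
"""Broken Object Level Authorization (BOLA): vulnerable vs hardened lookup.

Added illustration, not the page's own code. Authentication of the caller is
assumed to have happened upstream (e.g. a valid session token); the point is
that authentication alone does not establish ownership of the object.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: str
    lab_results: str


# Constructed sample data standing in for a patient-records table.
RECORDS = {
    101: Record(101, "patient_alice", "HbA1c 6.1%"),
    102: Record(102, "patient_bob", "TSH 4.2 mIU/L"),
    103: Record(103, "patient_carol", "glucose 112 mg/dL"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_record_vulnerable(caller_id: str, record_id: int) -> Record:
    """Vulnerable: the ID from the URI (e.g. GET /records/102) is used as-is.

    Nothing ties the record to the authenticated caller, so any logged-in
    user can read any record whose ID they can guess.
    """
    return RECORDS[record_id]


def get_record_secure(caller_id: str, record_id: int) -> Record:
    """Hardened: look the object up, then verify the caller owns it.

    'Not found' and 'not yours' produce the same error so the endpoint does
    not confirm which IDs exist (that alone would still aid enumeration).
    """
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner_id != caller_id:
        raise Forbidden(f"record {record_id} is not accessible to {caller_id}")
    return rec


def enumerate_ids(fetch, caller_id: str, start: int, stop: int) -> list:
    """What an adversary does once IDs are sequential: walk the ID space
    with their own credentials and keep every record that comes back."""
    leaked = []
    for rid in range(start, stop):
        try:
            leaked.append(fetch(caller_id, rid))
        except (KeyError, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    # Bob is a legitimate user who owns exactly one record.
    stolen = enumerate_ids(get_record_vulnerable, "patient_bob", 100, 110)
    print("vulnerable endpoint leaked:", [r.record_id for r in stolen])
    own = enumerate_ids(get_record_secure, "patient_bob", 100, 110)
    print("hardened endpoint returned:", [r.record_id for r in own])
```

The check in `get_record_secure` is the whole fix: authorization is decided per object, on the server, from the caller’s identity rather than from anything in the request path. Switching to random or UUID identifiers makes enumeration harder but is only defense in depth; an attacker who learns one ID (from a shared link, a log, or a second flaw) still reads the record unless the ownership check exists.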

Medical Records and Hackers

Medical records have long been high on any attacker’s list of targets, because a single breach yields a trove of information about thousands of individuals. This is why we so often hear of hospitals having data breaches. Asked about the going rate for medical information, Knight stated that a Social Security number sells for about $1 and a credit-card number for about $110, but the real money is in full medical records, at about $1,000 apiece. Full medical records command that price because they contain everything, all of a person’s PII and PHI, that a criminal organization needs to carry out identity theft. Though hospitals often make headlines for breaches, there is a far greater number of attacks that never get past a hospital’s network. Precisely because they carry such a target on their back, hospitals run some of the strongest cybersecurity in the industry. That is what makes a vulnerability in mHealth so notable: with the advent of COVID, hospitals rely on mHealth more than ever, and attackers no longer need to circumvent complex hospital defenses when they can walk through a series of mHealth apps and steal the same information.

Better Cybersecurity Practices

Knight’s report is recent, and nearly all of the mHealth vendors it covers have been rushing to make security changes. That may already be too late for some data: attackers do not always leave a trail of breadcrumbs after an information heist. Apps, mHealth or otherwise, nearly always have some vulnerabilities; humans are flawed, and the software they write is imperfect too. Such vulnerabilities are usually small in scale, though, and the ones found in mHealth are less human error than human negligence. It is clear that the developers of these apps, and the management behind them, did not follow cybersecurity best practices. Missing certificate pinning, no code obfuscation, and APIs left open to BOLA attacks are not slips of the keyboard; they reflect a lack of planning and consideration. Outside app development, many best practices are also being ignored by individuals in the industry. Many of the breaches we hear about, especially in small and medium businesses, could be avoided with education, care, and the right tools. We are at a crossroads for cybersecurity in the workplace, and business leaders must take heed and act accordingly. One of the tools business leaders can implement is SaferNet. SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device through a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware, and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network.

In addition to its VPN and cyber protection, SaferNet offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories. Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three in one service. SaferNet is an endpoint security presence that can be deployed in minutes anywhere in the world, on phones, laptops, tablets, and computers, at an economical price point that suits businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, plus an easily accessible control hub from which you can monitor all your employees’ or family members’ devices, including their activity, time spent online, and threats blocked.
