{"id":15062,"date":"2019-04-10T08:10:14","date_gmt":"2019-04-10T16:10:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/10\/news-8811\/"},"modified":"2019-04-10T08:10:14","modified_gmt":"2019-04-10T16:10:14","slug":"news-8811","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/10\/news-8811\/","title":{"rendered":"Who is managing the security of medical management apps?"},"content":{"rendered":"<p><strong>Credit to Author: Kacy Zurkus| Date: Wed, 10 Apr 2019 15:00:00 +0000<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">One truth that is consistent across every sector\u2014be it technology or education\u2014is that software is vulnerable, which means that any device running software applications is also at risk. While virtually any application-running device could be compromised by an attacker, vulnerabilities in medical management apps pose a unique and more dangerous set of problems.<\/span><\/p>\n<p>Now add to vulnerabilities the issue of <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/not-definitive-guide-cybersecurity-data-privacy-laws\/\" target=\"_blank\" rel=\"noopener\">data privacy<\/a>, especially that of sensitive medical information, and you have a perfect storm.<\/p>\n<p><span style=\"font-weight: 400;\">In a recent report, <\/span><a href=\"https:\/\/www.bmj.com\/content\/bmj\/364\/bmj.l920.full.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis<\/span><\/a><span style=\"font-weight: 400;\">, published by BMJ, researchers analyzed the top-rated Android apps for medicine management and found that 19 out of the 24 tested apps shared user data outside of the app.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Because medical records are such a lucrative data set, attackers often target the healthcare industry, seeking out and 
eventually finding the weakest link in the supply chain. That&#8217;s why it\u2019s important for stakeholders to consider the broader implications of weaknesses in health and medical apps.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the US Food &amp; Drug Administration (FDA), medical apps that pose risks to patient health and safety have been regulated since 1997. \u201c<\/span><span style=\"font-weight: 400;\">While many mobile apps carry minimal risk, those that can pose a greater risk to patients will require FDA review.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As medical management apps offer the convenience of care at home, some devices have become directly intertwined with patient care. While some apps may only offer benign image-processing services, others\u00a0may include\u00a0data on test results, appointments, drug refills, and more. This is why the FDA categorizes medical apps by risk. <\/span><\/p>\n<h3>What could go wrong?<\/h3>\n<p><span style=\"font-weight: 400;\">Security concerns come not necessarily from the app itself, but from third parties that are creating the apps that interface with that data. \u201cDevelopers relied on the services of infrastructure related third parties to securely store or process user data, thus the risks to privacy are lower. 
However, sharing with infrastructure related third parties represents additional attack surfaces in terms of cybersecurity,\u201d the BMJ report said.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cFurthermore, the presence of trackers for advertising and analytics, uses additional data and processing time and could increase the app\u2019s vulnerability to security breaches.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Data that sits on any app or database can be compromised, but medical management apps are home to a trove of private information and different types of proprietary data, as well as whatever the healthcare provider has interfacing with that app, according to penetration tester, Mike Jones.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cFrom what I\u2019ve experienced with medical management apps, the risks are through the roof because the apps are not under the same regulations as the Health Insurance Portability and Accountability Act (<\/span><a href=\"https:\/\/www.hhs.gov\/hipaa\/index.html\"><span style=\"font-weight: 400;\">HIPAA<\/span><\/a><span style=\"font-weight: 400;\">). When you look at the amount of data that any kind of home health or medical service offers, if it is managed through an app, one of the biggest concerns is data leakage.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sharing and selling data might be a new reality in today\u2019s digital, research-driven world, but it\u2019s important to first strip the data of its context so that patient privacy is not interfered with. 
Yet, sharing and securing data don\u2019t have to be mutually exclusive concepts, said Warren Poschman, senior solutions architect at\u00a0<\/span><a href=\"http:\/\/www.comforte.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">comforte AG<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cWant to know what meds I\u2019m taking or what procedures I\u2019ve had so it can be cross-referenced and insights gained? Absolutely! Want to know that it was me specifically that takes that medication or has had those procedures? Absolutely not! Regulatory bodies need to start ensuring that companies anonymize the data so that it can be safely used no matter where it travels to.\u201d<\/span><\/p>\n<h3>Risk extends beyond the medical data<\/h3>\n<p><span style=\"font-weight: 400;\">Perhaps even more concerning than an attacker being able to access the data collected or stored on these apps is the reality that if a malicious actor tampers with them, patients can get the wrong medications or medications could be diverted to different places, Jones said.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In <\/span><a href=\"https:\/\/www.securityevaluators.com\/hospitalhack\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Hacking the Hospital<\/span><\/a><span style=\"font-weight: 400;\">, a two-year study that evaluated cybersecurity risks in hospitals, Independent Security Evaluators (ISE) found two different web applications through which an adversary could remotely \u201cdeploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities,\u201d the report said. That was in 2016. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Fast forward three years, and ISE executive partner Ted Harrington remains concerned about the risks to patient safety with medical management apps. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cWhat is critically important is that these solutions ensure that the appropriate amount of medicine goes to the right patient.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When it comes to patient safety, the healthcare industry has established practices of redundancies, but these practices have largely been influenced by regulations. Highly-regulated industries are motivated to make changes in order to be compliant, but compliance isn\u2019t synonymous with security, Harrington said. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Though many medical apps are regulated by the FDA, medical management apps don\u2019t fall under HIPAA regulations, and those established practices that ensure patient safety among the providers and staff aren\u2019t usually extended to software.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Still, there are a variety of direct and indirect implications for those that are responsible for delivering care if medical apps are compromised in any way. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cThe delivery of care relies heavily on technology, which needs to be accurate,\u201d Harrington said. \u201cIf there were instances that demonstrated these solutions are inaccurate, that could undermine faith in technology, and that can negatively impact things like the speed at which professionals can deliver care. Speed is second only to accuracy in the delivery of care.\u201d<\/span><\/p>\n<h3>Where do apps go from here?<\/h3>\n<p><span style=\"font-weight: 400;\">It\u2019s a question to which there is no single, clear answer. The complexities and speed of innovation have created formidable obstacles when it comes to the security of medical and health apps. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As technology advances, more developers are relying on artificial intelligence and machine learning in software,<\/span><span style=\"font-weight: 400;\"> \u201cderiving new and important insights from the vast amount of data generated during the delivery of health care every day. Medical device manufacturers are using these technologies to innovate their products to better assist health care providers and improve patient care,\u201d according to the <\/span><a href=\"https:\/\/www.fda.gov\/MedicalDevices\/DigitalHealth\/SoftwareasaMedicalDevice\/ucm634612.htm\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">FDA<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These changes in technology also drive the evolution of regulations, which Jones said have to ensure security throughout the development lifecycle. The FDA is, in fact, \u201cconsidering a total product lifecycle-based regulatory framework for these technologies that would allow for modifications to be made from real-world learning and adaptation, while still ensuring that the safety and effectiveness of the software as a medical device is maintained.\u201d<\/span><\/p>\n<h3>Greater than good intentions<\/h3>\n<p><span style=\"font-weight: 400;\">Without falling victim to fear, uncertainty, and doubt, there is reality to the belief that medical management apps can be the difference between life and death. To shift the focus from compliance to security, Harrington said, \u201cWe need to understand technology the way an attacker would understand it. How would a hacker exploit this technology? So, you start with building out a threat model.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Not all hackers are financially motivated, which is why it\u2019s also important to perform a security assessment that goes beyond running a scanner. 
\u201cThat\u2019s ineffective,\u201d said Harrington. \u201cYou need to go deeper, as deep as an attacker would.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Increasingly, more security-minded professionals are advocating for developers to take more personal responsibility. I am the Cavalry, for example, recently published <\/span><a href=\"https:\/\/www.jmir.org\/2019\/3\/e12568\/#Five-Case-Studies-based-on-the-5-Oath-Principles\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">The Case for a Hippocratic Oath for Connected Medical Devices: Viewpoint<\/span><\/a> <span style=\"font-weight: 400;\">in the Journal of Medical Internet Research (JMIR), in which the authors ask whether <\/span><span style=\"font-weight: 400;\">manufacturers and adopters of these connected technologies should be governed by the symbolic spirit of the Hippocratic Oath.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cThe idea of holding developers responsible is in the right spirit,\u201d Harrington said. After all, if a bridge collapses and an investigation finds that it was structurally deficient, contractors, inspectors, maintenance, and even the engineers who designed the bridge can be charged with negligence. 
Should not the same be true of those that build the technology that bridges the gap between medical professionals and patients?<\/span><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/04\/managing-security-medical-management-apps\/\">Who is managing the security of medical management apps?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/04\/managing-security-medical-management-apps\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Kacy Zurkus| Date: Wed, 10 Apr 2019 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2019\/04\/managing-security-medical-management-apps\/' title='Who is managing the security of medical management apps?'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/04\/shutterstock_1101100952.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Because medical records are such a lucrative data set, attackers often target the healthcare industry, seeking out and eventually finding the weakest link in the supply chain. That&#8217;s why it\u2019s important for stakeholders to consider the broader implications of cybersecurity weaknesses in medical management apps. 
But who should be held responsible?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/business\/\" rel=\"category tag\">Business<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy\/\" rel=\"tag\">Data privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/health-apps\/\" rel=\"tag\">health apps<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/healthcare\/\" rel=\"tag\">healthcare<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hippa\/\" rel=\"tag\">HIPPA<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/medical-apps\/\" rel=\"tag\">medical apps<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/medical-management-apps\/\" rel=\"tag\">medical management apps<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/vulnerabilities\/\" rel=\"tag\">vulnerabilities<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/2019\/04\/managing-security-medical-management-apps\/' title='Who is managing the security of medical management apps?'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/04\/managing-security-medical-management-apps\/\">Who is managing the security of medical management apps?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,1001,11063,17546,5976,17548,21519,21520,10752],"class_list":["post-15062","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-business","tag-data-privacy","tag-health-apps","tag-healthcare","tag-hippa","tag-medical-apps","tag-medical-management-apps","tag-vulnerabilities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15062","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15062"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15062\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15062"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15062"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15062"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}