Mobile security still far from maturity

From the mHealthNews archive
By Ephraim Schwartz, Contributing Editor

“We’ve had 20 years to learn and perfect desktop security,” Jeff Forristal says. And not nearly as much time for securing mHealth apps and devices.

As CTO of mobile data security company BlueBox, Forristal sees today’s security weaknesses as a result of the mHealth industry’s immaturity, rather than mobile apps and devices being inherently less secure than their desk-bound brethren.

The attack on Community Health Systems just last month — wherein hackers used malware to infiltrate the massive 206-hospital, 28-state network and get away with 4.5 million records — was something of a shocker. But it’s merely the latest in a long line of such attacks, and plenty of security experts are warning that things will get worse before they get better.

Operating systems and apps
Consider that the most common category of mobile app that malware masquerades as is anti-virus security software.

“As of April this year, of the 890,482 sample fake apps discovered from serious sources, 394,263 were detected as malware,” according to a 2014 report from Trend Micro.

What’s more, 77 percent of the 50 most popular mobile apps had fake versions; 40 percent of the apps categorized as medical were also phony copies made to resemble the real thing, and of that 40 percent, half were deemed “malicious.”

On the smartphone side, Android-powered devices are the most frequently targeted because the open platform makes it easier to install a malicious application than on an iPhone or a BlackBerry, according to Armando Orozco, mobile security expert and senior malware intelligence analyst for Malwarebytes, and other analysts.

“The older BlackBerrys are the most secure. They take enterprise security seriously,” Orozco said. “The iPhone is pretty well locked down, but Android is more of the Wild West.”

Hospital CIOs and administrators should require the use of a select list of approved devices and bar medical staff from downloading any application onto those devices other than applications distributed by the organization itself, sent from headquarters, so to speak.

Healthcare organizations must also be willing to severely limit staff and patient access to records. Apple, BlackBerry and Google offer reassurances about how fastidiously they keep malicious applications out of their stores, but remembering that anti-virus applications are the favorite disguise of cyber thieves, perhaps the best bet is to require all healthcare employees to download these necessary applications only from the legitimate manufacturer’s site rather than from an application store.

A few words of caution
Don’t be satisfied with any software company that touts a “HIPAA-compliant” solution. In some cases this statement alone is mere marketing puffery. HIPAA does not give software developers a laundry list of the tools and procedures a solution must include in order to be secure. Rather, it just carries a big stick: if it turns out you are not secure, your organization is liable, and it doesn’t matter whether you tried hard to be secure or not.

Sometimes the simplest questions can be quite revealing.

You might naively ask, “If your app is so secure, why do you suggest we log out immediately after use? Does that mean the longer it is up, the easier it is to have a breach?” If the answer is yes, then you might follow up, “Why is that? I thought your software was secure from a breach?”

Beware of a provider’s inability to give a straightforward yes or no answer.

“Will your single solution protect all of my various applications that the 20 or so different departments in our organization use?” A lengthy response that’s hard to follow should put you on alert.

Another important question: “If we decide after a time to go elsewhere, will you help us disengage from your product and port to a new solution?” You may get some very interesting responses with this one.

So, if the mHealth security industry is still young, as Forristal said, then that leaves it up to hospital IT shops to be the mature ones in the room and not rush into anything without serious forethought.

Ephraim Schwartz is a freelance writer based in Burlington, Vt. Schwartz is a recognized mobile expert and columnist, having spent 15 years as Editor-at-Large for InfoWorld, half of them covering the mobile space. Prior to that he was Editor-in-Chief of Laptop Magazine.
