SecureState Blog

Read SecureState's award winning blog.

Protecting Your Mobile Health Data

Consumers are more heavily than ever relying on their smartphones to manage all aspects of their lives, including their health. Corporations such as Google and Apple are jumping into this growing market for mobile health apps. Apple’s recently launched “Health” aggregates data from a variety of health and fitness apps and offers integration with the upcoming iWatch. As Apple states, you decide what information is placed in Health and shared with external health apps, social media apps, and even your doctor. With responsibility for personal data being placed in the hands of users, what should you know before sharing your personal health information (PHI) with your phone?

What are the Vulnerabilities?

Health apps face the same vulnerabilities as all mobile apps. Of the Open Web Application Security Project (OWASP) top 10 risks facing mobile app, health app developers need to pay special attention to risks related to authentication, data storage, and client-side injection.

•  Poor Authorization and Authentication: Authentication is crucial to verifying that users accessing personal health records are who they claim to be. One of the biggest mobile authentication vulnerabilities results from Insecure Direct Object References. This occurs when an application uses the actual name or key of an object when generating a web page and does not verify the user is authorized to access the object. Attackers can change parameter values in the URL and access another person’s record. SecureState’s Gary McCully says that developers should ensure that their apps “Always check the authenticated user’s privileges to ensure they have proper permissions to the object they are trying to access.”

  Insecure Data Storage: The intended use of a health app advance may qualify them as Mobile Medical Applications under FDA guidelines, requiring them to meet stringent HIPAA regulations. Developers can save themselves a lot of wasted money and time if they evaluate the eventual necessity of HIPAA compliance early in the development process. For example, a developer may need to completely rebuild a nutrition-tracking app if they want to add a feature allowing users to hold in-app discussions with their physicians regarding their fitness plans. Implementing HIPAA-compliant secure data storage, application architecture, and associated infrastructure will not only future-proof your app, but also improve the security of user information.

  Injection Vulnerabilities: Mobile apps can be vulnerable to SQL Injection Attacks that allow an attacker access into databases that store PHI and possibly run commands on the underlying database server. Developers can minimize injection vulnerabilities by parameterizing queries, whitelisting the characters allowed in the app, and ensuring queries are not run with excessive privileges. Parameterizing queries will ensure that unsanitized user-supplied inputs are not dropped into database queries that run against the backend database.

Developers can minimize these, and other, risks by integrating security throughout the Software Development Life Cycle (SDLC). Generally, SecureState recommends developers implement a six phase secure SDLC process. This process helps developers determine their baseline, define their security requirements, test application security, and verify compliance from deployment to decommissioning.

What Can You Do to Protect Yourself?

You can take the following actions to minimize the risk of your personal health information being accessed inappropriately:

• Password Protect Your Phone: This is the easiest way to prevent unauthorized users from accessing your data

• Anonymize Your Data: If possible, do not put your real name and contact information in the health app

• Activate Remote Phone Wiping: This will allow you to remove sensitive data from your phone remotely or after a certain number of incorrect password attempts

• Review Terms of Use: Identify what app developers will do with your data before signing up so that you are not caught off guard later