Report: FDA-approved mobile health apps pose security risks

Of 19 U.S. Food and Drug Administration-approved mobile health apps tested for security, 84 percent did not adequately address at least two of the Open Web Application Security Project's mobile top 10 risks--application code tampering and reverse-engineering--according to a new report published by security vendor Arxan this week.

The report analyzed a total of 126 popular mHealth and finance apps from the U.S., U.K., Germany and Japan; of those, 71 health apps were examined. Eighty-six percent of those 71 had at least two critical security vulnerabilities, according to the report.

Both of the aforementioned risks can lead to privacy violations, theft of personal health data and tampering with data, according to the report. They also could open the door for an app to be reprogrammed to deliver a lethal dose of medication, the report's authors said.

While the majority of enterprise security risks are at the application layer, tech spend remains largely focused on protecting networks and data, Patrick Kehoe, CMO of Arxan Technologies, told FierceMobileHealthcare in an interview.

"First, those who own security budgets need to ensure that they are aligning spend with where the risks are," Kehoe said. "Application hardening needs to become a standard and final step within the mobile application development lifecycle that everyone follows."

He added that "beefing up protection" of the communications between the mobile app and medical device is becoming essential.

Hacks and breaches in the healthcare industry are likely to get worse in 2016 unless organizations shore up security, educate mHealth users about privacy and invest in security of the tools, according to Chris Bowen, chief privacy and security officer and founder of security firm ClearDATA.

The new report comes just after the National Science Foundation announced a $10 million research effort aimed at shoring up patient data security and user confidentiality with mHealth tools.

The findings, Kehoe said, illustrate that awareness of vulnerabilities by users and IT organizations is currently quite low.

"Patient safety is a serious risk and therefore a significant priority--medical device apps that are tampered with and reverse-engineered due to lack of binary protections could lead to malicious malfunctioning of medical devices and lethal doses of medication being delivered to patients," he said.
