Mobile health apps leak sensitive data through APIs, report finds

“Recovering hacker” Alissa Knight calls personal health information the most valuable data on the dark web. The Knight Ink cybersecurity researcher says, “It's 10 times more the price of a credit card for a single PHI record.”

Knight partnered with mobile security company Approov to hack 30 mobile health apps to highlight the threats they face through application program interfaces (APIs). The findings were published in a recent report, “All That We Let In.”

All of the apps were found to be vulnerable to API attacks, and some allowed access to electronic health records (EHRs). The 30 apps collectively expose 23 million mobile health users to attacks, Knight reported. Of the 30 apps tested, 77% contained hardcoded API keys, some of which do not expire, according to the report, and 7% had hardcoded usernames and passwords.

APIs are the communication channels between a mobile app and a cloud service, physical server or hospital infrastructure, explained David Stewart, founder and CEO of Approov.

The threat to APIs is real as Gartner predicts that by 2022 API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches. APIs allow mobile phones to access X-rays, pathology reports and allergy data. The COVID-19 pandemic has accelerated use of mobile health apps and virtual care, and this push motivated Approov and Knight Ink to collaborate on the study, according to Stewart.


Stewart noted the wide range of mobile health apps that face threats as the security company tested apps from large health care systems as well as mobile health vendors. Knight also tested apps that let clinicians log in and manage patient data. Knight and Approov kept the names of the test apps anonymous.

“There are plenty of mobile health care apps that may not be directly accessing the patient's medical records, but they're still accessing extremely sensitive information, like which prescriptions they take regularly for which drugs,” Stewart said. Other apps that could face threats include apps for mental health services, he added.

During her research, Knight hacked into the system of one hospital, changing the value of an EHR identifier by one digit, and was then able to access the health records of the patient’s family members and other information that the hospital’s registration desk had captured for the patient. Knight used a hacking tool whose traffic looks like it is generated by a mobile health app.

“The traffic looks exactly the same as traffic that's coming from the actual mobile app, and that gives the hackers so much more flexibility about the things that they can do,” Stewart explained.

In addition, Knight found that 100% of API endpoints were susceptible to Broken Object Level Authorization (BOLA) attacks. The OWASP Foundation, which organizes community-led open-source projects, lists BOLA as the top security risk for APIs. BOLA attacks enabled Knight to view personally identifying information and personal health information that the clinician account the researcher used was not authorized to see.

In addition, in 50% of the APIs tested, medical professionals were able to access pathology, X-rays and results of other patients.
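The BOLA weakness described above comes down to one missing check: the API authenticates the caller but never verifies that the caller is entitled to the specific object (patient record) whose id appears in the request. The following Python example is added here to illustrate that point and is not code from the report, from Approov or from any of the tested apps; the record store, user accounts, patient ids and record ids are all constructed. It shows a vulnerable lookup beside a hardened one, and an audit helper a defender can run against either handler to count how many records a given account can reach outside its authorization.

```python
"""Broken Object Level Authorization (BOLA): vulnerable vs hardened record lookup.

Added example, not from the report. All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    patient_id: int
    body: str


# Constructed sample EHR store, keyed by record id.
RECORDS = {
    1001: Record(1001, 7, "allergy: penicillin"),
    1002: Record(1002, 8, "pathology: negative"),
    1003: Record(1003, 8, "x-ray: clear"),
}

# Constructed authorization data: which clinician is assigned to which patients,
# and which patient login corresponds to which patient id.
CLINICIAN_PATIENTS = {"dr_alice": {7}, "dr_bob": {8}}
PATIENT_ACCOUNTS = {"pat7": 7, "pat8": 8}


class Forbidden(Exception):
    """Raised when the caller is not authenticated or not authorized."""


def _is_authenticated(caller: str) -> bool:
    return caller in CLINICIAN_PATIENTS or caller in PATIENT_ACCOUNTS


def get_record_vulnerable(caller: str, record_id: int) -> Record:
    """Authentication only: any logged-in account can fetch any record id.

    This is the BOLA pattern. The handler trusts the id in the request and
    never asks whether *this* caller may see *this* record.
    """
    if not _is_authenticated(caller):
        raise Forbidden("not authenticated")
    return RECORDS[record_id]  # object-level authorization missing


def authorized_patient_ids(caller: str) -> set:
    """Patient ids the caller is allowed to read, derived server-side from the
    caller's identity, never from anything in the request."""
    if caller in CLINICIAN_PATIENTS:
        return set(CLINICIAN_PATIENTS[caller])
    if caller in PATIENT_ACCOUNTS:
        return {PATIENT_ACCOUNTS[caller]}
    raise Forbidden("not authenticated")


def get_record_hardened(caller: str, record_id: int) -> Record:
    """Authentication plus object-level authorization on every lookup."""
    allowed = authorized_patient_ids(caller)
    record = RECORDS.get(record_id)
    # Same response for "missing" and "not yours" so the endpoint does not
    # confirm which record ids exist.
    if record is None or record.patient_id not in allowed:
        raise Forbidden("record not found")
    return record


def audit_handler(handler, caller: str, record_ids) -> list:
    """Defender-side check: which record ids does this handler return to the
    caller that lie outside the caller's authorized patient set?"""
    allowed = authorized_patient_ids(caller)
    leaked = []
    for rid in record_ids:
        try:
            rec = handler(caller, rid)
        except (Forbidden, KeyError):
            continue
        if rec.patient_id not in allowed:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    ids = sorted(RECORDS)
    print("vulnerable handler leaks:", audit_handler(get_record_vulnerable, "pat7", ids))
    print("hardened handler leaks:", audit_handler(get_record_hardened, "pat7", ids))
```

The audit helper is the kind of regression test that belongs in the API's own test suite: run every handler with a low-privilege account over the full id range and assert that nothing outside that account's authorization comes back.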


“With APIs providing access to the most coveted health data, it is urgent that we secure these APIs,” said Ben Denkers, senior vice president, security and privacy services at cybersecurity consulting firm CynergisTek.

How to protect mobile health data from API attacks

Denkers recommends tools such as APIsec that use security-testing automation to find vulnerabilities in APIs. Mobile application security toolkits like APIsec provide health care API penetration testing.

“We use this as part of our assessments with health care organizations, then we recommend they integrate this deeper into their development and release processes,” Denkers said. “If you start with building secure APIs, then you will get secure mobile applications and secure web applications will be the default.”

The Approov report suggested certificate pinning as a strategy to protect APIs, implemented so that expired certificates do not end up blocking access to critical health data. In addition, software developers and healthcare organizations should monitor the controls they implement for apps and adjust them for compliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA).
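The practical way to get pinning without the outage risk mentioned above is to pin the server's public key (the SHA-256 of its SubjectPublicKeyInfo) rather than the leaf certificate, and to ship a pin set that includes at least one backup key so a renewal or key rotation does not lock the app out. The Python example below is added to illustrate that mechanism; it is not code from the report or from Approov, and the SPKI byte strings are constructed stand-ins for the DER blobs a real TLS library would hand back.

```python
"""Public-key pinning with a backup pin, so certificate renewal does not break the app.

Added example, not from the report. The SPKI values are constructed placeholders
for DER-encoded SubjectPublicKeyInfo structures.
"""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(sha256(SubjectPublicKeyInfo DER)).

    Pinning the key instead of the certificate means a renewed certificate
    that reuses the same key still matches.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for the server's current key, a pre-generated backup key
# held offline, and an unknown key that should never be accepted.
CURRENT_SPKI = b"constructed-spki-current-key"
BACKUP_SPKI = b"constructed-spki-backup-key"
UNKNOWN_SPKI = b"constructed-spki-unknown-key"

# The pin set shipped inside the app: current key plus backup key.
PIN_SET = frozenset({spki_pin(CURRENT_SPKI), spki_pin(BACKUP_SPKI)})


def chain_is_pinned(presented_spkis, pin_set=PIN_SET) -> bool:
    """True if any key in the presented chain matches a shipped pin.

    Checking every certificate in the chain (leaf and intermediates) lets an
    operator pin an intermediate CA key instead of the leaf where that fits.
    """
    return any(spki_pin(spki) in pin_set for spki in presented_spkis)


def rotate_pins(pin_set, retiring_spki: bytes, new_backup_spki: bytes) -> frozenset:
    """Rotate safely: drop the retiring key and add a fresh backup.

    The old backup becomes the live key by being deployed on the server, and a
    new backup is pinned ahead of time. At no point does the set shrink to one.
    """
    updated = set(pin_set)
    updated.discard(spki_pin(retiring_spki))
    updated.add(spki_pin(new_backup_spki))
    if len(updated) < 2:
        raise ValueError("pin set must always contain a live key and a backup")
    return frozenset(updated)


if __name__ == "__main__":
    print("current key accepted:", chain_is_pinned([CURRENT_SPKI]))
    print("renewed cert, same key accepted:", chain_is_pinned([CURRENT_SPKI]))
    print("rotated to backup key accepted:", chain_is_pinned([BACKUP_SPKI]))
    print("unknown key rejected:", not chain_is_pinned([UNKNOWN_SPKI]))
```

The rotation helper enforces the invariant that matters operationally: the set shipped to devices never drops below two keys, so the server can move to the backup key before the old one expires and users on older app builds keep connecting.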

Knight recognizes the value of healthcare innovation despite the threats to mobile app security. To continue innovation while protecting sensitive data, organizations should implement security in the code from the start when designing mobile health apps, according to Knight.

“We just need to be doing a better job at securing [apps] before they go into production, before we launch them and make them available to the general public, because this is our most sensitive data,” Knight said.