In this article, we’ll be looking at the role that mobile health or mHealth apps and Application Programming Interfaces (APIs) are playing in remote care of the elderly. We shall also consider the vulnerabilities that can afflict these digital platforms, as well as remedial measures and best practices for dealing with these issues.
Charting The Rise Of mHealth And Platforms For Digital Medicine
Reflecting its influence on the uptake of online technologies across the economy, the COVID-19 pandemic has accelerated the digital transformation of health care. Remote solutions that eliminate the need for physical contact have helped to slow the spread of the coronavirus, protecting both patients and frontline health workers.
A global study by Statista charting the increase in the number of medical apps that users downloaded during the height of the pandemic in 2020 reveals some dramatic figures. South Korea witnessed 135% growth and India 90% during this period, while the United Kingdom’s adoption of medical applications grew by 60%.
This trend has particular implications for the world's steadily aging population. For example, the US Census Bureau forecasts that by 2034, adults over the age of 65 will outnumber the population aged under 18. Most of these senior citizens are likely to shun nursing home care, preferring the comfort of their own houses and communities.
While this may not be possible in all cases, mHealth apps and digital platforms will play an increasing role as we transition from COVID-19 to an uncertain future. For older adults isolating or wishing to remain at home but requiring care in later years, remote monitoring technology will be able to assist with physical and mental health support and treatment.
Investors in the healthcare space are acknowledging this need and acting accordingly. For example, Connect America, a company whose products focus on virtual and remote care, recently acquired Royal Philips' Aging and Caregiving (ACG) business. The acquisition includes the Philips Lifeline Personal Emergency Response System (PERS), a platform giving seniors 24/7 access to trained specialist services.
Elsewhere, mobile consultation technologies pioneered during the pandemic may hold the promise of relief for communities and regions having limited health care infrastructures. One example is a project jointly funded by the UK Department for International Development, the UK Economic and Social Research Council, the UK Medical Research Council, and Wellcome. This scheme makes an online training course available to medical professionals in Tanzania, and focuses on remote consultation techniques that can filter down to local communities.
Problems Afflicting Remote Care Medical Apps And APIs
While these initiatives and technological innovations are welcome, mHealth app deployment and remote care implementation do not come without risks. Specifically, mHealth applications hold valuable personal data, and many of them have security vulnerabilities. In addition, the ecosystem sustaining mobile health infrastructure (the backend APIs, the network path, and the devices themselves) provides avenues for cyber-attack.
For a 2020 Security Report on Global mHealth Apps, Approov sponsored ethical hacker and cybersecurity analyst Alissa Knight to make an assessment of security vulnerabilities in mHealth apps and Application Programming Interfaces (APIs).
After testing 100 mHealth apps, Knight concluded that over 70% of the publicly available mobile health applications she examined have at least one high-severity security vulnerability. Among her findings: 91% of the apps used weak or mishandled encryption protocols, 85% leaked data, and 60% did not encrypt data at rest. From an application security perspective, 83% of these high-severity vulnerabilities could have been addressed with established security best practices.
At the API level, the particular concern is malicious scripts that impersonate the mobile app in its traffic to and from the API. This is the favored avenue for attacks on mobile services, since the attacker talks to the API directly rather than having to reverse engineer the mHealth application's compiled code.
Knight's research into authentication and authorization flaws in the communication between mHealth apps and their APIs also uncovered hard-coded secrets in the apps themselves: by pattern matching against the apps' code and traffic she identified digital tokens, API keys, and confidential material such as private certificates and personal credentials.
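Pattern matching for leaked secrets is the kind of check described above, and it is easy to run against a strings dump of a decompiled app or a captured API session. The following is an added example, not tooling from Knight's report or from Approov: the patterns are common token shapes (JWT, AWS access key IDs, PEM private key headers, credentials embedded in URLs, hard-coded key assignments), the sample dump is constructed, and a match only says "this looks like a secret", not that the secret is valid.

```python
"""Scan a decompiled-app strings dump or captured API traffic for leaked secrets.

Added illustrative example; not the tooling used in the Approov/Knight study.
The SAMPLE_DUMP below is constructed and contains no real credentials.
"""
import re
from typing import Dict, List

# Kind -> compiled regex. Each pattern is a well-known token shape, not proof of validity.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credentials_in_url": re.compile(r"https?://[^\s/:@]+:[^\s@/]+@[^\s/]+"),
    # Key name followed by ':' or '=' and a long token; group 1 is the token itself.
    "hardcoded_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|client[_-]?secret|auth[_-]?token)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep only the first `keep` characters so findings can be reported without re-leaking them."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per match: kind, 1-based line number, redacted value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report the secret, not the key name around it.
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"kind": kind, "line": lineno, "value": redact(value)})
    return findings


# Constructed strings dump from a hypothetical decompiled mHealth app (not real data).
SAMPLE_DUMP = """\
# constructed strings dump from a decompiled mHealth app (not real data)
BASE_URL = "https://api.example-health.test/v1"
API_KEY = "c8f2d9a1b4e7f6a3d2c1b0e9f8a7d6c5"
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwYXRpZW50LTQyIn0.dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNpZ25hdHVyZQ
aws_key = AKIAIOSFODNN7EXAMPLE
legacy_sync = "https://svc_user:Winter2020!@sync.example-health.test/upload"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedNotARealKey
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['value']}")
```

Run it against `strings` output from an unpacked APK or IPA, or against a decrypted proxy capture; anything it flags that is shipped inside the app should be treated as already public and rotated, and the real secret moved server-side.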
Among the major API security flaws that Knight highlights are Broken Object Level Authorization (BOLA) vulnerabilities, in which the API authenticates the caller but never checks that the requested object belongs to them, so an attacker can simply request records that should be unavailable (typically by changing an ID in the URL). Poor implementation of Transport Layer Security (TLS) in the current crop of public mHealth apps was also a major issue. Together with the impersonation scripts mentioned above, these create a very concerning situation.
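The BOLA pattern is easiest to see in code. Below is an added example, not code from any app in Knight's study: a vulnerable record handler that only checks "is the caller logged in?" beside a fixed one that also checks "is this caller allowed to see this particular record?". The in-memory record store, user IDs and `Session` object are constructed stand-ins for a real backend's database and authentication layer.

```python
"""Broken Object Level Authorization (BOLA): vulnerable handler beside the fix.

Added illustrative example; the records, users and Session type are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet


class AuthorizationError(Exception):
    """Raised when an authenticated caller asks for an object it may not access."""


@dataclass(frozen=True)
class Session:
    user_id: str  # authenticated subject, established at login
    role: str     # "patient" or "caregiver"


@dataclass
class PatientRecord:
    record_id: str
    patient_id: str
    vitals: Dict[str, float]
    caregiver_ids: FrozenSet[str] = field(default_factory=frozenset)


# Constructed data: two patients; one caregiver is assigned to the first record only.
RECORDS: Dict[str, PatientRecord] = {
    "rec-1001": PatientRecord("rec-1001", "patient-42", {"heart_rate": 72.0, "spo2": 97.0}, frozenset({"nurse-7"})),
    "rec-1002": PatientRecord("rec-1002", "patient-43", {"heart_rate": 88.0, "spo2": 93.0}),
}


def get_record_vulnerable(session: Session, record_id: str) -> PatientRecord:
    """BOLA: authenticates the caller but never relates the record to the caller.

    Any logged-in user can walk the ID space (GET /records/rec-1002, rec-1003, ...)
    and read every patient's vitals. Missing IDs raise KeyError, which also tells the
    attacker which IDs exist.
    """
    if session is None:
        raise PermissionError("login required")
    return RECORDS[record_id]


def is_authorized(session: Session, record: PatientRecord) -> bool:
    """Object-level rule: the patient who owns the record, or a caregiver assigned to it."""
    if session.role == "patient":
        return session.user_id == record.patient_id
    if session.role == "caregiver":
        return session.user_id in record.caregiver_ids
    return False


def get_record_secure(session: Session, record_id: str) -> PatientRecord:
    """Fix: look the object up, then check the caller's relationship to *that* object."""
    if session is None:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    # Same response for "does not exist" and "not yours", so IDs cannot be enumerated.
    if record is None or not is_authorized(session, record):
        raise AuthorizationError(f"record {record_id} not found")
    return record


def probe(handler: Callable[[Session, str], PatientRecord], session: Session, record_id: str) -> str:
    """Run a handler and report the outcome as a short string (used for the demonstration)."""
    try:
        return f"ok:{handler(session, record_id).patient_id}"
    except AuthorizationError:
        return "denied"
    except KeyError:
        return "error"


if __name__ == "__main__":
    attacker = Session("patient-43", "patient")  # legitimately logged in, owns rec-1002 only
    print("vulnerable:", probe(get_record_vulnerable, attacker, "rec-1001"))  # leaks patient-42
    print("secure:    ", probe(get_record_secure, attacker, "rec-1001"))      # denied
```

Note that the fix lives in the API, not the app: an impersonation script bypasses any check the mobile client performs, so object-level authorization must be enforced on every server-side handler that takes an object identifier.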
Remedial Measures
Broadly speaking, mobile health applications and the APIs they rely on must be secured to prevent unauthorized access to personal data, and to ensure compliance with HIPAA and other regulations governing electronic health data and personal health information. As Alissa Knight observes in her study for Approov, most of the high-severity mHealth app security issues could have been dealt with using techniques like code obfuscation, tamper detection, and white-box cryptography. These are client-side hardening measures: they raise the cost of reverse engineering and tampering, but they do not substitute for authorization checks enforced by the API itself.
Risk mitigation measures and best practices for securing mobile health apps and APIs include:
- Securing application source code: Use code obfuscation so that endpoints, keys and logic are not trivially recoverable from the shipped binary, and treat anything that does ship inside the app as discoverable; real secrets belong server-side.
- Securing network connections: Enforce strong access controls, authenticate or attest remote clients, and implement TLS correctly (verify the certificate chain and hostname, never disable verification for convenience).
- Securing Application Programming Interfaces: Ensure that authorization (may this caller access this object?) is enforced alongside authentication, to protect against malicious scripts and DDoS attacks.
- Implementing strong encryption: This applies to mHealth data in transit and, given the storage findings above, to data at rest on the device.
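The TLS point in this list is where many of the apps in the study fell down, so here is the weak client configuration beside the corrected one. This is an added example, not code from Knight's report or from any particular app: it uses Python's standard `ssl` module, the optional pin is a SHA-256 fingerprint of the server's DER-encoded leaf certificate, and `SAMPLE_DER` is constructed bytes standing in for a real certificate (a real deployment would read the certificate from a file).

```python
"""Client-side TLS: the weak configuration seen in many mHealth apps beside a hardened one.

Added illustrative example. SAMPLE_DER is constructed, not a real certificate.
"""
import base64
import hashlib
import socket
import ssl
from typing import Dict, Iterable


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off to make a self-signed test server 'work'.

    Any on-path attacker can present any certificate and read or alter health data.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain and hostname against the system trust store; refuse TLS below 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value view of the settings that matter, useful when auditing a client."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


def cert_fingerprint(der_cert: bytes) -> str:
    """Base64 SHA-256 of the DER certificate, the form usually kept in a pin list."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate is one of the pinned ones (ship at least one backup pin)."""
    return cert_fingerprint(der_cert) in set(pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Handshake with full verification, then additionally enforce the pin. Needs network access."""
    ctx = hardened_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pinned fingerprint")
    return tls


# Constructed stand-in for a server's DER certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_PIN = cert_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print("insecure:", context_summary(insecure_context()))
    print("hardened:", context_summary(hardened_context()))
    print("pin:", SAMPLE_PIN, "matches:", pin_matches(SAMPLE_DER, [SAMPLE_PIN]))
```

Pinning the leaf certificate means the app must be updated whenever the server certificate rotates, which is why a backup pin is kept in the list; pinning is an extra layer on top of normal chain validation, never a replacement for it.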
At the development level, designers of mHealth apps and APIs for remote care of the elderly should also be performing regular security tests (pentests), in line with prevailing threat intelligence and security best practices. After all, healthcare is a regulated industry and it is expected that companies offering mobile healthcare services are taking appropriate care of the sensitive and personal data that they are handling.
If we are to deliver healthcare services to a growing elderly population while safeguarding patients and their sensitive personal data, understanding and addressing the risks of services delivered through a mobile touchpoint is vital.