For several years experts have warned about security threats to personal health data. In 2018, ECRI Institute singled out cybersecurity as the most significant hazard in its 2019 Top 10 Health Technology Hazards report. Also in 2018, a group of studies and reports found that the weakest links in the chain that protects patient health data are patients' bad security habits.
In January this year, Approov, a mobile application API threat protection company based in San Jose and Edinburgh, Scotland, studied 30 common mobile health (mHealth) apps and reported that 100% were vulnerable to API attacks. In every case the attacks could allow unauthorized access to patient information, including protected health information (PHI) and personally identifiable information (PII). Researcher Alissa Knight of Knight Ink conducted the study for Approov. You can download the API vulnerability analysis report, All That We Let In, for free on Approov's site.
The vulnerable mHealth apps weren't from small companies. The average mHealth app among the 30 studied had been downloaded 772,619 times, and together they exposed approximately 23 million mobile app users. Many apps came from highly recognizable sources such as Google, Cisco Umbrella, Microsoft App Center, Amazon AWS, Facebook, Vonage, and SalesForce. Knight Ink discovered API keys and tokens for all of the apps from these major sources. Of the 30 apps tested, 77% had hardcoded API keys that do not expire. Even worse, 50% of the tested APIs did not authenticate access requests with tokens. The vulnerability headlines go on and on.
We have to keep in mind that Approov's business is selling mobile application API threat protection and that Knight Ink produced the report for Approov. It's also possible that some of the smaller tested apps not mentioned above were rushed to market in the hot health tech space. Even though both companies involved in this report have dogs in the hunt, the broad vulnerability of personal information, including health information, is still shocking.