
Mobile app safety concerns aren't going away any time soon

From the mHealthNews archive
By Tom Sullivan

Mobile applications are widely understood to have security gaps, but things may be even worse than they appear.

That’s as true of mHealth apps as of any other category.

“Today, with the advent of mobile, the whole attack surface has fundamentally changed,” says Aetna Chief Information Security Officer Jim Routh.

Malware, phishing and lost or stolen smartphones, tablets and thumb drives make it nearly impossible to secure every endpoint, and each of those endpoints potentially holds either protected health information or a way into hospital networks.

Whereas myriad health data breaches today occur because an employee loses his or her device, analyst firms such as Gartner and the Ponemon Institute expect deliberate attacks to account for a growing share of breaches in the coming years.


“By 2017 the focus of endpoint breaches will shift to tablets and smartphones. Already there are three attacks to mobile devices for every attack to a desktop,” Gartner Principal Research Analyst Dionisio Zumerle said in a prepared statement. “The security features that mobile devices offer today will not suffice to keep breaches to a minimum.”

The apps themselves are particularly vulnerable, and will likely remain so while the vendors behind the established testing approaches, static application security testing (SAST) and dynamic application security testing (DAST), come up to speed on mobile apps, which Zumerle called a new area even for these experienced testers.

And while behavioral analysis, which observes an app at runtime for malicious or risky behavior, is emerging as a form of security testing specific to mobile software, Gartner said testing the client layer alone is not enough.

“The server layer should be tested as well. Mobile clients communicate with servers to access an enterprise's applications and databases,” Gartner cautioned. “Failure to protect a server poses the risk of losing the data of hundreds of thousands of users from the enterprise's databases.”

It gets thornier when one considers Gartner's findings: more than 90 percent of enterprises, healthcare entities among them, use third-party software for their mobile BYOD strategies; 75 percent of mobile apps will fail the existing security tests well into 2015; and, in turn, through 2017 75 percent of breaches will come about because of “mobile application misconfigurations.”

Indeed, that change is already underway, Routh said.

“Cracking the OS is really not where the risks are today,” he explained. “It’s the software you’re loading onto your device.”
