Introduction and Context
This blog provides a snapshot of mobile app security in Healthcare based on an extensive study performed by Osterman Research and published in the Approov-sponsored report “The State of Mobile App Security in 2022”, in July this year.
A second blog released today provides the same level of information and analysis for the Financial Services Industry.
In a follow-up to the research published in the report, Osterman Research has issued new mobile app security findings by sector for Healthcare and Financial Services.
The findings reveal both the growing dependence of each sector on mobile apps, and some sector-specific gaps between the strategic importance of mobile apps and the attention and resources allocated to protecting mobile apps against runtime threats.
The findings were based on a survey of 302 security directors and mobile application development professionals in the US and UK who identified themselves as being employed in Tech, Financial Services, Healthcare or “other” sectors. The original report and a 30 minute video summarizing the findings are available here.
All sectors saw a sudden mass migration to online services in the last 2 years, and mobile apps have rapidly become business-critical: their importance across industries tripled in the last 2 years, and they are expected to become even more essential by 2024, with 92% of respondents saying they will be critical to the business by then.
Healthcare Specifics
Use of mobile apps in Healthcare was already trending up before it became a massive spike in 2020 with the growth in demand for virtual healthcare. Since the pandemic, mobile access to Healthcare has become essential. Doctors are no longer working within secure hospital networks and patients are accessing care remotely.
These apps are used by practitioners for all aspects of treatment and practice management and by patients to control and access healthcare data. In addition, government regulations are driving adoption by pushing patient ownership of data as well as innovation through interoperability via standardized APIs such as FHIR. Apps must be protected in order to prevent unauthorized access to Personal Health Information (PHI) and to ensure HIPAA compliance in this highly regulated industry, but a number of reports in 2021 showed that mHealth apps were exposed.
Approov sponsored two major reports in 2021 on the state of security of mobile healthcare apps as well as FHIR healthcare APIs.
The new Osterman research found that the importance of mobile apps in Healthcare more than tripled between 2020 and 2022, with 17 percent of respondents reporting mobile apps as critical to business operations in 2020, and 60 percent of respondents reporting the same in 2022.
In the Tech sector, on the other hand, mobile apps were considered critical to the line of business operations in 2020 by 68 percent of respondents. In 2022, 86 percent of Tech respondents cited mobile apps as critical to their organization’s business.
Michael Sampson, Senior Analyst at Osterman Research and author of the report, said:
“The technology vertical adopted mobile apps earlier but over the last 2 years, other verticals such as Financial Services and Healthcare have been scrambling to catch up.”
A rapid rate of change in the criticality of mobile apps inevitably puts pressure on organizations to rush new features to market and this is reflected in the findings.
For Healthcare, 43 percent of respondents indicated that their organizations prioritized bringing new features to market over fixing known insecurities.
Michael Sampson says: “This dynamic environment unfortunately seems to lead to a situation where new features are prioritized over security.”
The report highlights particular security issues in Healthcare:
- In industry verticals other than Healthcare, respondents reported knowing whether API keys were exposed. In Healthcare, however, 13 percent of respondents did not actually know if their mobile app API keys were exposed – a much higher percentage than other verticals.
- Poor visibility into security incidents was widespread in Healthcare for a number of common threats, consistently 2-3 times worse than in Tech.
- One example is that in Healthcare, the lack of visibility into “scripts stealing data from APIs” was 3 times worse than in Tech, with 77% of respondents reporting limited visibility.
- Another example is “fake account creation”, where twice as many respondents in Healthcare reported poor visibility (70%) as in Tech.
In Summary
Findings from “The State of Mobile App Security in 2022” show that, in Healthcare, both the race to adopt mobile apps and the regulatory pressure to open up access to patient records have exposed security issues, and the industry is scrambling to catch up.
Embracing secure development practices for building mobile apps and APIs is essential to safeguard Personal Health Information, and in addition a run-time security strategy must be put in place to protect against the misuse of stolen credentials to steal PHI.
Learn more about Approov in Healthcare here and learn how a free 30 day trial would help you gain visibility to mobile app threats here.
*** This is a Security Bloggers Network syndicated blog from Approov Blog authored by George McGregor. Read the original post at: https://blog.approov.io/the-state-of-mobile-app-security-in-2022-in-healthcare