According to a new report from data security company Arxan, even some FDA-cleared mobile health apps and apps recommended by the UK’s NHS are vulnerable to multiple security risks from the Open Web Application Security Project’s list of top ten mobile security vulnerabilities. On top of that, nearly half of health IT decision makers who oversee apps expect to be hacked in the next six months.
“The impact for healthcare organizations and health app users can be devastating,” Arxan CTO Sam Rehman said in the report. “Imagine having your mobile health app leak your personal health information or your app reprogrammed to instruct you to deliver a lethal dose of medication.”
Arxan commissioned third-party surveys of 815 consumers who use health apps and 268 IT decision makers who oversee health apps in the US, UK, Germany, and Japan. They also commissioned a third-party security review of the 71 most popular health apps in the four regions, including 19 with FDA clearance and 15 approved by the NHS.
The survey showed that 55 percent of the consumers surveyed actually expect their health apps to be hacked within the next six months, as do 48 percent of IT decision makers.
There’s some baffling inconsistency, though, because the same surveys showed that 78 percent of users and 87 percent of execs considered their mobile app to be “adequately secure.” Half of users and three-quarters of execs felt everything was being done that could be done to protect their apps.
This isn’t the case according to the security review, which found that 86 percent of the 71 apps had at least two of the 10 critical vulnerabilities on OWASP’s list. That includes 16 of the 19 FDA-cleared apps and 12 of the 15 NHS-approved apps. The two most glaring vulnerabilities were lack of binary protection, which afflicted 97 percent of apps, and insufficient transport-layer protection, which affected 79 percent of apps.
There’s a cost to having insecure apps, the consumer survey revealed: 76 percent of health app users said they would change providers if they knew the apps they were using were not secure, and 80 percent would change providers if they knew alternative apps offered by similar service providers were more secure.