Philips HealthSuite Android app poses possible security risk

Both Philips and the Department of Homeland Security warned of the app's inadequate encryption strength and vulnerability to hackers.
By Laura Lovett

Last week the Department of Homeland Security and Philips issued notices alerting the public to possible cybersecurity risks in Philips' HealthSuite Health Android app.

The DHS said the risk was related to inadequate encryption strength and warned that it would not be difficult for hackers to exploit this vulnerability. 

“Successful exploitation of this vulnerability may allow an attacker with physical access to impact confidentiality and integrity of the product,” the DHS wrote in its warning. 

The app can connect to Philips' health monitoring devices, including a health watch, connected scale, blood pressure monitor and thermometer.

Earlier last week Philips also issued a statement about the potential risk, clarifying that as of now no one has reported being hacked.  

“At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this vulnerability,” Philips wrote in a statement addressing the problem. “Philips analysis indicates that there is no expectation of patient hazard due to this issue.”

The company said it will be launching new software in the first quarter of 2019 to address the vulnerability. Until then, Philips recommends users avoid jail-breaking or rooting their smartphones.

Why it matters

While no exploitations have been reported thus far, Philips said that if a hacker is able to gain access to a user’s app, they could access data that could be detrimental to the “confidentiality and integrity of the product.”

What's the trend

The digital health world is no stranger to hacks. In July, research center Appthority reported that a security vulnerability affecting more than 3,000 mobile apps was exposing more than 4 million protected health records, which include prescription details and sensitive chat messages. 

Cybersecurity made headlines last January when the Institute for United Conflict Analysts discovered that fitness app Strava’s heat map data betrayed the locations of US military bases and patrol routes. 

This prompted the Pentagon to clamp down on wearable fitness devices and implement new restrictions, which specify that military personnel deployed in operational areas will not be allowed to use wearable trackers or smartphone apps, government-issued or otherwise, that can identify their location.