“We’ve had 20 years to learn and perfect desktop security,” Jeff Forristal says. And not nearly as much time for securing mHealth apps and devices.
As CTO of mobile data security company BlueBox, Forristal sees today’s security weaknesses as a result of the mHealth industry’s immaturity, rather than mobile apps and devices being inherently less secure than their desk-bound brethren.
The attack on Community Health Systems just last month — wherein hackers used malware to infiltrate the massive 206-hospital, 28-state network and get away with 4.5 million records — was something of a shocker. But it’s merely the latest in a long line of such attacks, and plenty of security experts are warning that things will get worse before they get better.
Operating systems and apps
Consider that the most common category of malware masquerading as mobile apps is anti-virus security.
“As of April this year, of the 890,482 sample fake apps discovered from serious sources, 394,263 were detected as malware,” according to a 2014 report from Trend Micro.
What’s more, 77 percent of the 50 most popular mobile apps had fake versions; 40 percent of those categorized as medical were also phony but made to resemble the real thing, and of that 40 percent, half were deemed “malicious.”
On the smartphone side, Android-powered devices are the most frequently targeted because the open platform makes it easier to install a malicious application than on an iPhone or a BlackBerry, according to Armando Orozco, mobile security expert and senior malware intelligence analyst for Malwarebytes, and other analysts.
“The older BlackBerrys are the most secure. They take enterprise security seriously,” Orozco said. “The iPhone is pretty well locked down, but Android is more of the Wild West.”
Hospital CIOs and administrators should require the use of a select list of approved devices and bar medical staff from downloading onto those devices any application other than those sent from headquarters, so to speak.
Healthcare organizations must also be willing to severely limit staff and patient access to records. Apple, BlackBerry and Google offer reassurances about how fastidious they are in keeping malicious applications off their sites. Even so, given that anti-virus applications are the favorite haunt of cyber thieves, perhaps the best bet is to require all healthcare employees to download these necessary applications only from the legitimate manufacturer’s site rather than from an application store.