
Page 1: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

Mobile Apps & Connected Health Care: Managing 3rd-Party Mobile App Risk

Andrew Hoog | Founder | NowSecure

NH-ISAC 2017 Third Party Risk Summit

November 2017

Page 2

WHO AM I?

▪ Andrew Hoog, NowSecure Founder
• NowSecure Founder & Board Member
• Literally wrote the books on mobile forensics & security
• 2 patents for data recovery/forensics
• Expert witness
• Brief gov’t agencies & top banks on mobile security topics

Proud sponsor/supporter of:

Page 3

TWO VECTORS OF MOBILE APP RISK

CONNECTED CARE

BYOD with BYOApps

Page 4

THE STATE OF BYO IN HEALTH CARE

71% of hospitals allow BYOD

63% of physicians use personal devices for work (even if BYOD is prohibited)

41% of nurses use personal devices for work (even if BYOD is prohibited)

Source: Spok’s Fifth Annual Mobility Strategies in Healthcare Survey: Results Revealed

Page 5

AT THE TOP 25 LARGEST US HOSPITALS

24,823 Employees (devices) avg

89 Apps per device avg

2,200,000 Points of risk

Sources: “Average number of apps installed by users in the United States in 2016, by device,” Statista

Page 6

NIST/NCCOE: SECURING EHR ON MOBILE DEVICES & APPS

“Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization’s networks.”

NIST Cybersecurity Practice Guide SP 1800-1b

Page 7

TYPES OF APPS IN CLINICAL ENVIRONMENTS

▪ Medical device control/monitoring
▪ Clinical care - scheduling, EMR management
▪ Medical imaging - for viewing MRI, X-ray, etc.
▪ Secure/compliant communications - voice, text, alerting
▪ Reference - calculators, prescription/diagnostic information
▪ Education - continuing medical education (CME), study materials
▪ Consumer health - disease management, trackers, etc.
▪ Other 3rd-party apps - games, social networking, etc.

Page 8

WHAT IS THE MOBILE APP ATTACK SURFACE?

API BACKEND

▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN

DATA AT REST

▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION

▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag

CODE FUNCTIONALITY

▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/PIN stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World readable files
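As an added vetting check (example code written for this page, not NowSecure's tooling or any product the deck describes), the script below inspects a decoded AndroidManifest.xml for several manifest-level items from the list above: the allowBackup and allowDebug flags, unencrypted transport, and components exported without a permission (the unintended permissions and intent hijacking entries). The sample manifest is constructed; the script assumes the manifest has already been decoded to plain XML, for instance with apktool.

```python
"""Static vetting checks for a decoded AndroidManifest.xml (added example, not
NowSecure's tooling): flags allowBackup, debuggable, cleartext traffic and exported
components from the attack-surface list. Assumes apktool-style decoded XML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _a(elem, name):  # read an android:<name> attribute, None if absent
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def vet_manifest(manifest_xml: str) -> list[str]:
    """Return finding strings for the given manifest text."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    # Backup/debug flags let app-private data be pulled off the device (data at rest)
    if _a(app, "allowBackup") != "false":
        findings.append("allowBackup not disabled (defaults to true)")
    if _a(app, "debuggable") == "true":
        findings.append("debuggable=true in a release manifest")
    # Data in motion without TLS
    if _a(app, "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true")
    # Exported components are reachable by any app on the device unless guarded by a
    # permission; an intent-filter with no android:exported means implicit export.
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = _a(comp, "exported")
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and _a(comp, "permission") is None:
            how = "explicitly" if exported == "true" else "implicitly via intent-filter"
            findings.append(f"{comp.tag} {_a(comp, 'name')} exported {how} without permission")
    return findings

# Constructed sample manifest, not taken from any real app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.emrviewer">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.emrviewer.UPLOAD"/>
  </application>
</manifest>"""
```

Running `vet_manifest(SAMPLE_MANIFEST)` reports five findings; the permission-guarded UploadService is not flagged.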

Page 9

HOW SECURE ARE MOBILE APPS IN GENERAL?

Business apps: 3X more likely to leak account credentials

60% of orgs report an insecure mobile app contributing to a breach

50% of Android apps dynamically load code missed by static analysis

1% of Android apps use Google SafetyNet Attestation API properly

35% of apps transmit data un-encrypted

25% of apps have at least 1 high risk flaw

Source: NowSecure Software and Research Data 2016-2017, Ponemon Institute 2017 Study on Mobile & IoT App Security

Page 10

WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?

SECURITY & ARCHITECTURE

• Evaluate mobile technology
• Establish mobile security and architecture requirements
• Test for vulnerabilities and ensure security, privacy, compliance

MOBILE CENTER OF EXCELLENCE

• Centrally coordinate & enable business mobilization
• Support BYOD, COPE & enterprise managed devices & apps
• Easy, quick vetting of 3rd party mobile apps to ensure they meet policy and governance requirements

COMPLIANCE & RISK

• Establish risk-based guidelines for mobile app security, compliance and privacy
• Ensure governance and controls are in place for all mobile apps
• Track and report on industry compliance and privacy mandates

Page 11

3RD-PARTY MOBILE APP RISK IN HEALTH CARE

Page 12

STATE OF MOBILE APP SECURITY IN HEALTH CARE

▪ Good news: Many developers do the right thing

▪ Bad news: Too many risks still persist

▪ Our Industry Assessment:
• Leveraged advanced mobile app vetting technology to identify security, compliance, and privacy gaps in Android and iOS apps using industry standard CVSS scores
• A number of apps had no severe risks
• Numerous apps had significant security risks

Page 13

iOS: CLINICAL COMMUNICATIONS APPS

Page 14

iOS: UK MEDICAL REFERENCE APP

Page 15

ANDROID: INSERTABLE CARDIAC MONITOR (ICM) APP

Page 16

iOS: ELECTROCARDIOGRAM APP

Page 17

ANDROID: PATIENT EMR APP

Page 18

PATH TO MITIGATING 3RD-PARTY APP RISK

1

● Use 3rd-party mobile app vetting for existing approved apps already deployed to scope current risk profile
● Identify appropriate mobile app remediations, reconfigurations or removals for existing 3rd-party apps
● Adjust policies as needed

2

● Leverage MDM to fully inventory all mobile apps across enterprise mobile devices
● Use 3rd-party mobile app vetting across all apps from MDM inventory to scope full risk profile
● Identify & take appropriate remediations & actions

3

● Continuously monitor all approved 3rd-party apps for risky updates
● Establish policy & process to take new 3rd-party mobile app requests and vet app requests before deployment
● Integrate 3rd-party mobile app vetting into EMM automation, black/whitelisting

Page 19

NEED TO ADDRESS BOTH VECTORS OF MOBILE APP RISK

CONNECTED CARE

BYOD with BYOApps

Page 20

THANK YOU - RESOURCES

Blog: HIPAA-compliant mobile apps

bit.ly/2zZpoQz

Blog: Mitigating MITM risks in mHealth apps

bit.ly/2jfiaxo

Page 21

THANK YOU!