Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

Embed Size (px)

Text of Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    Mobile Apps & Connected Health Care:Managing 3rd-Party Mobile App Risk

    Andrew Hoog | Founder | NowSecureNH-ISAC 2017 Third Party Risk Summit

    November 2017

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    Andrew Hoog, NowSecure Founder NowSecure Founder & Board Member Literally wrote the books on mobile forensics & security 2 patents for data recovery/forensics Expert witness Brief govt agencies & top banks on mobile security topics

    WHO AM I?

    Proud sponsor/supporter of:

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    TWO VECTORS OF MOBILE APP RISK

    CONNECTED CAREBYOD with BYOApps

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    THE STATE OF BYO IN HEALTH CARE

    71% of hospitalsallow BYOD

    63% of physiciansuse personal

    devices for work(even if BYOD is prohibited)

    41% of nursesuse personal

    devices for work(even if BYOD is prohibited)

    Source: Spokes Fifth Annual Mobility Strategies in Healthcare Survey: Results Revealed

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    AT THE TOP 25 LARGEST US HOSPITALS

    Sources:;Average number of apps installed by users in the United States in 2016, by device Statista

    24,823 Employees (devices) avg

    89 Apps per device avg

    2,200,000 Points of risk

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    NIST/NCCOE SECURING EHRON MOBILE DEVICES & APPS

    Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organizations networks.

    NIST Cybersecurity Practice Guide SP 1800-1b

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    TYPES OF APPS IN CLINICAL ENVIRONMENTS

    Medical device control/monitoring Clinical care - scheduling, EMR management Medical Imaging - for viewing MRI, X-ray, etc. Secure/compliant communications - voice, text, alerting Reference - calculators, prescription/diagnostic information Education - continuing medical education (CME), study materials Consumer health - disease management, trackers, etc. Other 3rd-party apps - games, social networking, etc.

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    WHAT IS THE MOBILE APP ATTACK SURFACE?

    8

    API BACKENDPlatform vulnerabilitiesServer misconfigurationCross-site scriptingCross-site request forgery Cross origin resource sharingBrute force attacksSide channel attacks

    SQL injectionPrivilege escalationData dumpingOS command executionWeak input validationHypervisor attackVPN

    DATA AT REST

    Data cachingData stored in application directory

    Decryption of keychainData stored in log filesData cached in memory/RAMData stored in SD card

    OS data cachingPasswords & data accessibleNo/Weak encryptionTEE/Secure Enclave ProcessorSide channel leakSQLite databaseEmulator variance

    DATA IN MOTION

    Wi-Fi (no/weak encryption)Rogue access pointPacket sniffingMan-in-the-middleSession hijackingDNS poisoningTLS DowngradeFake TLS certificateImproper TLS validation

    HTTP ProxiesVPNsWeak/No Local authenticationApp transport securityTransmitted to insecure server Zip files in transitCookie httpOnly flagCookie secure flag

    GPS spoofingBuffer overflowallowBackup FlagallowDebug FlagCode ObfuscationConfiguration manipulationEscalated privileges

    URL schemesGPS spoofingIntegrity/tampering/repackingSide channel attacksApp signing key unprotectedJSON-RPCAutomatic Reference Counting

    CODE FUNCTIONALITY

    Android rooting/iOS jailbreakUser-initiated codeConfused deputy attackMultimedia/file format parsersInsecure 3rd party librariesWorld Writable FilesWorld Writable Executables

    Dynamic runtime injectionUnintended permissionsUI overlay/pin stealingIntent hijackingZip directory traversalClipboard dataWorld Readable Files

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    HOW SECURE ARE MOBILE APPS IN GENERAL?

    more likely to leak account credentials

    Business apps:

    3X 60% oforgsreport an insecuremobile app contributingto a breach

    50% ofAndroid appsdynamically load code missed by static analysis

    1% ofAndroid appsuse Google SafetyNet Attestation API properly

    35%transmit dataun-encrypted

    of apps25%

    have at least 1high risk flaw

    of apps

    Source: NowSecure Software and Research Data 2016-2017, Ponemon Institute 2017 Study on Mobile & IoT App Security

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?

    10

    Evaluate mobile technology Establish mobile security and

    architecture requirements Test for vulnerabilities and ensure

    security, privacy, compliance

    SECURITY & ARCHITECTURE Centrally coordinate & enable business

    mobilization Support BYOD, COPE & Enterprise

    managed devices & apps Easy, quick vetting of 3rd party mobile

    apps to ensure meet policy and governance requirements

    MOBILE CENTER OF EXCELLENCE Establish risk-based guidelines for

    mobile app security, compliance and privacy

    Ensure governance and controls in place for all mobile apps

    Track and report on industry compliance and privacy mandates

    COMPLIANCE & RISK

  • 3RD-PARTY MOBILE APP RISK IN HEALTH CARE

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    STATE OF MOBILE APP SECURITY IN HEALTH CARE

    Good news:Many developers do the right thing

    Bad news:Too many risks still persist

    Our Industry Assessment: Leveraged advanced mobile app vetting technology

    to identify security, compliance, and privacy gaps in Android and iOS apps using industry standard CVSS scores

    A number of apps had no severe risks Numerous apps had significant security risks

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    iOS: CLINICAL COMMUNICATIONS APPS

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    iOS: UK MEDICAL REFERENCE APP

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    ANDROID: INSERTABLE CARDIAC MONITOR(ICM) APP

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    iOS: ELECTROCARDIOGRAM APP

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    ANDROID: PATIENT EMR APP

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    PATH TO MITIGATING 3RD-PARTY APP RISK

    Use 3rd-Party mobile app vetting for existing approved apps already deployed to scope current risk profile

    Identify appropriate mobile app remediations, reconfigurations or removals for existing 3rd-Party apps

    Adjust policiesas needed

    Leverage MDM to fully inventory all mobile apps across enterprise mobile devices

    Use 3rd-Party mobile app vetting across all apps from MDM inventory to scope full risk profile

    Identify & take appropriate remediations & actions

    Continuously monitor all approved 3rd-Party apps for risky updates

    Establish policy & process to take new 3rd-Party mobile app requests and vet app requests before deployment

    Integrate 3rd-Party mobile app vetting into EMM automation, black/whitelisting

    1 2 3

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    NEED TO ADDRESS BOTH VECTORS OFMOBILE APP RISK

    CONNECTED CAREBYOD with BYOApps

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    THANK YOU - RESOURCES

    Blog: HIPAA-compliant mobile apps

    bit.ly/2zZpoQz

    Blog: Mitigating MITM risks in mHealth apps

    bit.ly/2jfiaxo

  • Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

    THANK YOU!