According to Alissa Knight, a former hacker, personal health information (PHI) is the most highly valued data on the dark web. She states that a single PHI record sells for 10 times the price of a credit card number. Knight partnered with Approov, a mobile security company, to test mobile health apps by attacking them through their application programming interfaces (APIs). They tested 30 apps this way to identify threats to those apps and the PHI they handle. Their findings were published in a report, “All That We Let In.”
Knight and Approov found that all 30 of the apps they tested were vulnerable to API attacks. Some even allowed them to access electronic health records such as x-rays, pathology reports, prescriptions, and mental health records. Upwards of 20 million mobile health users are exposed to potential attacks through these tested apps alone. The vast majority of the tested apps had hardcoded API keys. As Approov CEO David Stewart explains it, APIs are the channels of communication between an app and a server or hospital infrastructure, and the API key is the credential that lets the app use them; essentially, the key opens the door to a deeper wealth of information. If an API key is hardcoded into the mobile app, an attacker can decompile the app, dig through the code and resources, and extract the key, then call the API directly as though they were the legitimate app and gain access to PHI and more. The report also states that a small percentage of the tested apps had hardcoded usernames and passwords.
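The check a practitioner would run first is the one the attackers run: dump the printable strings from a decompiled app and look for credentials. The scanner below is an added example, not code from the report or from Approov. It runs over a constructed list of strings (the sample values are made up, including the AWS documentation example key and a base64 Basic-auth header that decodes to a placeholder username and password), and it uses a Shannon-entropy filter so that generic `api_key = ...` hits are only reported when the value looks like real key material.

```python
import base64
import binascii
import math
import re

# Constructed sample: strings of the kind you get from `strings` over a
# decompiled classes.dex or an iOS binary. None of these values are real.
SAMPLE_STRINGS = """
androidx.appcompat.widget.Toolbar
BASE_URL=https://api.example-health.test/v1
X-Api-Key: a3f9c2e1d4b7486a9f0e1c2d3b4a5f6e
FHIR_CLIENT_ID=mobile-ios
Authorization: Basic ZGV2dXNlcjpwYXNzd29yZDEyMw==
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
ok_button_label
""".strip().splitlines()

PATTERNS = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A hardcoded Basic header is a hardcoded username:password pair.
    "basic_auth": re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)"),
    # Generic "api_key = value" style assignments or headers.
    "generic_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random key material is typically > 3."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines, min_entropy: float = 3.0):
    """Return a list of findings {kind, line, value} for hardcoded credentials."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = PATTERNS["aws_access_key"].search(line)
        if m:
            findings.append({"kind": "aws_access_key", "line": lineno, "value": m.group(0)})

        m = PATTERNS["basic_auth"].search(line)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None  # not valid base64; report the raw token instead
            findings.append({"kind": "basic_auth", "line": lineno, "value": decoded or m.group(1)})

        m = PATTERNS["generic_secret"].search(line)
        # Entropy filter drops placeholders such as "aaaaaaaaaaaaaaaaaaaa".
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append({"kind": "generic_secret", "line": lineno, "value": m.group(2)})
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f['line']:>3}  {f['kind']:<15} {f['value']}")
```

On the constructed sample this flags the API key header, the Basic-auth pair (decoded), and the AWS key ID, and ignores the URL and UI strings. The patterns are deliberately few; a real sweep would add the vendor-specific formats for the services the app talks to, and the entropy threshold is an assumption to tune against your own false-positive rate.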
Knight attacked a hospital system as part of the test and was able to access health records and registration information for a patient’s family members simply by changing the EHR identifier in the request by one digit. She used a tool that made the requests appear to come from the mobile health app itself. She states that, “The traffic looks exactly the same as traffic that’s coming from the actual mobile app, and that gives the hackers so much more flexibility about the things that they can do.” That one-digit change is an instance of Broken Object Level Authorization (BOLA): the API confirmed that the caller was logged in but never checked that the caller was entitled to the specific record requested. The report found the apps susceptible to BOLA and to various other attacks as well.
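The flaw and its fix are easiest to see side by side. Below is an added example, not code from the report or from any of the tested apps: a minimal record-lookup handler in the vulnerable form (authenticated caller, no per-object check) beside a hardened form that decides access on the server from the caller’s identity and a stored care relationship, never from anything the client sends. The records, user IDs and the care-team table are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str  # "patient" or "clinician"


@dataclass(frozen=True)
class Record:
    record_id: int
    patient_id: str
    body: str


# Constructed sample data. Sequential IDs are what make "change one digit" work.
RECORDS = {
    1001: Record(1001, "pt-alice", "x-ray: left wrist, no fracture"),
    1002: Record(1002, "pt-bob", "pathology: biopsy, benign"),
}
# Assumption for the example: the backend, not the client, knows which
# clinician is in a care relationship with which patient.
CARE_TEAM = {"dr-chen": {"pt-bob"}}

AUDIT_LOG = []


class Forbidden(Exception):
    """Maps to a single HTTP status for both 'missing' and 'not yours'."""


def get_record_vulnerable(caller: Caller, record_id: int) -> str:
    """BOLA: the caller is authenticated (it has a session), but nothing ties
    the requested record to that caller. Any logged-in user reads any ID."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise KeyError(record_id)
    return rec.body


def is_authorized(caller: Caller, rec: Record) -> bool:
    """Object-level check: is this caller allowed to see this record?"""
    if caller.role == "patient":
        return caller.user_id == rec.patient_id
    if caller.role == "clinician":
        return rec.patient_id in CARE_TEAM.get(caller.user_id, set())
    return False


def get_record(caller: Caller, record_id: int) -> str:
    """Hardened handler: look the object up, then authorize the caller against
    it. Missing and unauthorized records return the same error so an attacker
    cannot use the difference to enumerate valid IDs."""
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorized(caller, rec):
        # Denials are the detection signal: a burst of these from one session
        # walking adjacent IDs is exactly the attack described above.
        AUDIT_LOG.append(f"DENY user={caller.user_id} record={record_id}")
        raise Forbidden(f"record {record_id}")
    return rec.body


def demo():
    """Alice (owner of 1001) requests the neighbouring ID 1002."""
    alice = Caller("pt-alice", "patient")
    leaked = get_record_vulnerable(alice, 1002)  # Bob's pathology report
    try:
        get_record(alice, 1002)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable handler returned:", leaked)
    print("hardened handler blocked it:", blocked)
    print(AUDIT_LOG)
```

The authorization decision lives in `is_authorized`, keyed on the server-side session identity and the server’s own care-team table; the client’s request carries only the record ID. Using non-sequential record identifiers reduces the guessability of neighbouring IDs but is not a substitute for the per-object check.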
API attacks continue to rise in frequency and are on their way to becoming the most common attack against mobile applications. The current global health crisis caused by COVID-19 has increased the use of mobile health applications and virtual healthcare, which is why Alissa Knight and Approov decided to partner on this study. Though the names of the tested applications are being kept anonymous, Stewart acknowledges that apps from large healthcare systems and mobile health vendors were among those tested and found to be vulnerable. These vulnerabilities put large amounts of PHI at risk, which is why it is critical that APIs be secured.
How to Protect Against API Attacks
Tools such as APIsec, which run security tests against APIs to find vulnerabilities, are recommended. Secure mobile and web applications begin with secure APIs, and the controls around them should be monitored and adjusted to stay in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Knight adds that security should be built in from the very beginning of developing and coding a new app, because healthcare needs to keep pace with the technology of the time despite the threats facing mobile apps.
Horowitz, Brian T. “Mobile Health Apps Leak Sensitive Data through APIs, Report Finds.” FierceHealthcare, Questex, 24 Feb. 2021.