The Critical Need for Fully Secure Networks for Remote Data Sharing

The following is a guest article by Lucio Lanza, Managing Partner at Lanza techVentures, David Stewart, CEO at Approov.

Covid compelled healthcare providers and consumers to accelerate their digital transformation and they did, creating dramatic changes in behavior patterns.

The traditional hospital-centric medical care system morphed into a patient-centric care system. Virtual, distributed healthcare services provided digitally are proof that distance is dead. Consumers now oversee their own healthcare monitoring remotely through technology and mobile apps that help them measure their health. Mobile apps have become a mandatory requirement to interact via digital services and a good way to have access to all levels of healthcare data, firmly moving healthcare to the periphery.

The acclaim for the peripheralization and the value of remote access overlooks one glaring vulnerability: the networks for remote data sharing are just not secure.

It’s no wonder. In the rush to meet market needs during covid and beyond, security was secondary. For healthcare data, that must change, something healthcare services providers may not fully able to do.

Two 2021 reports on the state of security in the healthcare sector offer a grim assessment of the vulnerabilities that could crater the entire remote and distributed ecosystem. The first report looks at the state of security within the full range mobile healthcare apps and APIs. The second report comes after a year-long vulnerability study of Fast Healthcare Interoperability and Resources (FHIR) APIs used by Electronic Health Record (EHR) companies, healthcare services providers and healthcare data aggregators. Both reports underscore a lack of basic protections. The general conclusion of the second report is that FHIR is a solid API standard but the implementation of security on FHIR APIs needs to be strengthened to ensure the protection and confidentiality of healthcare data. In particular, man-in-the-middle attacks against the APIs that service third-party mobile apps were shown in the research to be particularly straightforward to execute.

FHIR was adopted in 2011 and driven by the U.S. Department of Health and Human Services (HHS) to facilitate better consumer control of healthcare data through the use of APIs to build an ecosystem for accessing consumer healthcare data.

Security Challenges to Remote Access

Remote access is a huge opportunity for new and existing mobile app centric players to provide data access and aggregation services that use the FHIR API specification. The mobile health apps market revenue could hit $111.1 billion by 2025, according to Zion Market Research.

The opportunity also means a huge confidentiality risk as a consumer’s personal healthcare data becomes readily accessible through remote access. Many healthcare records are highly personal, like, for example, mental health services, putting consumers in a very vulnerable position if that sensitive information is hacked and shared.

Other examples are stolen user credentials that can be used maliciously by scripts to launch credential stuffing attacks against the APIs in order to access personal data.

The damaging potential of online theft of healthcare data has a far more significant long-term effect than that of a stolen credit card number or an illegally accessed bank account. Financial institutions will typically close the breached account and replace the credit card or stolen funds. Once healthcare records are breached or stolen, personal information is in the public domain and can’t be changed or reclaimed.

While technology enabling remote access is largely available, the security challenges aren’t a high enough priority for healthcare providers against their desire to grab market share. This results in providers who do not appear to be fully aware of the risks facing consumers and consequently their own businesses. Those risks need to be properly and professionally identified and mitigated to effectively implement and access healthcare at the edge.

Software tools specifically designed for healthcare applications will help prevent hacking of mobile apps and APIs to affect the breach of medical records. One commercially available threat management tool, for instance, has a “security is dynamic, not static” approach. It targets mobile app and API deployments that traditional network security solutions can’t handle. It provides a run-time shielding solution to protect mobile apps and the channel between the mobile apps and the APIs they use from any automated attack so that only an untampered, genuine mobile app running in an uncompromised mobile environment can access the API. The end-to-end system must be fully protected because, after all, security is only as strong as the weakest link.

Regulating Security Procedures

One development worth noting comes from the Federal Trade Commission, a U.S. federal government agency. It issued a policy statement recently affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. That ruling requires a notification to consumers when their health data is breached. Fines will result when notifications are not forthcoming in a timely fashion.

Consumers and the healthcare industry can assume regulations will be put in place to make sure entities take appropriate measures to protect consumers’ confidential information when sharing digital information. Such policy solutions are a further step to implementing a secure remote access framework.

Conclusion

Democratization of consumer access to all levels of their healthcare data through digital services has forever changed the traditional hospital-centric medical care system over the last two years. That change brought unforeseen consequences in the form of new security challenges. Threat management tools for healthcare applications exist today and will eradicate the vast majority of threats identified in the security research reports, though enhanced regulations may be needed to ensure entities take appropriate measures to protect patients’ confidential information when sharing digital information.

Note: The vulnerability report, “The New Healthcare Ecosystem will depend on FHIR APIs, But Are They Secure?,” was conducted by Alissa Knight for Approov.

About Lucio Lanza

Lucio Lanza is the Managing Director of Lanza techVentures, an early-stage venture capital and investment firm, and a recipient of the Phil Kaufman Award for Distinguished Contributions to Electronic System Design, a segment of the Semiconductor Industry. Earlier in his career, he held executive positions at Olivetti, Intel, Daisy Systems, EDA Systems and Cadence Design Systems. Dr. Lanza holds a doctorate in electronic engineering from Politecnico in Milan, Italy.

About David Stewart

David Stewart is the CEO and co-founder of Approov, a mobile app/API security vendor. He has held a wide range of technical, business and executive positions in the semiconductor, software and security markets. Mr. Stewart has a first class honors degree from the University of Strathclyde, Scotland.

   

Categories