mobile apps & connected healthcare: managing 3rd-party mobile app risk
-
Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Mobile Apps & Connected Health Care: Managing 3rd-Party Mobile App Risk
Andrew Hoog | Founder | NowSecure
NH-ISAC 2017 Third Party Risk Summit
November 2017
-
WHO AM I?
Andrew Hoog, NowSecure Founder
NowSecure Founder & Board Member
Literally wrote the books on mobile forensics & security
2 patents for data recovery/forensics
Expert witness
Brief govt agencies & top banks on mobile security topics
Proud sponsor/supporter of:
-
TWO VECTORS OF MOBILE APP RISK
CONNECTED CARE
BYOD with BYOApps
-
THE STATE OF BYO IN HEALTH CARE
71% of hospitals allow BYOD
63% of physicians use personal devices for work (even if BYOD is prohibited)
41% of nurses use personal devices for work (even if BYOD is prohibited)
Source: Spok's Fifth Annual Mobility Strategies in Healthcare Survey: Results Revealed
-
AT THE TOP 25 LARGEST US HOSPITALS
24,823 employees (devices) avg
89 apps per device avg
2,200,000 points of risk
Sources: Average number of apps installed by users in the United States in 2016, by device (Statista)
-
NIST/NCCOE: SECURING EHR ON MOBILE DEVICES & APPS
"Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization's networks."
NIST Cybersecurity Practice Guide SP 1800-1b
-
TYPES OF APPS IN CLINICAL ENVIRONMENTS
Medical device control/monitoring
Clinical care - scheduling, EMR management
Medical imaging - for viewing MRI, X-ray, etc.
Secure/compliant communications - voice, text, alerting
Reference - calculators, prescription/diagnostic information
Education - continuing medical education (CME), study materials
Consumer health - disease management, trackers, etc.
Other 3rd-party apps - games, social networking, etc.
-
WHAT IS THE MOBILE APP ATTACK SURFACE?
API BACKEND
Platform vulnerabilities
Server misconfiguration
Cross-site scripting
Cross-site request forgery
Cross origin resource sharing
Brute force attacks
Side channel attacks
SQL injection
Privilege escalation
Data dumping
OS command execution
Weak input validation
Hypervisor attack
VPN
DATA AT REST
Data caching
Data stored in application directory
Decryption of keychain
Data stored in log files
Data cached in memory/RAM
Data stored in SD card
OS data caching
Passwords & data accessible
No/weak encryption
TEE/Secure Enclave Processor
Side channel leak
SQLite database
Emulator variance
DATA IN MOTION
Wi-Fi (no/weak encryption)
Rogue access point
Packet sniffing
Man-in-the-middle
Session hijacking
DNS poisoning
TLS downgrade
Fake TLS certificate
Improper TLS validation
HTTP proxies
VPNs
Weak/no local authentication
App Transport Security
Transmitted to insecure server
Zip files in transit
Cookie httpOnly flag
Cookie secure flag
CODE FUNCTIONALITY
GPS spoofing
Buffer overflow
allowBackup flag
allowDebug flag
Code obfuscation
Configuration manipulation
Escalated privileges
URL schemes
Integrity/tampering/repacking
Side channel attacks
App signing key unprotected
JSON-RPC
Automatic Reference Counting
Android rooting/iOS jailbreak
User-initiated code
Confused deputy attack
Multimedia/file format parsers
Insecure 3rd party libraries
World writable files
World writable executables
Dynamic runtime injection
Unintended permissions
UI overlay/PIN stealing
Intent hijacking
Zip directory traversal
Clipboard data
World readable files
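Added example (not NowSecure's tooling and not part of the original deck): a small Python vetting check over a decoded AndroidManifest.xml that flags several of the manifest-level items from the attack surface above: the allowBackup flag, the allowDebug (android:debuggable) flag, unintended permissions, intent hijacking via exported components, and cleartext transport (usesCleartextTraffic) as one way data ends up transmitted un-encrypted. It assumes the binary manifest has already been decoded to plain XML (for example with apktool); the sample manifest and the sensitive-permission list are constructed for illustration, not taken from any real app.

```python
"""Manifest-level vetting check for third-party Android apps.

Added example, not NowSecure's product code. Assumption: the APK's binary
AndroidManifest.xml has already been decoded to plain XML (e.g. with apktool).
The sample manifest and SENSITIVE_PERMISSIONS below are constructed for the
example and are deliberately sloppy so every check fires at least once.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Qualified ElementTree name for an android: attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample: a clinical-style app with several risky manifest settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.clinic">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:allowBackup="true"
               android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".PatientChartActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.clinic.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

# Permissions a clinical app rarely needs; any hit is raised as an
# "unintended permission" for a human reviewer to question (illustrative list).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def is_exported(component: ET.Element) -> bool:
    """Mirror the platform rule: an explicit android:exported wins; otherwise a
    component that declares an <intent-filter> is exported (pre-API-31 default)."""
    explicit = component.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def vet_manifest(xml_text: str) -> list[str]:
    """Return one finding string per flagged attack-surface item."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element"]

    # allowBackup defaults to true, so absence of the attribute is a finding too.
    if app.get(a("allowBackup"), "true").lower() == "true":
        findings.append("allowBackup flag: app data can be extracted via adb backup")
    if app.get(a("debuggable"), "false").lower() == "true":
        findings.append("allowDebug flag: debugger attach / runtime injection possible")
    # Only an explicit opt-in is flagged here; the platform default is true below
    # targetSdkVersion 28, so absence of the attribute is not proof of safety.
    if app.get(a("usesCleartextTraffic"), "").lower() == "true":
        findings.append("cleartext traffic allowed: data may be transmitted un-encrypted")

    for perm in root.findall("uses-permission"):
        name = perm.get(a("name"), "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(f"unintended permission: {name}")

    # Exported components are reachable by any other app on the device.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if is_exported(comp):
                findings.append(
                    f"exported {tag} {comp.get(a('name'))}: intent hijacking / "
                    "confused deputy surface")
    return findings


if __name__ == "__main__":
    for finding in vet_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Run against the constructed manifest it reports six findings, including the SyncReceiver that is exported only implicitly through its intent-filter; InternalService, which sets exported="false", is not reported. A real vetting pipeline would run this over every APK pulled from the MDM inventory and feed the findings into the risk score, but the manifest is only the static, cheap part: items such as improper TLS validation or dynamically loaded code need dynamic analysis on a device.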
-
HOW SECURE ARE MOBILE APPS IN GENERAL?
Business apps: 3X more likely to leak account credentials
60% of orgs report an insecure mobile app contributing to a breach
50% of Android apps dynamically load code missed by static analysis
1% of Android apps use Google SafetyNet Attestation API properly
35% of apps transmit data un-encrypted
25% of apps have at least 1 high risk flaw
Source: NowSecure Software and Research Data 2016-2017, Ponemon Institute 2017 Study on Mobile & IoT App Security
-
WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?
SECURITY & ARCHITECTURE
Evaluate mobile technology
Establish mobile security and architecture requirements
Test for vulnerabilities and ensure security, privacy, compliance
MOBILE CENTER OF EXCELLENCE
Centrally coordinate & enable business mobilization
Support BYOD, COPE & enterprise managed devices & apps
Easy, quick vetting of 3rd party mobile apps to ensure they meet policy and governance requirements
COMPLIANCE & RISK
Establish risk-based guidelines for mobile app security, compliance and privacy
Ensure governance and controls are in place for all mobile apps
Track and report on industry compliance and privacy mandates
-
3RD-PARTY MOBILE APP RISK IN HEALTH CARE
-
STATE OF MOBILE APP SECURITY IN HEALTH CARE
Good news: Many developers do the right thing
Bad news: Too many risks still persist
Our industry assessment: Leveraged advanced mobile app vetting technology to identify security, compliance, and privacy gaps in Android and iOS apps, rated with industry standard CVSS scores
A number of apps had no severe risks
Numerous apps had significant security risks
-
iOS: CLINICAL COMMUNICATIONS APPS
-
iOS: UK MEDICAL REFERENCE APP
-
ANDROID: INSERTABLE CARDIAC MONITOR (ICM) APP
-
iOS: ELECTROCARDIOGRAM APP
-
ANDROID: PATIENT EMR APP
-
PATH TO MITIGATING 3RD-PARTY APP RISK
1. Scope the current risk profile
Use 3rd-party mobile app vetting for existing approved apps already deployed to scope the current risk profile
Identify appropriate mobile app remediations, reconfigurations or removals for existing 3rd-party apps
Adjust policies as needed
2. Scope the full risk profile
Leverage MDM to fully inventory all mobile apps across enterprise mobile devices
Use 3rd-party mobile app vetting across all apps from the MDM inventory to scope the full risk profile
Identify & take appropriate remediations & actions
3. Make vetting continuous
Continuously monitor all approved 3rd-party apps for risky updates
Establish policy & process to take new 3rd-party mobile app requests and vet them before deployment
Integrate 3rd-party mobile app vetting into EMM automation and black/whitelisting
-
NEED TO ADDRESS BOTH VECTORS OF MOBILE APP RISK
CONNECTED CARE
BYOD with BYOApps
-
THANK YOU - RESOURCES
Blog: HIPAA-compliant mobile apps
bit.ly/2zZpoQz
Blog: Mitigating MITM risks in mHealth apps
bit.ly/2jfiaxo
-
THANK YOU!