Healthcare apps that help you measure your key physiological indicators. Sounds great, right? Free insight into your health, without having to go to the doctor. Unfortunately, this might also mean your personal information is vulnerable to being stolen.

Researchers at Wandera have discovered a number of vulnerabilities in a mobile application called “iCare Health Monitor”. These vulnerabilities put personally identifiable information (PII) and users’ sensitive health metrics at risk. The risk stems from the application’s lack of security for data both in transit and in storage.


iCare Health Studio is a mobile internet company specializing in mobile health service. Its “iCare Health Monitor” application can measure numerous parameters such as blood pressure, respiratory rate, heart rate, oxygen, vision, hearing, lung capacity and color blindness using only your smartphone.

Between 500,000 and 1,000,000 users have already downloaded the application from the Android or iOS app store. Everyone using the application is exposed to malicious attack and to having their sensitive personal and health data leaked to a third party.

How does it happen?

The iCare Health Monitor application uses plain HTTP to transmit personal user information, unencrypted, over the air. As a result, user credentials (including e-mail address, password, sex and age) and personal health metrics such as heart rate are easily accessible to anyone positioned on the network path.

Moreover, apart from the lack of data security in transit, the same information is stored on the user’s device in plaintext. Insecure data storage vulnerabilities occur when development teams assume that a mobile device’s file system can’t be accessed and save sensitive information without any kind of protection. Unfortunately, these file systems are easily accessible: specialized tools are all that is needed to view application data stored this way.
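The transit problem described above is straightforward to detect from a network vantage point: any plain-HTTP request carrying credentials or health fields is, by definition, leaking them. The following script is an added illustration, not Wandera’s tooling or the iCare application’s code. The captured requests, host names and field names are constructed for this example; the field list mirrors the items the advisory says were exposed (e-mail, password, sex, age, heart rate). It handles both form-encoded and JSON bodies, which goes slightly beyond the single case in the text.

```python
"""Flag sensitive fields submitted over cleartext HTTP in captured requests.

Added example, not code from the original post. All request data below is
constructed; the .test hostnames are placeholders.
"""
import json
from urllib.parse import parse_qs

# Field names that must never travel unencrypted (assumed names).
SENSITIVE_FIELDS = {"email", "password", "sex", "age", "heart_rate"}

# Constructed sample capture: (scheme, host, path, body), as a proxy or
# network monitor might log each outbound request from the handset.
CAPTURED_REQUESTS = [
    ("http", "api.example-health.test", "/login",
     "email=alice%40example.test&password=hunter2"),
    ("http", "api.example-health.test", "/metrics",
     '{"email": "alice@example.test", "heart_rate": 72, "age": 34, "sex": "F"}'),
    ("https", "api.example-health.test", "/login",
     "email=bob%40example.test&password=s3cret"),
    ("http", "cdn.example-health.test", "/logo.png", ""),
]


def body_fields(body):
    """Extract top-level field names from a JSON or form-encoded body."""
    if not body:
        return set()
    stripped = body.lstrip()
    if stripped.startswith("{"):
        try:
            data = json.loads(stripped)
            return set(data.keys()) if isinstance(data, dict) else set()
        except json.JSONDecodeError:
            return set()
    return set(parse_qs(body, keep_blank_values=True).keys())


def exposed_fields(scheme, body):
    """Return the sensitive field names this request leaks in cleartext.

    Only plain HTTP counts: over HTTPS the body is encrypted in transit, so
    nothing is reported even when the same fields are present.
    """
    if scheme.lower() != "http":
        return set()
    return {name for name in body_fields(body) if name.lower() in SENSITIVE_FIELDS}


def audit(requests):
    """Produce one finding per cleartext request carrying sensitive data."""
    findings = []
    for scheme, host, path, body in requests:
        leaked = exposed_fields(scheme, body)
        if leaked:
            findings.append({"url": f"{scheme}://{host}{path}",
                             "fields": sorted(leaked)})
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED_REQUESTS):
        print(f"CLEARTEXT {finding['url']} leaks {', '.join(finding['fields'])}")
```

Run against the constructed capture, the script reports the two plain-HTTP requests (login and metrics upload) and stays silent on the HTTPS login and the image fetch, which is exactly the split a mobile security service monitoring for leaks needs to make.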

Lastly, there is a complete lack of a secure session management mechanism, which drastically increases the risk of user data leakage. Because of this, an attacker may be able to view the personal data of any registered user simply by knowing their e-mail address.
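The session management flaw comes down to a lookup keyed on the e-mail address with no check that the caller owns the account. The following is an added example, not the iCare application’s code: it shows that unauthenticated pattern beside a hardened version in which the server issues an unguessable session token at login and only returns a profile to the session that belongs to that account. The user records, passwords and field names are constructed for this example.

```python
"""Profile lookup keyed by e-mail versus by authenticated session.

Added example, not code from the original post. User data is constructed.
"""
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256: slow, salted hashing so the store holds no plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password, **health):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), **health}


# Constructed user store: e-mail -> credential material plus health metrics.
USERS = {
    "alice@example.test": _make_user("hunter2", age=34, heart_rate=72),
    "bob@example.test": _make_user("s3cret", age=51, heart_rate=88),
}


def _public_view(email):
    """Profile fields minus credential material."""
    return {k: v for k, v in USERS[email].items() if k not in ("salt", "pw_hash")}


def get_profile_vulnerable(email):
    """The pattern the advisory describes: knowing an e-mail is enough.

    Nothing ties the request to an authenticated owner, so any registered
    user's data can be read by supplying their address.
    """
    return _public_view(email) if email in USERS else None


class SessionStore:
    """Hardened version: data is returned only to the authenticated owner."""

    def __init__(self):
        self._sessions = {}  # token -> e-mail of the logged-in user

    def login(self, email, password):
        user = USERS.get(email)
        if user is None:
            return None
        # Constant-time comparison of the stored and recomputed hashes.
        if not hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)  # server-issued, unguessable
        self._sessions[token] = email
        return token

    def get_profile(self, token, email):
        """Return the profile only if `token` is a live session for `email`."""
        owner = self._sessions.get(token)
        if owner is None or owner != email:
            return None
        return _public_view(email)

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice@example.test", "hunter2")
    print("own profile:", store.get_profile(token, "alice@example.test"))
    print("other user's profile:", store.get_profile(token, "bob@example.test"))
```

The authorization check lives in `get_profile`: the token identifies the caller, and the requested e-mail must match the session owner, so possessing someone else’s address no longer yields their data. In a real deployment the token would additionally be transmitted only over TLS and expire after a period of inactivity.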



Why you should be worried about leaking healthcare apps

The implications of healthcare apps leaking sensitive user information are far-reaching and detrimental. Personal health information becoming publicly available can lead to stigma, embarrassment and discrimination, or even adjusted insurance premiums. Most societies expect healthcare to be secluded from the public eye, with privacy at the core of most health providers. The World Health Organization has observed that medical privacy is becoming an increasingly pressing global concern.

In the United States, in particular, there is a massive risk of potential economic harm resulting from personal health information breaches. There has been a drastic increase in employee concerns about employer discrimination based on health information. A Forrester research study showed that these concerns increased 16 percent between 1999 and 2005, with 52 percent of respondents in the survey expressing concern that their information might be seen by an employer and used to limit job opportunities. Reports alleging that major employers base some of their hiring decisions on the health of applicants suggest that these concerns may be justified.

The risks don’t end there. Potential data leaks of this kind, and the complete lack of secure storage and transmission of data, call into question the readiness of the medical industry as a whole for the array of new threats it faces. Pacemakers, insulin pumps, defibrillators: all are life-saving technological advances, yet none receive regular over-the-air software updates the way smartphones and computers do. They tend to be left completely alone once deployed to the market, making them terrifyingly susceptible to attack.

Furthermore, short of actually tampering with the medical devices themselves, hospital networks are well known to be poorly secured. With more and more devices coming online within their walls, identity theft concerns are also on the rise. The US Department of Health and Human Services has reported that there have been over 1,700 major data breaches since 2009, each affecting 500 individuals or more. This leads us to believe the actual number of attacks that have gone unnoticed or unreported is much higher.



What can you do about it?

Back in December 2016, the US Food and Drug Administration issued a set of “nonbinding recommendations” for securing medical devices titled “Postmarket Management of Cybersecurity in Medical Devices”. It details the importance of continued security throughout the life of medical devices. While this report might not inspire confidence, there are security measures that both individuals and enterprises can take to protect themselves.

iCare users (and users of other healthcare apps) should have an active mobile security service deployed to monitor for and block data leaks. They are also advised to enable “Device Encryption” on the Android platform so as to protect data at rest.

Our recommendation is for businesses to have an active mobile security service deployed. MDMs are able to restrict access to certain healthcare apps but cannot limit access via the browser, which is essentially a workaround. These technologies should have filtering and blocking functionality that operates at the data level to block traffic to leaky apps.
