
6 tips for vetting mobile apps

From the mHealthNews archive
By Tom Sullivan

As mobile apps are burgeoning in both number and complexity, tracking which ones are secure and identifying those that are not is becoming a priority for healthcare organizations.

So the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released a draft guide to help CIOs and enterprises, including healthcare groups, test mobile apps against the organization’s requirements, its understanding of its own IT infrastructure, its choices of mobile devices and configurations, and its acceptable level of risk.

The guide, “Technical Considerations for Vetting 3rd Party Mobile Applications,” outlines six key recommendations. As something of a public service to readers, then, here are NIST’s tips: 

1. Recognize security and privacy risks presented by mobile apps and create a strategy for mitigating them. Every new technology potentially presents unforeseen risks, and healthcare entities need plans to mitigate the known and unknown alike. Security administrators should consult with the organization’s privacy officer or legal counsel to ensure the collection and sharing of data via mobile devices conforms to all statutes.

2. Establish mobile app security and privacy training for your employees. Make certain that employees understand mobile device use policies and how mHealth apps may compromise the organization’s security and users’ privacy. Provide training programs that show how mobile devices can surreptitiously collect user data and how that information can be shared with third parties through the apps.

3. Create a mobile app vetting process to provide long-term assurance of the software throughout its lifecycle. Sounds obvious, but it’s critical to have processes in place, because every upgrade can potentially introduce fresh - perhaps even unintentional - weaknesses into an existing mobile app.

4. Establish a process for quickly gauging security-related app updates. Mobile app update notifications can be sent directly to the user’s device and downloaded from an app store or marketplace, thereby bypassing traditional IT testing, staging, approval and deployment methodologies. This model may push updates quickly, but it also introduces the risk of running unvetted code on a device with unknown security implications.

5. Inform stakeholders of the vetting process’s inherent limits, including what it does and does not actually do. As with any software assurance process, there is no guarantee that even the most thorough processes will uncover all vulnerabilities. Administrators and users should be made aware that although app security assessments generally improve the posture of an organization, the degree to which they do so may not be easily or immediately ascertained.

6. Mobile app testing results should be reviewed by a software analyst within the larger context of an organization’s mission objectives, security posture and risk tolerance. Automated testing is necessary for the process to scale and keep up with the demands of the user base, but there is no substitute for a real human manually reviewing test results, too.
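Tips 3 and 4 both come down to one operational question: which apps on managed devices are still running the exact build that was vetted, and which have silently moved on? The following script is an added illustration of that check and is not part of the NIST draft or this article. It assumes a hypothetical vetted baseline keyed by package id and version, holding the SHA-256 of the approved package, and a constructed inventory export in the shape a mobile device management (MDM) console might produce; the package names, hashes and device ids are all made up for the example.

```python
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed package contents stand in for real app binaries so the
# example runs offline; in practice the hashes come from the vetting step.
def fingerprint(package_bytes: bytes) -> str:
    """SHA-256 hex digest of a package, the identity the baseline records."""
    return hashlib.sha256(package_bytes).hexdigest()

# Hypothetical vetted baseline: (package id, version) -> approved SHA-256.
VETTED_BASELINE = {
    ("com.example.ehrviewer", "3.2.0"): fingerprint(b"ehrviewer-3.2.0-approved"),
    ("com.example.ehrviewer", "3.2.1"): fingerprint(b"ehrviewer-3.2.1-approved"),
    ("com.example.telehealth", "1.8.5"): fingerprint(b"telehealth-1.8.5-approved"),
}

# Constructed MDM inventory export. Each row is what the device reports now.
INVENTORY_CSV = (
    "device_id,package,version,sha256\n"
    f"dev-001,com.example.ehrviewer,3.2.1,{fingerprint(b'ehrviewer-3.2.1-approved')}\n"
    # Store auto-update moved this device past every vetted version (tip 4).
    f"dev-002,com.example.ehrviewer,3.3.0,{fingerprint(b'ehrviewer-3.3.0-unvetted')}\n"
    # Same version string as the baseline, but the bytes differ.
    f"dev-003,com.example.telehealth,1.8.5,{fingerprint(b'telehealth-1.8.5-modified')}\n"
    # App that never went through vetting at all.
    f"dev-004,com.example.flashlight,2.0,{fingerprint(b'flashlight-2.0')}\n"
)

@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    version: str
    status: str  # vetted | unvetted_update | hash_mismatch | never_vetted

def classify_row(package: str, version: str, sha256: str, baseline: dict) -> str:
    """Decide how one installed app relates to the vetted baseline."""
    approved = baseline.get((package, version))
    if approved is not None:
        # Known version: the bytes must match what was actually vetted.
        return "vetted" if approved == sha256 else "hash_mismatch"
    # Unknown version: was any version of this package ever vetted?
    if any(pkg == package for pkg, _ in baseline):
        return "unvetted_update"
    return "never_vetted"

def classify_inventory(csv_text: str, baseline: dict) -> list:
    """Parse an inventory export and return one Finding per row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify_row(row["package"], row["version"],
                              row["sha256"].strip().lower(), baseline)
        findings.append(Finding(row["device_id"], row["package"],
                                row["version"], status))
    return findings

def needs_review(findings: list) -> list:
    """Everything that is not an exact match goes back to the vetting queue."""
    return [f for f in findings if f.status != "vetted"]

if __name__ == "__main__":
    for f in needs_review(classify_inventory(INVENTORY_CSV, VETTED_BASELINE)):
        print(f"{f.device}: {f.package} {f.version} -> {f.status}")
```

The three non-vetted outcomes map onto the recommendations above: an `unvetted_update` is the store-driven update that bypassed staging and approval, a `hash_mismatch` is a build that claims a vetted version string but is not the vetted bytes, and `never_vetted` is an app the process has not yet seen. Comparing on the package hash rather than the version string alone is what makes the second case visible.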

Dangerous launch pads
Particular to hospitals, payers and providers, securing mobile devices is becoming paramount - and not just because of HIPAA. Cybercriminals and hackers around the globe are already using mobile apps and devices in a capacity that Armando Orozco, senior malware intelligence analyst for Malwarebytes, described to mHealth News as being “a launch pad” into networks and the increasingly valuable data residing within EHRs.

In other words, allow one mobile app or device to be compromised and the EHR, servers and other apps on the back end will be vulnerable as well.

Which is why it’s worth noting that the NIST report does not address the security and reliability of the underlying mobile platforms and operating systems.

“While these are important characteristics for organizations to understand and consider in selecting mobile devices,” the NIST explained, “this document is focused on how to vet mobile apps after the choice of platform has been made.”

The NIST is seeking public comments until Sept. 18.
