Cyber-attacks represent a real threat to unprotected healthcare mobile apps. The overall operational integrity of these apps is at risk, but there’s also a significant risk of malicious attacks on the medical devices themselves, personal health information, and intellectual property.
We spoke to Rusty Carter, VP of product management at Arxan to find out more about the risks and how they can be addressed.
BN: Are attacks against medical devices increasing?
RC: Most of those devices are connecting through mobiles, so your phone and now more often your watch, as technologies have advanced. Mobile attacks are really the way to get into those those devices. And attackers have been targeting the infrastructure for years. But within the medical device, space, what we’re also seeing is attacks against the APIs.
Medical device providers have lots of services built around intelligence both from a clinical trial and research point of view as well as in analyzing data and providing the right information, the integrity or the legitimacy of the data is really critical, and so there’s a lot more sensitivity around.
BN: Is this just about stealing data for monetary gain?
RC: Because of the research aspects and the data science, the ability to enact harm through sending falsified data is a major concern. So, if I were to to quantify lots of data impersonating various users and saying that their blood glucose was at a certain level, it would both skew the research efforts and could potentially result in incorrect analysis by the providers.
As far as the retrieval from the API and from the back end services, the legitimacy of the application is critical. In attacks against data service hackers, especially when getting into back infrastructure in these large breaches that we’re seeing, are spending a considerable amount of time probing he edge of the network, looking for vulnerabilities, testing out their APIs to see are they authenticated, can I impersonate someone? There’s a lot of reconnaissance that goes into these attacks that result in data breaches and exposure of consumer or patient information.
BN: How can companies improve their defenses?
RC: One way to stop attacks is to not allow the APIs to provide data unless you can validate the authenticity of the application that’s requested it. This is a very new way of looking at protecting data and document infrastructure and that’s kind of how we’re looking at it. Because if the infrastructure only is responding to applications that have integrity that are legitimate, that are being operated by a real user and not a bot or an attack tool, you can eliminate the majority of attacker reconnaissance as well as preventing them compromising systems.
BN: Is this part if a wider Internet of Things problem?
RC: I believe it is, and it’s even maybe a bit broader, the technology industry as a whole is growing in a number of different ways and different segments are expanding and they seem to be multiplying the problem.
The race towards towards CI/CD and fast deployments that’s exacerbating or accelerating the move towards micro services. Services that rely on token authentication, in some cases, or extending monolithic tokens down to a device, that could be used against all of these other micro services. The explosion and volume of APIs combined with this rapid delivery is also adding to that success, that’s resulting in the of growth of attacks.
Because the attackers can monetize the data you know we’re well into the maturity of that enterprise. The technology is actually making the problem worse in some cases without security to reduce that risk.
BN: Is that partly because the apps to access these devices are available, for example through the Play store, and can be easily reverse engineered?
RC: Yes access is certainly a large component of it. The first step in reconnaissance is to identify the target. You can download the application and you can reverse engineer it or edit minimally and see the APIs the application is taken to, then you can go in and start inspecting those APIs as well as the application looking for resident keys or interesting data that you would want to get and progress the attack. It starts, in many cases, just because the ecosystem allows distribution of software. Which is definitely not saying that that’s a negative thing it’s certainly a positive thing, but it does increase the attack surface that’s being exploited.
This can also happen from a hardware standpoint, a jailbroken device or even emulators without protection of the applications because they were built for function without security. Their primary purpose is to send and receive data to some cloud service. That data is ultimately valuable to an attacker, and so it’s just a matter of where do you compromise the system?
The application is really everything between the users fingertips, and back end database. So, the application is inclusive of the server, is inclusive of the API, is inclusive of that data transmitted across the network, all the way down to the device and into the users’ application. If you think about that as the continuum the attacker’s job is just to find where is the soft spot to probe and then to compromise or attack.
BN: How can businesses and developers start to address these risks?
RC: There are several approaches and all of them I think are complimentary, and ultimately you won’t have security without some or all of these categories from the source code of the applications, both in the server and at the end point, source code analysis and vulnerability static analysis testing.
Coding practices is definitely a place where many people start, or conversely the other end of the spectrum which is within the application server. A lot of it comes down to detection of the attack as early as possible. Static and dynamic analysis, those things all help reduce the risk.
But ultimately you don’t know whether or not an application is being attacked because it’s not instrumented. So the instrumentation and flowing that visibility back into an operations or intelligence system in order to identify attacks or compromises early helps mitigate loss.
And then there’s the authenticity of the entire system, connecting all of those dots together, which is the next phase of where security will go. We’ve had the source code analysis for a long time and the network detection pieces. Application protection is growing in popular awareness and so as that starts to become a thing, attackers are looking for the boundaries between those protections. And that’s where connecting the infrastructure to the application is the next horizon of security for data for medical devices.
The other thing is that the hardware is static but the software is frequently updated and changes in its behavior can be compromised.