mobile apps & connected healthcare: managing 3rd-party mobile app risk

21
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Mobile Apps & Connected Health Care: Managing 3rd-Party Mobile App Risk Andrew Hoog | Founder | NowSecure NH-ISAC 2017 Third Party Risk Summit November 2017

Upload: nowsecure

Post on 23-Jan-2018

78 views

Category:

Healthcare


0 download

TRANSCRIPT

Page 1: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

Mobile Apps & Connected Health Care:Managing 3rd-Party Mobile App Risk

Andrew Hoog | Founder | NowSecureNH-ISAC 2017 Third Party Risk Summit

November 2017

Page 2: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

▪Andrew Hoog, NowSecure Founder • NowSecure Founder & Board Member• Literally wrote the books on mobile forensics & security• 2 patents for data recovery/forensics• Expert witness• Brief gov’t agencies & top banks on mobile security topics

WHO AM I?

Proud sponsor/supporter of:

Page 3: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TWO VECTORS OF MOBILE APP RISK

CONNECTED CAREBYOD with BYOApps

Page 4: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

THE STATE OF BYO IN HEALTH CARE

71% of hospitalsallow BYOD

63% of physiciansuse personal

devices for work(even if BYOD is prohibited)

41% of nursesuse personal

devices for work(even if BYOD is prohibited)

Source: Spoke’s Fifth Annual Mobility Strategies in Healthcare Survey: Results Revealed

Page 5: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

AT THE TOP 25 LARGEST US HOSPITALS

Sources:;“Average number of apps installed by users in the United States in 2016, by device” Statista

24,823 Employees (devices) avg

89 Apps per device avg

2,200,000 Points of risk

Page 6: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

NIST/NCCOE SECURING EHRON MOBILE DEVICES & APPS

“Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization’s networks.”

NIST Cybersecurity Practice Guide SP 1800-1b

Page 7: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TYPES OF APPS IN CLINICAL ENVIRONMENTS

▪ Medical device control/monitoring▪ Clinical care - scheduling, EMR management▪ Medical Imaging - for viewing MRI, X-ray, etc.▪ Secure/compliant communications - voice, text, alerting▪ Reference - calculators, prescription/diagnostic information▪ Education - continuing medical education (CME), study materials▪ Consumer health - disease management, trackers, etc.▪ Other 3rd-party apps - games, social networking, etc.

Page 8: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

WHAT IS THE MOBILE APP ATTACK SURFACE?

8

API BACKEND▪Platform vulnerabilities▪Server misconfiguration▪Cross-site scripting▪Cross-site request forgery ▪Cross origin resource sharing▪Brute force attacks▪Side channel attacks

▪SQL injection▪Privilege escalation▪Data dumping▪OS command execution▪Weak input validation▪Hypervisor attack▪VPN

DATA AT REST

▪Data caching▪Data stored in application directory

▪Decryption of keychain▪Data stored in log files▪Data cached in memory/RAM▪Data stored in SD card

▪OS data caching▪Passwords & data accessible▪No/Weak encryption▪TEE/Secure Enclave Processor▪Side channel leak▪SQLite database▪Emulator variance

DATA IN MOTION

▪Wi-Fi (no/weak encryption)▪Rogue access point▪Packet sniffing▪Man-in-the-middle▪Session hijacking▪DNS poisoning▪TLS Downgrade▪Fake TLS certificate▪Improper TLS validation

▪HTTP Proxies▪VPNs▪Weak/No Local authentication▪App transport security▪Transmitted to insecure server▪ Zip files in transit▪Cookie “httpOnly” flag▪Cookie “secure” flag

▪GPS spoofing▪Buffer overflow▪allowBackup Flag▪allowDebug Flag▪Code Obfuscation▪Configuration manipulation▪Escalated privileges

▪URL schemes▪GPS spoofing▪Integrity/tampering/repacking▪Side channel attacks▪App signing key unprotected▪JSON-RPC▪Automatic Reference Counting

CODE FUNCTIONALITY

▪Android rooting/iOS jailbreak▪User-initiated code▪Confused deputy attack▪Multimedia/file format parsers▪Insecure 3rd party libraries▪World Writable Files▪World Writable Executables

▪Dynamic runtime injection▪Unintended permissions▪UI overlay/pin stealing▪Intent hijacking▪Zip directory traversal▪Clipboard data▪World Readable Files

Page 9: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

HOW SECURE ARE MOBILE APPS IN GENERAL?

more likely to leak account credentials

Business apps:

3X 60% oforgs

report an insecuremobile app contributingto a breach

50% ofAndroid apps

dynamically load code missed by static analysis

1% ofAndroid apps

use Google SafetyNet Attestation API properly

35%transmit dataun-encrypted

of apps25%

have at least 1high risk flaw

of apps

Source: NowSecure Software and Research Data 2016-2017, Ponemon Institute 2017 Study on Mobile & IoT App Security

Page 10: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?

10

• Evaluate mobile technology • Establish mobile security and

architecture requirements• Test for vulnerabilities and ensure

security, privacy, compliance

SECURITY & ARCHITECTURE• Centrally coordinate & enable business

mobilization • Support BYOD, COPE & Enterprise

managed devices & apps• Easy, quick vetting of 3rd party mobile

apps to ensure meet policy and governance requirements

MOBILE CENTER OF EXCELLENCE• Establish risk-based guidelines for

mobile app security, compliance and privacy

• Ensure governance and controls in place for all mobile apps

• Track and report on industry compliance and privacy mandates

COMPLIANCE & RISK

Page 11: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

3RD-PARTY MOBILE APP RISK IN HEALTH CARE

Page 12: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

STATE OF MOBILE APP SECURITY IN HEALTH CARE

▪ Good news:Many developers do the right thing

▪ Bad news:Too many risks still persist

▪ Our Industry Assessment:• Leveraged advanced mobile app vetting technology

to identify security, compliance, and privacy gaps in Android and iOS apps using industry standard CVSS scores

• A number of apps had no severe risks• Numerous apps had significant security risks

Page 13: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

iOS: CLINICAL COMMUNICATIONS APPS

Page 14: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

iOS: UK MEDICAL REFERENCE APP

Page 15: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

ANDROID: INSERTABLE CARDIAC MONITOR(ICM) APP

Page 16: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

iOS: ELECTROCARDIOGRAM APP

Page 17: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

ANDROID: PATIENT EMR APP

Page 18: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

PATH TO MITIGATING 3RD-PARTY APP RISK

● Use 3rd-Party mobile app vetting for existing approved apps already deployed to scope current risk profile

● Identify appropriate mobile app remediations, reconfigurations or removals for existing 3rd-Party apps

● Adjust policiesas needed

● Leverage MDM to fully inventory all mobile apps across enterprise mobile devices

● Use 3rd-Party mobile app vetting across all apps from MDM inventory to scope full risk profile

● Identify & take appropriate remediations & actions

● Continuously monitor all approved 3rd-Party apps for risky updates

● Establish policy & process to take new 3rd-Party mobile app requests and vet app requests before deployment

● Integrate 3rd-Party mobile app vetting into EMM automation, black/whitelisting

1 2 3

Page 19: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

NEED TO ADDRESS BOTH VECTORS OFMOBILE APP RISK

CONNECTED CAREBYOD with BYOApps

Page 20: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

THANK YOU - RESOURCES

Blog: HIPAA-compliant mobile apps

bit.ly/2zZpoQz

Blog: Mitigating MITM risks in mHealth apps

bit.ly/2jfiaxo

Page 21: Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

THANK YOU!