It’s estimated that by 2024, 440 million wearables will be shipped to consumers. These wearables include intelligent devices with sensors that enable the collection, analysis, and transmission of personal health data in real-time. With a shortage of physicians projected, rising healthcare costs, and increasing patients with chronic diseases, utilizing wearables to monitor and treat patients more efficiently and effectively has never been more urgent. And the wearable app is the most at risk, not the wearable device itself. This blog will cover the top 4 ways to secure wearables with health and wellness mobile apps.
With the increase in use of wearables comes increased risk of health data breaches. Healthcare data breaches have steadily grown as seen below, often because hackers gain access to the data through malware attacks on the mobile.
Number of data leaks from medical organizations, 2009–2020. Source: HIPAA Journal
A vulnerability scan of a mobile healthcare app connected to a wearable device revealed an alarmingly high number of security risks. Out of OWASP’s top 10 risks, there were seven major security risks, and 23 majors were found in communication, leaving sensitive patient data vulnerable to attacks.
Health & Wellness Cybersecurity Checklist – Top 4 Ways to Secure Wearable Health Apps
Here are the top 4 ways to secure the data in wearables apps.
-
Comply with patient privacy laws and encrypt data-at-rest and data-in-transit.
Wearable apps contain a lot of information about users, including full names, body measurements, health statistics, locations, etc. This data could easily be exploited by attackers and be used for malicious purposes. It’s recommended wearable app developers use encryption to protect sensitive API data such as keys, secrets, URLs, tokens, payloads, etc. Encryption ensures that the data is secure even in case of a malicious attacker intercepts the data.
-
Make wearable health apps resistant to malware.
Many of us have downloaded fitness trackers and other seemingly helpful apps. But these apps turn into malicious apps as hackers use them to gradually ask for more and more permissions over time. Since hackers can gain access to data in the wearable app through malware, it’s important to ensure the integrity and authenticity of the operating system through malware protection. Malicious attackers often target and exploit known security risks discovered on OSs, libraries, and developers’ frameworks. The primary way for hackers to build malware to harvest sensitive data stored in the app is by jailbreaking or rooting the device. An attacker has much more control over the underlying operating system on a jailbroken or rooted device, which allows him to launch a much more effective attack against the wearable apps. It’s recommended wearable developers prevent the wearable app from running on jailbroken or rooted devices, including blocking advanced rooting and root hiding tools like Magisk.
-
Make sure the wearable app has basic Data Loss Prevention in place.
When interviewed at the Baylor College of Medicine, Dr. Bijan Najafi, professor of surgery and director of clinical research, said: “The last five years have seen an increase in digital wellness wearables that can collect data in real-time and reveal the physical and chemical properties of the body to evaluate wellness.” But that ability to collect more data also means more sensitive data is at risk of being leaked. Users might copy sensitive data out of an app and paste it into another app such as email or a browser via the device clipboard. In other cases, users might take a screen shot of what is displaying on an app for later reference. Unfortunately, this can put sensitive data at risk especially if photos are automatically backed up. As a result, it’s recommended wearable app developers have copy/paste prevention in place, prevent screen recordings, and prevent Application Screen Sharing (to stop data loss via screen capture software).
-
Secure communication between the wearable app and device.
Because wearables depend on communication with the mobile app and service, that communication is a prime target for hackers. It is crucial to ensure that only certified, and authenticated entities can access the data. All communication to wearable apps should use secure channels where the authority is trusted. Otherwise, a malicious attacker can intercept, read, and even tamper with data sent over insecure channels, leading to life-threatening events. As a result it’s recommended to enforce secure communication protocols such as encrypt data-in-transit with SSL/TLS and strong Man-in-the-Middle defenses to encrypt the data, validate the hostname, ensure the certificate matches the server’s hostname, and ensure a valid root authority trusts the certificate. It’s also recommended to use certificate pinning to ensure communication is with the server expected.
I am a big user of smartwatches. I use it for fitness and body measurements during activity and sleep. I would love to know that my personal data transferred and stored in the app is safe and secured.
I’d be happy to discuss these recommendations with you or design a perfect security solution for your wearable app.
