DTx (Digital Therapeutics) is entering the healthcare mainstream. Movement from traditional prescription medication to specialized mobile apps combining behavioral and lifestyle changes with a drug to treat illnesses such as substance abuse, dementia, diabetes, and the management of some chronic diseases. Patients can now access and share their health records and details of historical prescriptions via DTx apps, which were primarily paper-based only a few years ago. The risk of cyberattacks in digital therapeutics apps increases as more interfaces become available, and the quantity and detail of health data available are on the rise. Sensitive data in the wrong hands could have far-reaching and devastating implications. In this blog, I will cover the top 5 cyberattacks in digital therapeutics apps and how to solve them.
Digital therapeutics (DTx), defined by the EDPS as “evidence-based therapeutic interventions driven by high-quality software programs to prevent, manage, or treat a medical disorder or disease.”
DTx delivers therapies using mobile apps on smartphones and tablets running on iOS and Android systems. They increase patient access to effective treatments offering at-home convenience and privacy, providing meaningful results and insights.
The DTx market is young and rapidly growing. With healthcare undergoing a digital transformation, the possibilities for DTx are endless.
Take BlueStar by Welldoc as an example; they developed a DTx product for 18 years and older who have Type 1 or Type 2 diabetes. It provides tailored guidance driven by artificial intelligence. It collects and analyzes health data to provide precision, real-time feedback, and intelligent coaching driven by more than blood glucose.
DTx is considered one of the most innovative areas within digital health and has experienced accelerated progress over the past two years.
In her recent article, Heather Landi from the FIERCE Healthcare reported:
“In 2021, digital health companies catalyzing R&D in biopharma and MedTech brought in record investment with $5.8 billion in funding, stimulated by the COVID-accelerated adoption of real-world evidence and decentralized trials. Investments in digital products supporting disease treatment grew 2.6x between 2020 and 2021 as coverage pathways for prescription digital therapeutics widened, Rock Health reported.”
The Challenge and the Risk of Going Digital
The transition to digital health is inevitable. More and more patients would prefer and be more comfortable using digital services for complex and sensitive medical conditions. As a result, the immediate threat of cyberattacks in digital therapeutics apps is growing. Given that the health field is critical infrastructure, patient information, including images, scans and medical reports available online will be a goldmine that hackers can exploit for various malicious purposes.
In December 2021, ScienceDirect reported in the Advances journal that numerous attacks have led to an interruption of radiation therapy for thousands of patients in the last ten years.
The healthcare sector has been the main target of online attacks. These threats disrupt daily work and compromise confidential patient data. Ransomware, in particular, is the most common attack in digital therapeutics apps, apart from various types of malware and trojans attacks, which can lock up EHR (Electronic Health Record) records and open only after a ransom payment is received.
In the Journal of the American Medical Informatics Association, 2021, researchers reported:
“Upon inspecting the code and files of mHealth apps using VirusTotal, we found 378 apps (1.8% of apps) being labeled as suspicious by at least 1 antivirus tool. VirusTotal reports malicious activity for 257 (2.0%) Health & Fitness apps and 121 (1.5%) Medical apps.”
“Our analysis discovered 3 samples of the FakeApp trojan family. FakeApp trojans often masquerade as part of a legitimate app—in many cases, an antivirus app or an updater. They then try to gain revenues by displaying intrusive ads or redirecting users to installing third-party apps. Several variants of this trojan have been reported to perform malicious activities, such as harvesting user credentials and personal data”
Digital Therapeutics Cybersecurity Checklist- Top 5 Attacks in Digital Therapeutics Apps
Here are the top 5 cyber-attacks threatening digital therapeutics apps and how to solve them.
-
Tampering with Patient Data in DTx Apps
Actors can hit DTx apps with numerous cyber-attacks leading to significant data breaches and interruptions in medical services.
Attackers can inject false medical conditions and fool the expert doctors, causing severe harm to patients. Hackers use static and dynamic code analysis, instrumentation, and other tools to learn how your app functions, invoke functions and call data from the app or the back end using the app.
Recommendation:
To prevent these attacks, DTx app developers and security professionals should consider implementing memory injection prevention, dynamic hacking tools prevention, camera rolls encryption, men-in-the-middle prevention , app shielding (to prevent tampering), and other measures to ensure the integrity of the DTx app.
-
Trojan Attacks in Digital Therapeutics (DTx) Apps
Once activated on DTx apps, trojans allow attackers to steal sensitive data or gain backdoor system access. Through various techniques, hackers can pirate the DTx app by making minor changes to create the appearance of authenticity, making it look like the real thing. Attackers can use trojans to harvest personal data, perform unwanted browser redirects, advertisements, and even malicious access to credentials. Trojans rely on unencrypted communication to send personal data (e.g., diagnostics, medical information, drug prescriptions, etc.) to unsecured traffic.
Recommendation:
To prevent Trojan attacks in DTx apps, developers and security professionals should implement strong app hardening solutions and code obfuscation to prevent reverse engineering of the app. It is also recommended to prevent the app from running on emulators, and prevent keylogging and app overly. Enforce secure communication protocols such as encrypt data-in-transit with SSL/TLS and strong Man-in-the-Middle defenses to encrypt the data, validate the hostname, ensure the certificate matches the server’s hostname, and ensure a valid root authority trusts the certificate.
-
Data Theft & Data Harvesting Due to Insecure Storage and Insufficient Encryption
Criminals seek to take advantage of mobile apps vulnerabilities. Ransomware operators continue to evolve their techniques and weapons to force payments. It is essential to follow best practices to prevent ransomware attacks in DTx apps and ensure patient safety.
Recommendation:
The best thing you can do to prepare for such an attack is to encrypt all patient diagnostics and medical records stored locally on the mobile device with keys available only to the app. In addition, to avoid malicious attempts to read the app’s content or harvest valuable data about the patient, it is also essential to encrypt strings, in-app preferences, camera rolls, and clipboards of a DTx app.
-
Malware Attacks in Digital Therapeutics (DTx) Apps
Malware programs can invade either Android or iOS phones easily. Hackers often build the malware to take the easiest path to exploit data stored in the application sandbox or SD card, keywords, and other sensitive data – namely, by jailbreaking or rooting the device to gain superuser or elevated privileges. An attacker has much more control over the underlying operating system on a jailbroken or rooted device, which allows him to launch a much more effective attack against the DTx app.
Recommendation:
To prevent this class of attack, DTx app developers and security professionals should prevent the DTx app from running on jailbroken or rooted devices, including blocking advanced rooting and root hiding tools like Magisk.
-
Data leak and exploit in Digital Therapeutics (DTx) Apps
DTx apps are potentially exposing patients’ data such as medications, x-rays, diagnostics, etc., and might be compromising DTx patients. The access login is the most straightforward breach that hackers would after looking for patient health records. To ensure secured and trusted login to DTx apps, developers and security professionals should guard against unauthorized access. Perhaps the easiest way to do this would be to ensure that only the authorized patient can access their records via the DTx app.
Recommendation:
Combine proper authentication and strong mobile malware defenses that prevent app overlay attacks, prevent keylogging, and data loss prevention measures such as preventing copy-paste functions and cameral rolls from the app and encrypting the app clipboard.
I brought this information to you with care and consideration for the health & wellness patients worldwide who use digital therapeutics apps and rely on their authenticity and safety.
I’d be happy to discuss these recommendations with you or design a perfect security solution for your DTx app.
