The healthcare industry has put an enormous effort into creating new medical devices, health systems and apps to improve treatment and patient care. With the pervasiveness of mobile phones, digital health applications have been growing in popularity in recent years, offering convenient ways for individuals to track their health and wellness.
While they provide many benefits, they also introduce various emerging cybersecurity risks that users must be aware of.
According to IBM’s Data Breach Report 2023, the cost of data breaches in the heavily regulated healthcare sector has surged by 53.3% since 2020. For the 13th consecutive year, the healthcare industry has experienced the highest data breach costs, averaging USD 10.93 million.
In this article, we explore the cybersecurity risks associated with digital health apps and how to mitigate them.
Understanding digital healthcare applications
Digital healthcare applications are software programs, usually in the form of mobile or web applications, that help individuals monitor and manage their health and wellness. Some examples include fitness trackers, medication reminders, and telemedicine apps.
Such apps are designed to monitor and improve an individual’s health and wellness. They involve collecting and analyzing personal health information and providing feedback to the user. Most digital health applications use wearable devices or other smart devices to capture data such as heart rate, blood pressure, or steps taken.
Types of digital healthcare tools
Under the umbrella term of digital health apps, we can include wellness apps, fitness apps, period trackers, mental health apps, and medical apps or medical devices.
Let’s quickly distinguish between health apps and medical apps, as they are usually subject to different cybersecurity requirements.
Digital health apps are designed to support the health and wellness of individuals or communities by processing health-related data. These applications are versatile, catering to health-conscious users aiming to maintain, improve, or manage their health through activities such as fitness tracking, nutritional guidance, and mental health support.
On the other hand, medical apps fall under the broader category of health apps but are specifically tailored for clinical and medical use. They can come in the form of wearable medical devices or mobile or web applications. Unlike their digital health counterparts, medical apps are often utilized by healthcare providers, patients, and family caregivers in a clinical setting or for medical purposes. They are equipped with the same technological capabilities but are distinguished by their application in diagnosing, treating, or monitoring patient conditions.
A medical app or device is usually subject to more stringent regulations, including for cybersecurity. In the US, medical devices are regulated by the Food and Drug Administration (FDA), and in the EU they fall under the scope of the Medical Device Regulation (MDR).
The biggest market share, however, is held by fitness and wellbeing apps, valued at US$93.56bn in 2024.
Data privacy concerns in digital health applications
The most sensitive part of each health app, but also the part that is the most valuable to a potential hacker, is, of course, patient data. One of the primary concerns with health apps is the potential for data privacy breaches. Many digital healthcare organizations collect, store, and transmit significant amounts of user data, which raises concerns about privacy and security. Patients’ sensitive personal health information must be protected to prevent unauthorized access or exploitation.
What kind of data do health apps collect?
Most health apps collect data such as name, date of birth, phone number, email address, and location. Users typically provide this information voluntarily during registration or while using the devices. A basic fitness tracker collects and stores information about a user’s daily physical activity, including steps taken, distance traveled, GPS location, and calories burned. Some fitness trackers also monitor a user’s heart rate and sleep habits, offering important insights into their overall health and well-being. Other applications, often mHealth apps, gather patient health details, including medical history, medications, allergies, and test results.
The European Union Agency for Cybersecurity (ENISA) forecasts in its Foresight Cybersecurity Threats for 2030 report that targeted attacks on individuals, enhanced by data collected by smart devices, including health data from wearables and medical equipment, will be one of the top future threats for the healthcare industry.
As ransomware groups advance their tactics, patients whose sensitive health data have been stolen may face extortion after a data breach (triple extortion), such as in the notorious cases of Vastaamo in Finland, Medibank in Australia and others. The experience of extortion or having sensitive medical information leaked can affect patient safety.
Digital health cybersecurity risks
With this rise in the popularity of healthcare apps comes an increased risk of cyber attacks that exploit application design and implementation weaknesses. We will now explore some of the vulnerabilities that health apps face and discuss ways companies can design their applications to be more secure and resilient to attacks, preserving confidential data and patient privacy.
To set the scene, it is important to understand that many healthcare institutions use digital hospital systems that rely on industry-standard healthcare technology protocols such as HL7, DICOM and FHIR.
HL7 (Health Level Seven) and FHIR (Fast Healthcare Interoperability Resources) are key standards for exchanging healthcare data. They ensure that different health information systems can communicate effectively and share information seamlessly. However, both protocols have notable security vulnerabilities.
HL7, particularly in its older versions, often lacks robust security features, making it susceptible to various attacks. For example, HL7 messages are typically transmitted in plain text and can be intercepted and read if the transport is not encrypted. FHIR, although more modern, also faces challenges: its RESTful APIs can expose systems to common web-based attacks such as SQL injection, cross-site scripting (XSS), and man-in-the-middle (MITM) attacks.
Both protocols can also be vulnerable to issues such as improper authentication and authorization, leading to unauthorized access to sensitive health data. These vulnerabilities necessitate stringent security measures, such as encryption, secure authentication, and frequent security audits, to protect patient information and maintain the integrity and confidentiality of healthcare data exchanges.
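To make the plain-text point above concrete, here is an added example (it is not code from the article or from any HL7 tooling) that parses a constructed HL7 v2 ADT message, lists the identifying fields a plaintext capture would expose, and classifies the first bytes of a captured TCP payload as MLLP-framed plaintext HL7 or TLS. The sample message, facility names and identifiers are constructed; the MLLP framing bytes and TLS record header values are the real ones from the respective specifications.

```python
# Added example: inspect a constructed HL7 v2 message and classify captured
# interface traffic as plaintext MLLP/HL7 vs. TLS (monitoring / audit use).
MLLP_START = b"\x0b"        # vertical tab: MLLP start-of-block
MLLP_END = b"\x1c\x0d"      # file separator + carriage return: MLLP end-of-block

# Constructed sample ADT^A01 message; names, MRN and address are made up.
SAMPLE_ADT = (
    b"MSH|^~\\&|CLINIC_APP|CLINIC|EMR_APP|HOSPITAL|20240101120000||ADT^A01|MSG00001|P|2.5\r"
    b"PID|1||123456^^^HOSPITAL^MR||DOE^JANE||19800101|F|||1 MAIN ST^^SPRINGFIELD^^12345\r"
)


def parse_hl7(raw: bytes) -> dict:
    """Split an HL7 v2 message into {segment name: [fields]} keeping HL7 numbering.

    fields[n] corresponds to SEG-n; for MSH the field separator itself is MSH-1,
    so it is inserted to keep the numbering aligned with the standard.
    """
    body = raw
    if body.startswith(MLLP_START):
        body = body[len(MLLP_START):]
    if body.endswith(MLLP_END):
        body = body[:-len(MLLP_END)]
    segments = {}
    for seg in body.decode("ascii").split("\r"):
        if not seg:
            continue
        fields = seg.split("|")
        if fields[0] == "MSH":
            fields.insert(1, "|")
        segments[fields[0]] = fields
    return segments


def phi_fields(raw: bytes) -> dict:
    """Return the identifying PID fields readable from an unencrypted capture."""
    pid = parse_hl7(raw)["PID"]
    family, given = pid[5].split("^")[:2]          # PID-5: patient name
    return {
        "mrn": pid[3].split("^")[0],               # PID-3: patient identifier list
        "name": f"{given} {family}",
        "dob": pid[7],                             # PID-7: date of birth
        "address": pid[11].split("^")[0],          # PID-11: patient address
    }


def classify_stream(first_bytes: bytes) -> str:
    """Classify the opening bytes of a TCP payload seen on an interface port."""
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    # MLLP start byte immediately followed by an HL7 message header
    if first_bytes.startswith(MLLP_START) and first_bytes[1:4] == b"MSH":
        return "plaintext-hl7"
    return "unknown"


if __name__ == "__main__":
    framed = MLLP_START + SAMPLE_ADT + MLLP_END
    print(classify_stream(framed), phi_fields(framed))
```

Running `classify_stream` over the first packet of each connection to an HL7 interface port is a cheap way to verify that every feed actually moved to TLS after a migration; `phi_fields` shows why that matters, since name, MRN, date of birth and address are all directly readable in a plaintext capture.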
Common vulnerabilities found in digital health applications
During penetration tests on health applications, several common vulnerabilities are often identified. These vulnerabilities can expose health applications to numerous cyber threats, compromising the confidentiality, integrity, and availability of sensitive patient and medical data. Many Electronic Medical Record systems (EMRs), the core systems that hold patient records, are nowadays SaaS or web-based applications, with legacy ones still running as desktop apps, which makes them prone to well-known security issues.
Some of the most frequently discovered vulnerabilities in the healthcare domain are:
- Outdated or unpatched software: Health applications often suffer from unpatched software vulnerabilities due to delayed updates, which cybercriminals can exploit to gain unauthorized access or deploy ransomware.
- Weak or stolen user credentials: Poor password practices, such as reusing or weak passwords, allow attackers to perform brute force attacks and gain access to sensitive health data. An example from 2024 was the hack of Change Healthcare, which happened through Citrix access via a stolen credential sold on the dark web.
- Improper authentication: Weaknesses in authentication mechanisms can allow unauthorized access to health applications. This includes insufficient password policies, lack of multi-factor authentication, and vulnerabilities in session management.
- Insecure data storage and transmission: Health applications often deal with sensitive data, making encryption crucial for both data at rest and in transit. Common findings include unencrypted databases, lack of SSL/TLS encryption for data transmission, or misconfigured encryption protocols.
- Injection flaws: SQL injection, command injection, and other injection flaws remain prevalent. These vulnerabilities allow attackers to inject malicious code into the application, potentially leading to unauthorized data access or manipulation. As this paper shows, the popular software OpenEMR used to be plagued by injection vulnerabilities, and it is reasonable to assume that other health apps suffer from similar issues.
- Cross-Site Scripting (XSS): XSS vulnerabilities enable attackers to inject client-side scripts into web pages viewed by other users, which can be used to bypass access controls or steal information.
- Insecure Direct Object References (IDOR): This occurs when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access data belonging to other users, such as medical records or personal information.
- Configuration weaknesses: Misconfigurations in servers, databases, and network devices can open up vulnerabilities. Common issues include default credentials, unnecessary services running on servers, and open ports.
- Insufficient access control: Flaws in access control mechanisms can allow unauthorized users to access or modify data they shouldn’t have access to. This might include improper permission enforcement or flawed role-based access control (RBAC) implementations.
- Security misconfiguration in cloud services: As many health applications are hosted on cloud platforms, misconfigurations in cloud services can lead to data breaches. This includes improperly secured storage buckets, inadequate network access controls, and misconfigured identity and access management (IAM) policies.
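Several of the findings in the list above (injection flaws, IDOR, and insufficient access control) tend to appear together in the same resource-retrieval endpoint. The following added example, which is not code from the article or from any EMR product, shows a minimal FHIR-style Observation lookup in its vulnerable form next to a hardened one. The in-memory SQLite table, the patient identifiers, the observation values and the session structure are all constructed for the example; the LOINC codes are real but used only as sample data.

```python
# Added example: a vulnerable vs. hardened lookup of a FHIR-style Observation.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an Observation store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE observation ("
        "id INTEGER PRIMARY KEY, patient_id TEXT NOT NULL, code TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO observation VALUES (?, ?, ?, ?)",
        [
            (1, "patient-1", "8867-4", "72 /min"),       # heart rate
            (2, "patient-2", "8867-4", "91 /min"),
            (3, "patient-2", "85354-9", "140/90 mmHg"),  # blood pressure
        ],
    )
    return conn


def get_observation_vulnerable(conn: sqlite3.Connection, obs_id):
    """Insecure: the id is concatenated into SQL (injection) and there is no
    ownership check, so any authenticated user can read any record (IDOR)."""
    return conn.execute(
        f"SELECT id, patient_id, code, value FROM observation WHERE id = {obs_id}"
    ).fetchone()


def authorized(session: dict, patient_id: str) -> bool:
    """Role-based rule: patients see only their own data, clinicians only the
    patients on their care list. Anything else is denied by default."""
    role = session.get("role")
    if role == "patient":
        return session.get("patient_id") == patient_id
    if role == "clinician":
        return patient_id in session.get("care_list", ())
    return False


def get_observation_hardened(conn: sqlite3.Connection, session: dict, obs_id):
    """Hardened: validate the id type, bind it as a parameter, and enforce
    authorization on the record that was actually fetched."""
    if isinstance(obs_id, bool) or not isinstance(obs_id, int):
        raise ValueError("observation id must be an integer")
    row = conn.execute(
        "SELECT id, patient_id, code, value FROM observation WHERE id = ?",
        (obs_id,),
    ).fetchone()
    # Return the same result for "not found" and "not yours" so that responses
    # do not reveal which ids exist.
    if row is None or not authorized(session, row[1]):
        return None
    return row


if __name__ == "__main__":
    db = setup_db()
    me = {"role": "patient", "patient_id": "patient-1"}
    print("vulnerable:", get_observation_vulnerable(db, 2))   # another patient's row
    print("hardened:  ", get_observation_hardened(db, me, 2))  # None
```

The ownership check is deliberately made against the `patient_id` stored on the fetched row rather than against anything the client sent, which is what closes the IDOR: the client chooses the id, the server decides whether the caller may see what that id resolves to.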
Addressing these common vulnerabilities requires a thorough and proactive security posture, including regular code reviews, vulnerability scanning, continuous monitoring, penetration testing, and staying informed about emerging threats. Even the vulnerabilities that are encountered less frequently remain critically important to identify and mitigate because of their potential impact on the confidentiality, integrity, and availability of health data.
At Blaze, during penetration tests of health apps, our consultants find an average of 7 vulnerabilities, 1 of which is high-severity.
Cybersecurity compliance requirements for the medical sector
The healthcare sector is one of the most regulated ones, as the safety of healthcare systems is often of critical importance to society. Various laws and regulations govern data protection in digital health applications, including the Health Insurance Portability and Accountability Act (HIPAA) in the US, the General Data Protection Regulation (GDPR) in Europe, or, more specifically, German DiGAV and DiPAV regulations for digital health apps and care apps. In the UK, the NHS Digital Technology Assessment Criteria (DTAC) provides a framework to ensure digital health technologies meet necessary standards. Companies must comply with these regulations to protect user privacy and avoid legal and financial liabilities.
Mental health apps have come under more scrutiny lately for exposing patient data to third parties, and there is a growing global effort to regulate the data security aspects of those apps.
Initiatives such as the one in the UK by the Medicines and Healthcare Products Regulatory Agency (MHRA) and the National Institute for Health and Care Excellence (NICE) explore how best to regulate digital mental health tools, not only in the UK but also globally.
Conclusion
The digital health market is growing rapidly, with more individuals turning to technology for their healthcare needs. By 2024, the global digital health market is expected to reach $193.70 billion in revenue, with the average user spending $60.04.
We can expect to see even more innovative digital health applications as technology advances. Meanwhile, these apps are already revolutionizing healthcare, making it more accessible, convenient, and effective for individuals around the world.
While using digital health applications has several benefits, they also introduce various security risks. Companies in the health sector must take necessary measures to safeguard their digital health applications and protect user data from cyber threats. Users must also ensure that their data is secure and stay fully informed about the risks associated with using such apps.