“Cyber-attacks in the healthcare space are nothing new. As an industry, healthcare has always been a hot target for cybercriminals,” says Bill Horne, CTO, and GM, Intertrust Secure Systems, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What are the top data security vulnerabilities associated with healthcare and medical apps?
Bill Horne: According to our report – Intertrust Technologies 2020 Security Report on Global mHealth Apps – the largest category of data security vulnerabilities is related to mishandled and/or weak encryption. A full 91% of the apps we tested had cryptographic issues that put their data at risk. For example, 70% of iOS apps were found to have misconfigured App Transport Security (ATS), which can leave data open to interception in transit. Other cryptographic vulnerabilities include weak key derivation algorithms, short HMAC keys, insecure SSL certificate pinning, and insufficient transport layer protection.
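As an added example (not from the report or the interview), a small Python check for the ATS misconfiguration Horne mentions: it parses two constructed Info.plist fragments and flags the settings that switch App Transport Security off or weaken it. The domain name and plist contents are made up for illustration.

```python
import plistlib

# Constructed Info.plist fragments (not real apps): one that disables ATS
# entirely, one that keeps ATS on with a tightly scoped exception domain.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>api.example-health.test</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
        <key>NSExceptionRequiresForwardSecrecy</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Global ATS keys that opt some or all connections out of ATS enforcement.
GLOBAL_OPT_OUTS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)

def audit_ats(plist_bytes: bytes) -> list:
    """Return a list of findings describing how ATS is weakened; [] if clean."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for flag in GLOBAL_OPT_OUTS:
        if ats.get(flag) is True:
            findings.append(f"{flag}=true: ATS opt-out set")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: plaintext HTTP allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS version below 1.2")
    return findings

if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(data) or "no ATS findings")
```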
ITSW Bureau: Tracking apps are critical to any nation’s hopes of managing the COVID-19 pandemic, but, as Intertrust’s report suggests, they can expose users to potential threats, including data leakage. How can this situation be improved?
Bill Horne: Many of the issues can be resolved by secure design practices—when possible, don’t store critical information on the device; validate all inputs; use strong encryption methods; make sure encryption keys aren’t inadvertently exposed. The problem is that the need for rapid deployment can lead to shortcuts, and even with all the time in the world, errors can’t be fully eliminated. However, issues can be mitigated by embedding protection technologies into the application that make it more difficult to find and exploit these vulnerabilities.
ITSW Bureau: How important is Key Protection, and what are your top tips for managing encryption key extraction vulnerabilities?
Bill Horne: Encryption is only as secure as the key itself. If the key is lifted, the whole purpose of encryption is lost. Nearly one-third of all the mHealth apps we analyzed are vulnerable to crypto key extraction. Unless the app can leverage underlying hardware security mechanisms, the best defense here is using white-box cryptography. White-box crypto provides an additional security level so that even if the app is running on a jailbroken or rooted device, where the device-provided security mechanisms can be breached, the encryption keys continue to stay protected. Such in-depth defense is also important to protect against side-channel attacks that can bypass hardware-based protections.
ITSW Bureau: Healthcare, as an industry, has become something of an easy target for cybercriminals during the pandemic. What are the most significant vulnerabilities facing the industry (as a whole), and how is the industry tackling them?
Bill Horne: Cyber-attacks in the healthcare space are nothing new. As an industry, healthcare has always been a hot target for cybercriminals. The global pandemic has just made things worse. In addition to mobile apps, many internet-connected medical devices have made healthcare organizations more vulnerable. All this is very real. Just a few days ago, we witnessed the first-ever patient fatality caused directly by a cyber-attack on a hospital in Germany.
Most healthcare providers are quickly trying to transition to a predominantly telehealth style format, allowing their doctors to interact with patients through apps, provide medication details, drug order management, etc. The healthcare industry holds a lot of important and personal data about patients, including their medical records, medical history, and insurance records – all of which are very valuable. We’ve seen that most healthcare institutions are serious and committed to protecting the privacy of their patients, but the fact is that most of them are still far behind in adopting cybersecurity practices that can keep them ahead of the curve.
Ransomware, phishing attacks, data theft, etc. are all significant vulnerabilities facing the healthcare industry. In order to protect themselves and their customers, many healthcare companies have started to adopt new anti-ransomware, anti-malware, and anti-phishing tools. It is important to remember that everything starts with the application code. We are recommending companies start employing stronger protections for their apps and encryption keys using technologies like in-app protection and white-box cryptography to make it so difficult for hackers to break the app that they give up and move on to a different target. Many healthcare providers are also helping educate their customers about cybersecurity and, by implementing stronger passwords, two-factor authentication, and stronger encryption, helping to fight these new challenges. What is needed is for companies to fully follow the zero-trust approach – meaning that you do not trust any device or user by default and always perform necessary checks before granting access to services.
Bill Horne leads Intertrust’s Secure Systems product group and is responsible for the company’s authentication, root key services, and software tamper resistance products. Prior to joining Intertrust at the end of 2016, Horne was the Director of Security Research at Hewlett Packard Enterprise, where he led a team of R&D security experts who supported HP’s security product efforts. Prior to HP, Horne was a research scientist at Intertrust’s STAR Lab from 1997-2002, and prior to that at the NEC Research Institute in Princeton, NJ. Horne is a prolific inventor and technical author. He has authored over 50 peer-reviewed publications in the areas of security and machine learning and holds 33 granted patents and 44 patents pending. Horne holds a B.S. in Electrical Engineering from the University of Delaware, and M.S. and Ph.D. degrees in Electrical Engineering from the University of New Mexico.