The digitization of health care services continues to accelerate across the globe. Since the pandemic’s virtual medicine boom, users rely on mHealth apps more than ever for health tracking, telehealth appointments, prescription management, and public health updates.
Health care providers rely on mobile apps just as much, using them to monitor patients, conduct business, manage Internet of Things (IoT) medical devices, and more. Researchers estimate that the mHealth app market will reach a valuation of $155 billion by 2032.
Despite their growing adoption, many mHealth apps include major security and privacy risks. A NowSecure benchmark analysis of 595 mHealth apps found 97% of the set had security risks, while 69% had privacy risks.
Concerns about mHealth application security and privacy risks have grown so much that Congress voted to turn the U.S. Food and Drug Administration (FDA) non-binding cybersecurity guidelines into laws starting October 1, 2023. After this date, medical device manufacturers (MDMs) and health care delivery organizations (HDOs) must follow FDA requirements to ensure their products meet a reasonable level of safety from cyber threats.
With FDA regulations for mHealth apps going into effect in October, mHealth app makers are required to follow secure mobile app development best practices to deliver safe, compliant mHealth apps.
mHealth App Breaches on the Rise
In recent years we’ve seen how mHealth app security and privacy vulnerabilities impact organizations and their users:
- The UnitedHealthcare mobile app experienced a breach that released private user information, including names, addresses, birthdates, claim information, and insurance details.
- A vulnerability in the anonymous mental health app Feelyou accidentally exposed the private email addresses of nearly 80,000 users.
- The Federal Trade Commission fined GoodRx $1.5 million for violating the Health Breach Notification Rule after disclosing users’ personal health information.
- NowSecure security researchers uncovered major vulnerabilities within Peloton mobile apps and APIs, which could have exposed users to personal information theft, phishing, and account takeovers.
- The vaccine passport mobile app developer Docket uncovered a security bug that exposed the COVID-19 vaccination records of some New Jersey and Utah residents.
- The period and fertility tracking mobile app maker Flo Health was involved in a class-action lawsuit after sharing private user data with third parties without their consent.
mHealth organizations must recognize the consequences of inadequate mobile app security and privacy practices in order to safeguard data from potential breaches.
Secure mHealth Apps with DevSecOps Methodology
To avoid the legal, financial, and reputational risks associated with compromised mHealth apps, organizations should apply several DevSecOps best practices to safeguard personal health information.
- Establish Standards Policy in Pre-Production: When developers and security analysts establish a standards policy in pre-production, everyone fully understands how to approach their work. Developers will know how to code, security analysts will know what to test, and the likelihood of releasing a non-compliant mHealth app will decrease significantly. Creating a policy based on a respected industry standard like the Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) helps ensure mobile apps meet a baseline level of security. Organizations developing mHealth apps can follow the OWASP MASVS guidelines that meet the highest level of security for maximum protection. In addition, ensure the policy aligns with FDA and any other regulatory requirements.
- Encourage Mobile AppSec Training: Functional code doesn’t always equal secure code. Many talented developers may be unaware of the secure coding techniques specific to mobile app development. Developers should regularly leverage free online courseware such as NowSecure Academy and other third-party resources to improve code quality. This helps improve the overall security of the mHealth app, while also reducing remediation time.
- Continuously Test New Builds with Automation: Mobile application security testing prevents vulnerabilities from escaping into the wild. But only running manual tests as the mHealth app nears completion often stalls progress because developers must spend extra time fixing the issues uncovered by testing. Deploying continuous automated security testing directly into CI/CD platforms allows developers to confirm the quality of their builds on a daily basis. Developers can then fix issues as they appear, decreasing the chance of security or privacy issues escaping after the mHealth app launches.
- Embed Remediation Info into Ticketing Systems: When security testing uncovers issues for developers to resolve, they often spend time searching for solutions on Google or Stack Overflow. Even if this approach solves the problem, developers waste valuable time looking for answers, which means they spend less time improving the core components of the mobile app. Embedding Just in Time (JIT) remediation instructions, code samples, training resources, and links to iOS and Android developer documentation into security issue tickets helps developers avoid searching for solutions. This creates an efficient work environment by providing all the information they need upfront and helps avoid similar problems in the future.
- Perform Guided Pen Testing: Although automation can cover 80% to 90% of security testing requirements for high-risk mobile apps, some areas still require human intervention. Features like multi-factor authentication and CAPTCHA cannot be automated, so periodically performing manual pen testing helps provide maximum coverage. NowSecure Guided Testing harmonizes powerful automation with human expertise; automation can cover the majority of testing requirements, while a professional security analyst can periodically drop in to verify the security of areas that automation can’t cover.
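The policy, continuous-testing and ticket-enrichment practices above can be combined into a single CI gate. The following is an added example, not NowSecure or Voler code; the scanner findings format, the MASVS level mapping, the MSTG requirement ids used as keys, and the documentation links are assumptions for illustration.

```python
"""CI gate: evaluate mobile-security findings against an OWASP MASVS policy.
Constructed example; findings format, policy mapping and links are assumptions."""
import json

# Policy (assumption): mHealth apps target the highest MASVS v1 profile, L2+R,
# so L1, L2 and R findings are all in scope; medium and above block the build.
POLICY = {"required_levels": {"L1", "L2", "R"}, "block_at_severity": "medium"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Just-in-time remediation text embedded into each ticket, keyed by requirement id.
# Links are placeholders for the team's own developer documentation.
REMEDIATION = {
    "MSTG-STORAGE-2": ("Keep PHI out of plaintext SharedPreferences/NSUserDefaults; "
                       "use Keystore/Keychain-backed storage.", "https://docs.example.invalid/storage"),
    "MSTG-NETWORK-3": ("Validate server certificates against the system or a pinned "
                       "trust store; never accept all certificates.", "https://docs.example.invalid/tls"),
}

def violations(findings, policy=POLICY):
    """Return in-scope findings at or above the blocking severity, with fix guidance attached."""
    threshold = SEVERITY_RANK[policy["block_at_severity"]]
    out = []
    for f in findings:
        if f["masvs_level"] not in policy["required_levels"]:
            continue                      # outside the required MASVS profile
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue                      # low severity: warn in the report, do not block
        fix, link = REMEDIATION.get(f["masvs_id"], ("No JIT guidance mapped yet; assign to a security analyst.", ""))
        out.append({**f, "remediation": fix, "doc_link": link})
    return out

def build_tickets(viols):
    """Render one ticket body per violation so developers get the fix upfront."""
    return [f"[{v['severity'].upper()}] {v['masvs_id']} in {v['location']}\n"
            f"Fix: {v['remediation']}\nDocs: {v['doc_link'] or 'n/a'}" for v in viols]

def gate(findings_json):
    """CI step entry point: returns pass/fail plus the tickets to file."""
    viols = violations(json.loads(findings_json))
    return {"pass": not viols, "tickets": build_tickets(viols)}

# Constructed scanner output for one sample build (not real findings).
SAMPLE_FINDINGS = json.dumps([
    {"masvs_id": "MSTG-STORAGE-2", "masvs_level": "L1", "severity": "high", "location": "PatientCache.kt"},
    {"masvs_id": "MSTG-NETWORK-3", "masvs_level": "L1", "severity": "medium", "location": "ApiClient.swift"},
    {"masvs_id": "MSTG-RESILIENCE-1", "masvs_level": "R", "severity": "low", "location": "App.kt"},
])

if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["pass"] else 1)  # non-zero exit fails the pipeline
```

Run as a pipeline step after the scanner writes its findings; the two blocking findings produce tickets with remediation text attached, while the low-severity resilience finding is reported without failing the build.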
Maintaining compliance with FDA security and privacy requirements demands attention throughout the entire mHealth app development lifecycle. By following DevSecOps best practices, organizations can protect users from privacy breaches and safeguard their business reputations.
Learn more about FDA and CE cybersecurity requirements for medical devices and mobile apps by watching the NowSecure/Voler joint webinar “Inside the Latest FDA Guidance on mHealth Security for Your Mobile Pipelines.”
Authored by Brian Reed, Chief Mobility Officer at NowSecure. Brian is on a mission to save the world from unsafe mobile apps at NowSecure.
About Voler Systems
Voler Systems is a leading firmware design, electronics, software, and sensor development company in Silicon Valley. The company has built a solid reputation for reliable and innovative designs that meet the needs of modern businesses. With expertise in circuits, automation, motion control, and medical devices, Voler Systems is a leading provider of the underlying technologies for wearable devices, home health products, and industrial devices and applications.