Issue link: https://beckershealthcare.uberflip.com/i/1353232
CIO / HEALTH IT

30 popular mobile health apps vulnerable to cyberattacks, PHI exposure
By Jackie Drees

Thirty of the most downloaded mobile health apps are highly vulnerable to application programming interface cyberattacks, which could let hackers gain access to patient health records and protected health information, according to a Feb. 9 Knight Ink and Approov report.

For its report, API cybersecurity company Approov and cybersecurity content company Knight Ink tapped Alissa Knight to analyze the leading mHealth apps over a six-month period to assess cybersecurity vulnerabilities. Ms. Knight is a cybersecurity analyst and partner at Knight Ink. The mHealth app developers agreed to participate in the study as long as the results were not directly attributed to the app vendors.

Seven report insights:

1. For the 30 mHealth apps, the average number of downloads for each was 772,619; the researchers estimate that the mHealth apps expose about 23 million mHealth users at minimum.

2. About 77 percent of the apps analyzed contained hard-coded API keys, some of which don't expire, and 7 percent contained usernames and passwords.

3. Seven percent of the API keys belonged to third-party payment processors, which warned against hard-coding their secret keys in plain text.

4. Half of the tested APIs did not authenticate coding requests with security tokens.

5. The researchers found API keys and tokens, which are used to authenticate with the mHealth companies and third-party APIs, for Google, Microsoft App Center, Amazon AWS, Facebook, Salesforce and more.

6. All the tested API endpoints were vulnerable to broken level authorization attacks, which let unauthorized users access patient records, downloadable lab results, X-ray images, blood work, and information such as Social Security numbers and family member data.

7. Fifty percent of the records accessed through the study contained names, Social Security numbers, addresses, birthdates and other sensitive patient data.

How UAB Health makes IT purchasing decisions
By Laura Dyrda

Joan Hicks, CIO of UAB Health System in Birmingham, Ala., joined the Becker's Healthcare podcast to discuss the big challenges in health IT today and how her system makes IT purchasing decisions.

Question: How do you make decisions about IT purchasing?

Joan Hicks: It's certainly a decision not made just by IT. These are business decisions. It is our role, or job, to help from an IT perspective. We help the requesters clearly define the problem they are trying to solve. There is so much technology out there. [We ask] what problem are you trying to solve and why? Why is that problem important? How does this solution fit into our ecosystem? It's got to fit in. There just isn't a place for the standalone isolated items.

[We consider whether] there is a solution we already have in place in the 500-plus solution portfolio that either meets that need, solves the problem, or with a little bit of enhancement could it be made to do so. That is the type of data we gather and present back to our senior operations team, and they help us with those decisions.

We also really look at the ownership and storage of our data and the reuse of our data. That is becoming more prevalent in all the contracts we see. Healthcare data is extremely valuable, and [vendors] want to be able to use it. Our goal is to understand for what purpose they want to use it. Even under the HIPAA regulations, we can still give access to tremendous information. We want to be thoughtful and drill down into what the data will be used for if it is determined that vendors can use our patients' data, for how long, and what are their plans for destruction in the future. That's one of the things we always look at: the ownership and site of where that data will be stored.

CIS rolls out free ransomware protection service for some hospitals
By Hannah Mitchell

Private hospitals in the U.S. can access a free ransomware protection service funded by the Center for Internet Security.

The Malicious Domain Blocking and Reporting service prevents IT systems from connecting to harmful web domains. CIS will use the cybersecurity and intelligence firm Akamai to support the program. CIS reported investing $1 million into the project so far.

CIS already offers this service for all public hospitals, health departments and healthcare organizations with funding from the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency.

