Way back in January 2016, Arxan Technologies published a report looking at the security of health apps. At the time the firm’s senior technical director, Winston Bond, stated that while most users of such apps believed them to be secure, “most have significant vulnerabilities”.
Fast forward to the present, and the recent drive by secretary of state for health and social care Matt Hancock for the NHS to adopt more apps, with a view to improving clinician communication and workflow and patient convenience.
In a speech to staff at his local hospital, Hancock said “let this be clear: tech transformation is coming” and added that “the right use of technology can save time and money, it can improve patient safety too”.
Security is the elephant in the room
In and of itself I don’t have a problem with any of that. I do, however, have a problem with the elephant that remains in this particular room: security.
Sure, a list of approved applications maintained by NHS England makes for good media soundbites, but does it really mean much when it comes to security? I’m inclined to think not, truth be told.
App development security is a complex area, even for those of us who spend our entire working lives wrapped up in security issues. It’s made more complicated by the whole desire for DevOps that currently exists. As the name suggests, this is a bringing together of ‘development’ and ‘operations’ to be able to deliver applications at a faster velocity than traditional processes would allow.
Unfortunately, in this rush towards automation of the development and delivery process, security is often an afterthought; a bolt-on item rather than built in from the ground up.
When vulnerability is a component
A majority of app developers will be implementing components such as libraries and frameworks that are often open source, and that run with the same privileges as the application itself. This isn’t a problem, unless those components come complete with known vulnerabilities.
Ha, I hear you exclaim: if they are known then they will be fixed, and that’s that. Apart from all too often it isn’t. If it were, then ‘using components with known vulnerabilities’ wouldn’t have remained in the Open Web Application Security Project’s top 10 application security risks for the past five years straight.
As OWASP itself states: “Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts” and “can facilitate serious data loss”.
But the NHS wouldn’t allow such apps to make it onto the approved list, would it? I’m not so sure. Really, I’m not. Are NHS England or NHS Digital going to examine app code in depth for security vulnerabilities? Are they going to insist that all approved apps have binary code protection in place to help prevent tampering that could lead to privacy violation? Is there really going to be any difference, in security terms, between approved and not-approved apps? I think you can probably guess in which direction my thoughts are sadly heading.
Approval doesn’t necessarily mean security
And I’m not the only one. I started this column with the thoughts of Winston Bond from Arxan Technologies from a couple of years ago, so let’s finish with his thoughts following on from the Hancock declaration of app intent.
“Even though an app may be approved by the NHS, it is still as vulnerable as an unapproved app,” Bond has said. “As a baseline, medical device manufacturers and developers need to thoroughly test the applications to ensure they are effectively protected against cyber-attacks and exploits. Crucially, this must be done before they come onto the market.
“The healthcare community should understand this concept better than anyone, just as prevention saves lives and reduces care costs, this same approach needs to apply to app security.”
I’ve said it before, and I will say it again: value for money must not override application security when it comes to approval systems. If the NHS is to adopt more apps, then it must also adopt an approval system with teeth. If that means looking to independent third parties with the relevant knowledge to properly accredit applications as secure, then so be it.