Amid DTx apps boom cyberattack risks threaten patient data, medical services

Digital therapeutic (DTx) apps have become integral to healthcare, offering innovative solutions that combine behavioral changes with drug treatments. As these apps gain prominence, the risk of cyberattacks looms large, threatening patient data and medical services.

At their core, DTx apps are a useful tool in facilitating patients’ self-care and preventing medical conditions from escalating. However, the information contained within the apps makes them an inviting target for cybercriminals. For app makers, demonstrating patient care does not just begin and end with providing the best treatments. It also means protecting their patients from harm, including those originating from mobile threats.

What makes DTx apps a target?
Across India, there is evidence that organizations are adopting mobile services to better their patients’ health. In particular, startups like Amaha, Lissun, and Clarity are competing to capture a part of India’s mental health app market, which is expected to experience a compound annual growth rate (CAGR) of 15 percent within the next four years.

While this is a promising trend, data security is a significant concern amid an ever-evolving threat landscape. As patient data is fully digitalized, protecting that data is critical. Around the world, there are many data privacy and data protection regulations that healthcare organizations need to abide by with regard to Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). These regulations are meant to ensure that the Electronic Health Records (EHR) stored in mHealth apps remain confidential and cannot be compromised, changed or stolen. They include HIPAA in the USA, PIPEDA in Canada, GDPR in the EU, and DPA and CLDC in the UK. India released its own version in August 2023: the Digital Personal Data Protection Act, or DPDP.

In addition to protecting the data inside mHealth and DTx apps, app makers also need to protect their apps against the ubiquitous threat from ransomware, which can cause healthcare professionals to lose access to Electronic Health Records (EHR) and delay treatments.

The key takeaway here is that DTx apps are today at a crossroads. Their security – or lack thereof – doesn’t just jeopardize sensitive patient information, but could also endanger lives.

Navigating the mobile threat landscape
Developers of digital therapeutics apps need to watch out for and combat these five mobile attacks to ensure a safe and comfortable experience for their patients:

1. Theft and loss of electronic health records
There are 3 elements to ensure that confidential patient data cannot be compromised, lost or stolen: (1) ensure that only authorized users can open the app; (2) encrypt all data in the app and (3) encrypt the connection between the app and the backend server.

At an absolute minimum, app makers should require patients to enter their username and password each time they open the app. Patients should also automatically be logged out after a certain time of non-use. Apps should further increase access security by using biometric authentication or multi-factor authentication (MFA), and should protect against attacks that leverage deep fakes to bypass biometrics and attacks that can intercept and steal MFA tokens.

The second element of secure data storage is data encryption (data-at-rest encryption). Mobile healthcare and DTx app makers can achieve this by encrypting all the data stored in the app using the AES-256 encryption algorithm. This should include not only patient data in the application sandbox but also data stored in the strings, resources and in-app preferences.

Finally, by encrypting all data-in-transit, app makers ensure that patient data sent or received cannot be intercepted by network-based attacks such as Man-in-the-Middle. App makers should also use best practices to validate both client-side and server-side digital certificates.
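
The second element above, data-at-rest encryption with AES-256, shown as an added example that is not part of the original article. It assumes Node.js and its built-in crypto module, and it picks the GCM mode (the article names only AES-256) so that a changed record is rejected rather than decrypted. The function names, patient IDs and sample record are constructed for illustration, and the key is generated in place where a real app would fetch it from the platform keystore.

```javascript
// Added example (not from the article): AES-256-GCM for one locally stored record.
const nodeCrypto = require('node:crypto');

const ALG = 'aes-256-gcm';
const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypt a record. patientId is bound as associated data, so a blob moved
// into another patient's storage slot fails authentication on decrypt.
function sealRecord(key, patientId, record) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh nonce for every write
  const cipher = nodeCrypto.createCipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(patientId, 'utf8'));
  const body = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // layout: iv || tag || ciphertext
}

// Decrypt and verify. Throws if the key, patientId, or any stored byte is wrong.
function openRecord(key, patientId, blob) {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('stored blob is truncated');
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(patientId, 'utf8'));
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(blob.subarray(IV_LEN + TAG_LEN)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Returns 'ok' or 'rejected' instead of throwing, for callers that must fail closed.
function tryOpen(key, patientId, blob) {
  try { openRecord(key, patientId, blob); return 'ok'; } catch { return 'rejected'; }
}

// Constructed sample data; in a real app the key comes from the platform keystore.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const blob = sealRecord(key, 'patient-0001', { mood: 4, note: 'slept 7h' });
  const flipped = Buffer.from(blob);
  flipped[flipped.length - 1] ^= 0x01; // simulate on-device modification
  return {
    genuine: tryOpen(key, 'patient-0001', blob),
    modified: tryOpen(key, 'patient-0001', flipped),
    wrongPatient: tryOpen(key, 'patient-0002', blob),
  };
}
```

Because the nonce is random per write, sealing the same record twice yields different blobs, so stored ciphertexts do not reveal which entries are identical.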

2. Jailbreak and rooting techniques
Malware allows attackers to jailbreak or root devices to gain administrator privileges. Once they have achieved this, it becomes easier for them to steal information stored inside application sandboxes and SD cards or create vulnerabilities within operating systems. Integrating jailbreak or rooting detection solutions can help app makers stay one step ahead of these tactics. Moreover, app makers should also incorporate features that prevent attackers from concealing rooting tools, including Magisk and Zygisk.

3. Spyware, keyloggers, and mobile malware that target patient data in DTx Apps
To ensure mobile patient privacy and confidentiality, developers and security professionals should guard against unauthorized access to, and theft of, patient data and electronic patient health records and information (EHR) stored locally on the device or in the mobile app. Perhaps the easiest way to do this would be ensuring that only the authorized patient can access his or her records via the mHealth app. This can be achieved with a combination of proper authentication for mHealth apps, strong mobile malware defenses that prevent app overlay attacks and keylogging, and data loss prevention measures such as preventing copy-paste functions from the app and encrypting the app clipboard.

4. Fake versions of DTx apps
Reverse engineering allows hackers to create fake versions of apps that appear similar to legitimate ones. These apps can then be distributed to users, enabling attackers to steal personal data, redirect them to malicious sites, or even trick them into purchasing fake or low-quality items through false advertising.

Healthcare organizations can combat these tactics by implementing app-hardening solutions and code obfuscation that make it difficult for attackers to repackage app contents. Organizations should also include emulator prevention features that block attackers’ attempts to study and mimic the app’s functionalities.

5. Be ready for the new threats of tomorrow
App makers should always be vigilant and on the lookout for new threats and attacks. mHealth apps are very attractive to hackers looking to steal confidential patient information, or just alter patient data with the aim of causing harm. Hackers and malicious actors will always be looking for new ways to achieve their goals. App makers therefore cannot be content with the existing protections in their apps, but need to have the flexibility to easily upgrade their protections when new threats arise on the horizon.

DTx apps are an innovative way for healthcare providers to deliver treatment, regardless of where their patients are located. However, great care must be taken on the app maker’s part to ensure that their patients are protected from mobile threats. By building the recommended defenses for their DTx apps, app makers can deliver wellness and ease of mind for their patients. The Financial Express

Copyright © 2024 Medical Buyer
