A new report issued by the SANS Institute delves into the common healthcare mobile application issues faced by mobile health app developers and security professionals.
The “2015 State of Application Security – Closing the Gap” report also explores attitude differences between the two groups and highlights areas where improvements need to be made to achieve a common goal: the release of mobile health apps on time and with all the necessary security controls to protect data that is stored, transmitted or touched by the app. Unfortunately, that goal is difficult to achieve, and impossible if the two groups do not work closely together.
Data security needs to be at the core of mobile apps, not bolted on at the end. For that to happen, mobile health app developers need to know exactly what is required in order to make their software secure and HIPAA compliant. The survey showed that many app developers were not even sure about the security controls that need to be incorporated, while security teams lacked understanding of the app development process.
435 individuals took part in the survey, with 65% of respondents coming from the mobile app security industry, while the remaining 35% were mobile application developers.
By assessing the different problems suffered by both groups, it is hoped that app developers and security teams will gain a better understanding of each other's needs, requirements and deadlines, allowing closer collaboration and streamlined app development.
The study identified the following issues faced by the two groups:
Healthcare Mobile App Developers’ Issues
- The delivery of mobile apps on time
- Lack of understanding of how apps can be made secure
- Insufficient management funding
Healthcare Mobile Application Issues Suffered by Security Teams
- Identifying all applications within an application portfolio
- Fear of breaking apps with “bolt-on” security protections
- Poor communication between developers, security teams and other organization team members
Each group faces separate challenges, but both were in agreement on the biggest security risks. 74% of app developers and security professionals rated public-facing web apps as the biggest risk and agreed that addressing the interfaces should be a priority. Last year, only 38% of respondents rated web app interfaces as a major data security risk.
In order for health apps to be used by the healthcare industry, they must be HIPAA-compliant and pass security audits. This is the main driver for implementing security controls. 71% of respondents rated compliance as the main driver for enhancing security controls.
Respondents also believed it was important to enhance security to reduce the cost of a data breach, if one is suffered. 69.6% of respondents rated breach cost reduction as a major driver behind the enhanced mobile app security controls that are now being put in place.
As for industry challenges over the coming year, both groups rated multi-language apps and the number of mobile frameworks as being particularly problematic. The rapidly changing threat landscape was also highlighted as one of the major healthcare mobile application issues that must be overcome.