The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App which would only take a “low level” of skill to exploit.
The Philips HealthSuite Health Android App is used by individuals to help them achieve activity targets and health goals. The app collects user information such as body measurements and health data, and uses software to collect activity measurements. The app may therefore store a great deal of private information about the individual’s health and habits. The app is used by individuals in the United States, the Netherlands, Germany and the United Kingdom.
While the app uses encryption to store user data and prevent unauthorized individuals from gaining access to the information, the encryption used was deemed too simplistic by security researchers. Officials wrote “A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.”
As a result, an attacker with physical access to the device running the app could exploit the vulnerability to gain access to a user’s data. The vulnerability cannot be exploited remotely. Therefore, while the encryption itself is weak, the need for proximity to the device results in the risk to users being assessed as low. The vulnerability, tracked as CVE-2018-19001, has been assigned a CVSS v3 base score of 3.5. The vulnerability is present in all Android versions of the app.
Philips will be releasing a new version of the app in the first quarter of 2019 which will use a stronger method of encryption for user data. In the meantime, Philips recommends not using the app on rooted or jailbroken mobile devices, as doing so would weaken security and increase risk.
“At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this vulnerability; Philips analysis indicates that there is no expectation of patient hazard due to this issue,” officials said in a statement.
As more and more people use apps and other personal devices, such as smart watches, to store healthcare information, app developers and device makers must ensure that their security controls meet the standards required by data protection regulations. The black-market value of medical information is high, so hackers will exploit easy targets if they find them in order to gain access to private information.
While the use of mobile devices in healthcare may reduce costs and expedite care, caution must be practiced. Little is known about the privacy and security risks which come with the use of mHealth apps (mobile health applications). A thorough investigation is needed into all applications which store confidential medical information to ensure that they have robust and strong technical safeguards in place.