Healthcare apps are used for ill

Mobile apps are essential to most every industry, and healthcare is no exception. Just last month, The Washington Post claimed that "the App Economy is about to explode." A research report cited by the newspaper shows a growth in app monetization of nearly 500 percent over the next five years. Most larger health providers and insurers already offer apps to their patients or clients, and nearly everyone is considering how to use apps to enhance their business and improve their service. A study from Red Hat reveals that 82 percent of healthcare organizations have or are implementing a mobile strategy, and of those, 72 percent have already achieved a positive return on investment from apps.

But healthcare companies aren't the only ones who see mobile as an opportunity: groups of threat actors now target brands. What happens if an app that was meant to drive marked improvements actually causes damage instead? While a good number of apps are hosted and procured from legitimate app stores — most commonly those from Apple and Google — an increasing number come from other sources. Unsanctioned sources are likely to host bootlegged apps that may be phony, cracked, blacklisted or otherwise uncontrolled. The results range from producing material damage to dissipating value for the organization. What was intended for good becomes hijacked as an asset for some other entity or, worse, the means for malicious or criminal acts.

The app delivery landscape has become complex, not just from the volume of stores or sources for downloads, but also from the tangled relationships that exist in the delivery infrastructure. Sorting out good and bad is often difficult.

Apps in one portal or website may actually reside in another place entirely. Consumers are increasingly clicking links in social media to download a particular app, and many times, this leads to an unsanctioned source. In some cases, these apps may be fully legitimate and delivered correctly, but other times, the app may be combined with an unwanted or malicious app in the downloading process. Some could deliver a counterfeit version of the app that is beyond the control of the app owner.

In one recent analysis we performed, based on our continuous knowledge of internet and mobile traffic, 90 percent of the apps from 45 organizations we analyzed resided in unofficial, unsanctioned app stores. Only 10 percent were in official stores and fully under the control of the organization that owned them. This is the typical ratio we encounter.

Dangerous Side Effects

With such a small portion of apps under the control of their rightful owners, dangers can abound. First and foremost, uncontrolled apps may cause a provider to fall out of HIPAA compliance. If another person or entity has control of the app, they may be able to access confidential patient information or insurance claim details that could result in fraud.

Second, information from the app may not include proper disclosures and protective legal or required regulatory statements. Because the organization no longer manages or updates the app, it does not have the means to ensure that data and pages are marked with the appropriate statements or warnings.

Third, in addition to potential leaks of confidential information, data gathered from the unauthorized app that might be necessary to the physician or other professional may not make it back to them. A doctor may want self-reported body temperature, blood pressure or other details reported back for proper continuing care after surgery or treatment.

Fourth, and rather likely, updates and fixes to the app may not occur because the registration or download details were never transmitted to the app owner. At some point, this may mean that the app stops working properly, causing sluggish computer performance or other issues and otherwise reflecting poorly on the brand holder. The app also could become the means for a cyberattacker to compromise a user's device and conduct a data breach or worse.

According to RiskIQ data, 17 percent of the apps sourced from unofficial app stores contain malware or links to malicious sites. It is possible the app that bears the brand and name of an honorable organization becomes an instrument for cybercrime. Fingers will point back to that organization, and a large-scale crisis could ensue.

The Right Medicine

The knee-jerk reaction to all of these issues might be to do away with healthcare apps or not develop new ones. Such a move would be unfortunate and potentially detrimental to one’s practice. A feature article in the Economist from March 2017 proclaims that a "digital revolution" for healthcare is coming, and it will create "winners and losers." Apps may be key to personalized medicine and telemedicine as they develop and also may be important to various "concierge services" that practitioners are beginning to offer. Apps make life easier for patients but also can provide considerable time savings for physicians, insurers and administrative staff. Wearable sensors are being integrated with apps to provide feedback to patients and data for medical teams.

Rather than doing away with healthcare apps, it is crucial that companies monitor and police the distribution and use of their apps. Such vigilance requires a comprehensive, real-time service that can distinguish the use of your brand and identify your apps. Such a service can be integrated with existing security operations or used by those responsible for the organization's brand. Smaller providers could ask their outsourced security service to add mobile app monitoring.

Don't fear the future and run from new technologies that offer substantial benefits. Like everything else in medicine, every cure has its share of risks, and with proper caution and skill, they can be minimized for the overall good.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
