A healthcare CISO must always be vigilant for the latest software threats and, nearly as importantly, must know how to separate high-risk security defects from the minor flaws that are always present. Mobile security is high on CISOs’ priority lists these days, as complications range from human error, such as leaving a phone unattended, to technical issues, such as weak encryption or network attacks.
A recent net-security.org article laid out some interesting mobile security vulnerabilities in both Android and iOS that relate directly to the BYOD concerns a security officer may have. The Android vulnerability, publicized after an August 11 Bitcoin wallet hack, was, according to Google, the result of the operating system (OS) not properly seeding the PRNG (pseudo-random number generator) used by its built-in cryptography APIs:
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” explained Android security engineer Alex Klyubin in a post on Google’s Android developers blog on August 14.
Without sufficient randomness in key generation, guessing the encryption keys, and with them the contents of the encrypted data, becomes that much easier for an attacker. While Bitcoin has only recently started making inroads into healthcare as a form of payment, software vulnerabilities of this type should be worrisome regardless of the application, because encryption in practice is only as strong as its implementation and has yet to evolve into an exact science.
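To make the seeding point concrete, here is an added illustration (not code from the article, from Google, or from the Android project) of why a PRNG initialized from a low-entropy seed yields predictable keys, and of a simple batch check a reviewer can run against any key generator. The "weak" generator is a constructed stand-in for a library whose PRNG was never seeded from a high-entropy source; the key size, batch size and seed-space size are assumptions chosen for the demonstration, and the "strong" path uses the operating-system CSPRNG through Python's `secrets` module.

```python
"""Added illustration: improperly seeded PRNG versus an OS-backed CSPRNG.

weak_key() simulates a generator whose only seed is a low-entropy value;
it is a constructed stand-in, NOT the Android JCA code the article refers to.
strong_key() draws key material from the OS CSPRNG via the secrets module.
"""
import random
import secrets
from collections import Counter

KEY_BYTES = 16  # assumption: 128-bit symmetric key for the demonstration


def weak_key(seed_material: int) -> bytes:
    """Simulate a key generator seeded only from a low-entropy value.

    `seed_material` stands in for a seed with few possible values. A fresh
    PRNG instance is built on every call, mirroring a library that creates a
    generator per key request. random.Random is deterministic and not a
    cryptographic PRNG, so the same seed always yields the same key.
    """
    rng = random.Random(seed_material)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Draw key material from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def duplicate_keys(keys):
    """Return the distinct keys that appeared more than once in a batch.

    Collisions between keys from independent instances are a cheap sanity
    check: with properly seeded 128-bit keys they should never be observed.
    """
    return [k for k, n in Counter(keys).items() if n > 1]


def audit_weak(batch: int, seed_space: int):
    """Generate `batch` keys from the weak generator, each seeded by a value
    drawn from a space of `seed_space` possibilities, and report collisions.
    When batch > seed_space, collisions are guaranteed by the pigeonhole
    principle, which is exactly what the audit is meant to surface."""
    keys = [weak_key(secrets.randbelow(seed_space)) for _ in range(batch)]
    return duplicate_keys(keys)


def audit_strong(batch: int):
    """Generate `batch` keys from the OS CSPRNG and report collisions."""
    keys = [strong_key() for _ in range(batch)]
    return duplicate_keys(keys)


if __name__ == "__main__":
    # Constructed parameters: 200 keys, weak seeds drawn from only 16 values.
    print("weak generator collisions:", len(audit_weak(200, 16)))
    print("strong generator collisions:", len(audit_strong(200)))
```

Running the script shows many repeated keys from the weak generator and none from the OS-backed one. The same batch-collision check can be pointed at any key-generation routine: repeated keys across independent instances are a strong signal that the underlying PRNG is not being seeded with enough entropy.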
Furthermore, the article pointed out that the Apple App Store approval process is no longer the iron-clad security gate it once was. Given that a group of Georgia Tech researchers were able to submit a malicious application to the Apple App Store, CISOs must be wary of iOS attacks as well. This isn’t to say that security personnel can control whether malicious applications are available to clinical staff acting as consumers in a BYOD scenario. But they can stay up to date on the known software weaknesses and work with staff to reduce those risks instead of locking them out of the software entirely.
Keeping patient data safe and secure should be the primary goal, and the fact that mobile OSes are, by nature, prone to flaws and security gaps should be taken into account when forming BYOD policies and procedures.