February 19, 2025 12 mins
Zero Trust for Mobile Healthcare: Protecting ePHI on Personal Devices

The proposed updates to the HIPAA Security Rule aim to address specific cybersecurity threats related to mobile devices and applications that access electronic protected health information (ePHI).

These threats include:
• Cloned/modified apps: Addressing the risk of fake apps that can deliver malware or viruses, or steal credentials used to access backend systems. App attestation is suggested as a way to verify that apps accessing ePHI are genuine and unmodified.
• Device manipulation: Providing run-time protection against device manipulation, where hackers jailbreak or root devices and use tools to steal data or modify app operations. The proposal suggests continuous scanning for problematic software and real-time reporting of device environment states, with the ability to block requests from compromised devices.
• Man-in-the-middle attacks: Protecting against the interception and manipulation of mobile device communications to steal sensitive information. The proposal suggests the implementation of dynamic pinning on all communication channels used by healthcare apps, including those to third-party APIs, as well as blocking tools that enable trust store manipulation or MitM attacks.
• API secret protection: Preventing hackers from using weaponized mobile apps to scale up attacks on critical APIs by stealing API keys. The proposal suggests that API keys for accessing ePHI APIs should never be stored in mobile app code, but delivered only as needed to verified apps via attestation.
• Identity exploits: Protecting against identity theft and credential stuffing attacks by using app and device attestation at run time for zero-trust protection. The proposal suggests tracking signs of identity abuse as a requirement for run-time security monitoring.
• Breach readiness and service continuity: Encouraging organisations to prepare for potential security incidents with protocols for addressing breaches, such as revoking access, quarantining affected systems and conducting investigations. It suggests that incident response plans should extend to third-party breaches and highlight the management of API keys and certificates.
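The threats above share one backend-side control: the ePHI API should not trust a request until a short-lived attestation token says the app is genuine and the device environment is clean, and only then release the API key. The following is an added example of such a zero-trust gate, not code from Approov or from the proposed rule. The token format, the claim names (app_genuine, device_state, mitm_tools), the HMAC signing key and the API key value are all constructed for illustration; a real attestation service would produce the claims from its own app-integrity and device checks.

```python
"""Added example: a minimal zero-trust gate in front of an ePHI API.

The backend serves ePHI only when the request carries a valid, unexpired
attestation token whose claims say the app is genuine and the device is
not compromised.  The ePHI API key is never shipped in the app; it is
released per request only after the token passes every check.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for this example.  In a deployment the signing key is
# shared only between the attestation service and the backend, and the ePHI
# API key lives server-side and is never compiled into the mobile app.
ATTESTATION_SIGNING_KEY = b"example-attestation-service-signing-key"
EPHI_API_KEY = "example-ephi-api-key-released-only-to-attested-apps"
TOKEN_TTL_SECONDS = 300  # attestation tokens are deliberately short-lived
BLOCKED_DEVICE_STATES = {"rooted", "jailbroken", "emulator"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    mac = hmac.new(ATTESTATION_SIGNING_KEY, payload_b64.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())


def issue_attestation_token(claims: dict, now: Optional[int] = None) -> str:
    """Attestation-service side: sign the app/device findings with an expiry.

    `claims` stands in for the result of the service's own integrity checks,
    e.g. {"app_genuine": True, "device_state": "clean", "mitm_tools": False}.
    """
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + TOKEN_TTL_SECONDS)
    payload_b64 = _b64url(json.dumps(payload, sort_keys=True).encode("utf-8"))
    return payload_b64 + "." + _sign(payload_b64)


def verify_attestation_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Backend side: return the claims if the signature is valid and the token
    is unexpired, else None.  The signature is compared in constant time and
    checked before the payload is parsed, so tampered claims are never trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload_b64), sig_b64):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_ephi_request(token: str, now: Optional[int] = None) -> Tuple[int, dict]:
    """Zero-trust gate: returns an (HTTP status, body) pair.  The API key is
    released only when every run-time check passes; each failure is distinct
    so it can be logged and reported as a device/app environment event."""
    now = int(time.time()) if now is None else now
    claims = verify_attestation_token(token, now)
    if claims is None:
        return 401, {"error": "missing, invalid or expired attestation"}
    if claims.get("app_genuine") is not True:
        return 403, {"error": "app failed attestation (cloned or modified build)"}
    if claims.get("device_state") in BLOCKED_DEVICE_STATES:
        return 403, {"error": "device environment compromised: %s" % claims["device_state"]}
    if claims.get("mitm_tools") is True:
        return 403, {"error": "trust-store manipulation or MitM tooling detected"}
    return 200, {"api_key": EPHI_API_KEY, "expires_in": claims["exp"] - now}


if __name__ == "__main__":
    # Constructed walk-through: a clean device gets the key, a rooted one does not,
    # and a rooted device that edits its own claims fails the signature check.
    t = 1_000_000
    clean = issue_attestation_token({"app_genuine": True, "device_state": "clean", "mitm_tools": False}, now=t)
    rooted = issue_attestation_token({"app_genuine": True, "device_state": "rooted", "mitm_tools": False}, now=t)
    print("clean device:", authorize_ephi_request(clean, now=t))
    print("rooted device:", authorize_ephi_request(rooted, now=t))
    print("expired token:", authorize_ephi_request(clean, now=t + TOKEN_TTL_SECONDS + 1))
```

The key design choice is that the mobile app never holds the API key or the signing key; the device only forwards a token it cannot forge, so a rooted device or a cloned build cannot self-report a clean state. Pair this with the dynamic pinning and incident-response points above: when a key or certificate is rotated after a breach, only the backend and attestation service need to change.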

Relevant links for the podcast:
• Approov Limited:
◦ Website: www.approov.io
• OWASP MASVS (Mobile Application Security Verification Standard): Provides guidelines for mobile app security
• NIST (National Institute of Standards and Technology): Cited in the context of incident response plans
• HHS 405(d) Program: Offers health industry cybersecurity practices
• Federal Trade Commission (FTC): Provides a guide for business security
• Department of Health and Human Services (HHS): Offers Cybersecurity Performance Goals (CPGs)
• ONC Health IT Certification Program: Maintained by the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC)
• Regulations.gov: For the plain-language summary of the proposed rule and posted comments:
◦ Go to https://www.regulations.gov and search for Docket ID number HHS-OCR-0945-AA22.