NIST has released a mobile application security guide to help organizations vet mobile applications before deploying them.
- Without the necessary mobile application security measures, a healthcare facility runs the risk of exposing sensitive data, such as patients’ protected health information (PHI). This is especially true with the increase in mobile usage at healthcare facilities, and more institutions implementing BYOD policies.
The National Institute of Standards and Technology (NIST) recently released “Vetting the Security of Mobile Applications” (Special Publication 800-163), a guide to help organizations vet mobile applications and properly assess the security and privacy risks associated with them.
“To help mitigate the risks associated with app vulnerabilities, organizations should develop security requirements that specify, for example, how data used by an app should be secured, the environment in which an app will be deployed, and the acceptable level of risk for an app,” the report’s authors explained in an executive summary. “To help ensure that an app conforms to such requirements, a process for evaluating the security of apps should be performed.”
Along with defining an app vetting process, NIST says it is essential to properly test any new mobile application. The guide describes this testing as analysis performed by services, tools, and human analysts, each of which produces vulnerability reports and risk assessments for the app.
From there, the organization must either approve or reject the application. This step consists of evaluating the investigative reports and risk assessments, together with any additional criteria that determine whether the app conforms to the organization's security requirements and whether it fits the organization's current mobile devices.
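The test-then-decide sequence described above can be made concrete with a small vetting script. The following is an added example, not code from the NIST guide: it runs a static "tool" check over an Android manifest, turns the results into a findings report with a risk score, and then applies a hypothetical set of organizational security requirements (a permission allowlist, hard-fail settings, and an accepted residual-risk threshold) to reach an approve or reject decision. Both manifests are constructed for the demonstration; the requirement values, finding identifiers and severity scores are assumptions an organization would replace with its own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SEVERITY_SCORE = {"high": 3, "medium": 2, "low": 1}  # assumed scoring, not NIST's

# Constructed sample manifest (not from any real app), as a vendor might ship it.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.patientportal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".RecordsViewer" android:exported="true"/>
  </application>
</manifest>
"""

# The same app after the findings below were resolved with the developer.
HARDENED_MANIFEST = (
    WEAK_MANIFEST
    .replace('android:debuggable="true"', 'android:debuggable="false"')
    .replace('android:allowBackup="true"', 'android:allowBackup="false"')
    .replace('android:usesCleartextTraffic="true"', 'android:usesCleartextTraffic="false"')
    .replace('<uses-permission android:name="android.permission.READ_CONTACTS"/>\n', '')
    .replace('<activity android:name=".RecordsViewer" android:exported="true"/>',
             '<activity android:name=".RecordsViewer" android:exported="false"/>')
)

# Hypothetical organizational security requirements, written down before vetting starts.
ORG_REQUIREMENTS = {
    "hard_fail": {"debuggable", "cleartext", "backup", "permission"},  # any such finding rejects
    "permission_allowlist": {"android.permission.INTERNET"},
    "max_risk_score": 2,  # residual risk the organization is willing to accept
}


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text, requirements):
    """Tool step: static checks on the manifest. Returns (id, severity, detail) findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name not in requirements["permission_allowlist"]:
            findings.append(("permission", "medium", "requests non-allowlisted %s" % name))
    app = root.find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append(("debuggable", "high", "android:debuggable=true ships a debuggable build"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("cleartext", "high", "android:usesCleartextTraffic=true permits HTTP"))
    if _attr(app, "allowBackup") != "false":
        findings.append(("backup", "medium", "android:allowBackup not disabled; app data is backup-extractable"))
    for comp in app:  # exported components with no intent-filter get a human look
        if _attr(comp, "exported") == "true" and comp.find("intent-filter") is None:
            findings.append(("exported", "low",
                             "%s %s exported without intent-filter; needs analyst review"
                             % (comp.tag, _attr(comp, "name"))))
    return findings


def vet_app(findings, requirements):
    """Approve/reject step: evaluate the findings report against the organization's requirements."""
    violations = [f for f in findings if f[0] in requirements["hard_fail"]]
    score = sum(SEVERITY_SCORE[sev] for _, sev, _ in findings)
    decision = "reject" if violations or score > requirements["max_risk_score"] else "approve"
    return {"decision": decision, "risk_score": score,
            "violations": violations, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("as shipped", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        report = vet_app(analyze_manifest(manifest, ORG_REQUIREMENTS), ORG_REQUIREMENTS)
        print("%s: %s (risk score %d)" % (label, report["decision"], report["risk_score"]))
        for fid, sev, detail in report["findings"]:
            print("  [%s] %s: %s" % (sev, fid, detail))
```

The two-function split mirrors the guide's separation of roles: the analyzer only reports what it sees, and the decision logic is where the organization's own requirements live, so changing the accepted permissions or risk threshold never requires touching the checks. The low-severity "exported" finding is deliberately not a hard failure; it is the kind of result that should be routed to a human analyst rather than decided by the tool.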
NIST set out five goals that it wanted its mobile application security guide to serve for organizations choosing an app:
- Understand the process for vetting the security of mobile applications
- Plan for the implementation of an app vetting process
- Develop app security requirements
- Understand the types of app vulnerabilities and the testing methods used to detect those vulnerabilities
- Determine if an app is acceptable for deployment on the organization's mobile devices.
Each healthcare organization is going to be different, and will likely require any chosen mobile applications to accomplish different goals. While the NIST guide consists of general guidelines for all types of industries, the healthcare sector can benefit from several key takeaways.
For example, the guide's authors stated that it is crucial for a facility to create a plan before it even begins the app vetting process. This can easily be aligned with the privacy and security requirements a healthcare organization must already adhere to.
“Before an organization can implement an app vetting process, it is necessary for the organization to first develop app security requirements, understand the limitations of app vetting, and procure a budget and staff for supporting the app vetting process,” stated the NIST guide.
Along with specifics on the app vetting process, the NIST guide also discusses how organizations can test new mobile applications. This includes, but is not limited to, general app security requirements, issues and recommendations surrounding the sharing of app information, and Android and iOS vulnerabilities.
“If an app is approved, procedures must be defined that specify how the approved app should be processed and ultimately deployed onto the organization's devices,” the guide’s authors explained. “Similarly, if an app is rejected, a procedure may specify the steps needed to identify an alternative app or to resolve detected vulnerabilities with the app developer. Procedures that define the steps associated with approving or rejecting an app should be included in the organization's app security policies.”