Keeping Mobile Health Apps Free from Bot Diseases

By 2026, Singapore will be a “super-aged” society, with 21% of the population aged 65 and above.

In anticipation of the changing demographic, the nation has begun to prioritise healthcare technology to encourage independent aging and reduce the workload on healthcare workers. Mobile health apps are bridging the gap between healthcare professionals and the citizens who need them.

Senior citizens have been the main target of these initiatives, and outreach programmes by volunteer groups have been arranged to encourage their adoption of health applications. Further to that, Singapore's Minister of Health, Ong Ye Kung, announced an extension of Medisave subsidies to include remote healthcare services. 

Despite this, mobile health apps are plagued by security risks that can expose patients to all manner of cyber threats. One such threat is bad (or malicious) bots that can obstruct treatments, expose sensitive information, and put patients' lives at risk. Given the critical role mobile health apps play in society, app makers should not delay reinforcing their protection measures so they can continue serving their communities.

Malicious bots and their effects on mobile health apps

Malicious bots are a form of malware created by cybercriminals to automate attacks, including fraud and data theft.

Because mobile health apps typically handle huge volumes of patient and healthcare data, they are a favorite target of cybercriminals. Now that the National Electronic Health Record (NEHR) system is ramping up in its efforts to set up a universal data system, the exposure to malicious attackers has increased. In the wrong hands, the network information that connects doctors and patients with the healthcare organization, including SSL certificates, API protocols, server addresses, and usernames can provide access to the backend server, making systems more vulnerable to malicious bot installations that enable attacks such as: 

Account Takeovers (ATOs)

This happens when hackers make use of stolen credentials to access an account to launch an additional attack. For healthcare industries, this could result in a loss of personal identifiable information (PII). 

Credential stuffing

This is a type of brute force attack where several combinations of usernames and passwords are automatically keyed into the system until a successful login is secured. Alternatively, hackers may create a fake application and attempt to impersonate a trusted partner of the data centre. Ultimately, the attacker’s goal is the data centre that holds the PII. 

On the patients' side, bot attacks can delay crucial and timely treatments, causing medical conditions to worsen or, in worst-case scenarios, spawn fatalities. They also increase the risk of sensitive data being stolen and abused in subsequent attacks, including patients' personally identifiable information (PII). For example, attackers can send fake phishing links via SMS or email, instructing the user to confirm their visit by filling out forms or downloading a bot-infected app.

These scenarios can potentially derail the nation’s agenda to revolutionise the healthcare sector through technology. Moreover, hospitals and clinics may feel fatigued from cyber threats and inconvenience caused by hackers such as having to put the NEHR on hold or being imposed with a temporary Internet surfing separation. Given that mobile health apps are one of the weaker links in the healthcare landscape, organizations need to provide them with the best protections possible to reduce the likelihood of cybercriminals successfully achieving their objectives.

Effective Bot Prevention Measures

Traditional anti-bot offerings have struggled to keep pace with the ever-changing techniques malicious bots employ to evade detection and maximize the amount of damage they can unleash. Some solutions even include bot defense methods that are only designed for web platforms and not mobile apps. To implement these methods, developers often need to modify the entire mobile network stack and limit their security capabilities, leaving large parts of the infrastructure vulnerable to malicious bots.  

What app makers need is a comprehensive mobile defense solution capable of stopping automated tactics with minimal engineering work needed to get them up and running. Mobile bot prevention measures should use application fingerprinting to identify legitimate requests and malicious ones originating from trojans and fake programs. They should also conduct pre-authentication processes to prevent Man-in-the-Middle tactics from detecting data in transit and anti-bot payloads.

As telehealth picks up in Singapore, our reliance on the mobility and interconnectedness enabled by mobile health apps can be exploited. Mobile apps connect host servers to perform tasks such as authentication, content downloads, and connection to other mobile resources. Mobile apps also connect to 3rd-party services embedded in the app, such as payment providers, analytics vendors, and location services. As a mobile app connects with the larger data ecosystem, hackers and malicious parties exploit weaknesses to conduct network-based attacks that target the backend. Mobile health apps can be a lifesaver for users who need emergency treatment and, therefore, cannot wait for transportation. With time being crucial to saving lives, cyber threats like malicious bots will only serve to disrupt healthcare professionals' capabilities. This is why mobile security is so important, as it enables doctors and specialists to concentrate more on helping their patients and worry less about hackers targeting them.