Mobile App Risks in Highly Regulated Industries
By Madeline Weiss
Since the introduction of the iPhone in 2007, mobile apps have enabled owners of smartphones to use their devices as personal computers. A 2013 Pew Research Center study determined that 63 percent of adult cell phone owners access the Internet from their mobile phones. By 2017, it is estimated that 87 percent of connected device sales will involve smartphones and tablets. Ericsson and Cisco estimate there will be 50 billion connected devices, including sensors, by 2020.
Companies continue to benefit financially from developing mobile apps for customer and employee use. Sales through eBay mobile apps doubled from $5 billion in 2011 to $10 billion in 2012. In fact, mobile transactions now represent 16 percent of eBay's total sales. Mobile-generated revenue from the iTunes store is $4 billion per quarter. Early results indicate that customers who use Walgreens' mobile app, which lets them print photos and coupons, transfer and refill prescription medications, and chat with pharmacy personnel, generate six times higher in-store sales than customers who only shop in store. According to recent research, mobile workers work up to 1.75 more hours per day than non-mobile workers. And mobile insurance adjusters handle approximately 7.4 more claims a week than their counterparts in an office.
The risks associated with mobile app deployment come from multiple sources, including networks, carriers, operating systems and apps. In June 2010, hackers exploited a vulnerability through AT&T that exposed e-mail and contact information of 114,000 iPad users. And in January 2014, it was reported that users' personal data in the Starbucks mobile app was stored in unencrypted plain text. Fortunately, a whole industry has developed to mitigate these myriad risks, thereby clearing the way for greater use of mobile apps across industries.
But companies in highly regulated industries, such as financial services, pharmaceutical, health-care and insurance, face additional risks that must be carefully navigated. Steep fines can be levied against these organizations if personal data are compromised.
Conforming With Regulations
Mobile apps deployed by financial and insurance companies in the U.S. must conform with regulations that mandate keeping records of all oral communications leading to the execution of swaps (Dodd-Frank), storing records in electronically readable format for five years (Commodities Futures Trading Commission Rule 1.31), adhering to securities industry guidelines on social media postings (FINRA), protecting privacy of information collected on customers (Gramm-Leach-Bliley), following ACH and EFT payment regulations (FDIC), and complying with individual state regulations.
Despite monitoring and controlling security vulnerabilities in their systems, many firms have not been able to keep up with cybercriminals. In 2013, the Citadel Trojan, one of the fiercest malicious attacks on online applications, evolved into Citadel-in-the-Mobile to attack Android devices: it installs itself on the device and intercepts the one-time passwords and authentication messages a bank sends to the mobile device. Today, developers attempt to mitigate these risks through practices such as back-end, risk-based authentication, detection of unusual activity or requests, and security features built into the app beyond what the platform provides. Ultimately, however, companies have no control over the mobile device itself. Although mobile app developers identify and patch security vulnerabilities, device owners may not update their apps or operating systems, thereby putting their devices and the information on them at risk.
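The back-end, risk-based authentication mentioned above can be illustrated with a small scorer. This is an added example, not code from the article or from any bank; the signals, weights, thresholds and the sample events are constructed assumptions chosen to show how a back end can treat an OTP that arrives suspiciously fast or from an unknown device as a reason to step up or block, which is the kind of check that blunts a phone-side trojan that relays intercepted one-time passwords.

```python
"""Risk-based authentication scorer (added illustration, not from the article).

Combines context signals a bank's back end already holds (known devices,
usual countries, typical amounts, OTP timing) into a score, then maps the
score to allow / step-up / block. All weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the back end has previously observed for one customer (constructed)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    typical_amount: float = 0.0


@dataclass
class Request:
    """One authenticated transaction attempt as seen by the back end (constructed)."""
    device_id: str
    country: str
    amount: float
    otp_seconds_to_submit: float  # seconds between OTP send and its submission
    otp_attempts: int             # failed OTP submissions earlier in this session


def risk_score(profile: UserProfile, req: Request) -> int:
    """Return an additive risk score; higher means more suspicious."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += 30  # unseen device: could be a cloned or freshly infected one
    if req.country not in profile.usual_countries:
        score += 25  # geography the customer has never transacted from
    if profile.typical_amount and req.amount > 5 * profile.typical_amount:
        score += 25  # amount far outside the customer's normal range
    # Malware relaying an intercepted SMS code submits it faster than a person
    # can read and type it; near-instant submission is treated as a signal.
    if req.otp_seconds_to_submit < 2.0:
        score += 20
    if req.otp_attempts >= 3:
        score += 20  # repeated failures suggest guessing or a replay gone wrong
    return score


def decide(score: int) -> str:
    """Map a score to an action; thresholds are assumptions for the example."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"  # e.g. out-of-band phone call or in-app push confirmation
    return "allow"


def evaluate(profile: UserProfile, req: Request) -> str:
    return decide(risk_score(profile, req))


if __name__ == "__main__":
    # Constructed profile and three constructed requests for demonstration.
    profile = UserProfile(known_devices={"dev-A"}, usual_countries={"US"}, typical_amount=100.0)
    normal = Request("dev-A", "US", 80.0, 15.0, 0)
    new_device = Request("dev-B", "US", 80.0, 12.0, 0)
    relayed_otp = Request("dev-B", "US", 900.0, 1.2, 0)
    for name, req in [("normal", normal), ("new device", new_device), ("relayed OTP", relayed_otp)]:
        print(f"{name}: score={risk_score(profile, req)} -> {evaluate(profile, req)}")
```

The decision is made on the server, where the trojan on the handset cannot see or alter it; the phone only supplies the signals. Weights would in practice be tuned from the institution's own fraud data rather than fixed as here.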
Mobile medical apps deployed by health-care companies must conform with regulations that set standards for use and disclosure of individuals' health information in order to ensure both patient privacy and quality of care (HIPAA), that require data breach notifications (HITECH), and that require adherence to guidelines set for medical devices (FDA).
Since many mobile devices and apps have substandard security protocols and safeguards, more U.S. federal agencies are stepping in to monitor and regulate them. Companies seeking to innovate through mobile health technology may need approvals from the FDA, as well as the FCC and the FTC. In May 2013, for instance, the FDA admonished Biosense Technologies Ltd of India for its urinalysis app uChek, which prompts customers to buy commercially available urinalysis pads that absorb urine and change color depending on the substances detected. Once the customer has completed the urine test, he or she sends a photo of the pad to uChek and is notified of the result based on the concentration of substances. According to the FDA, uChek needs its approval.
Protecting the Privacy of Children
The FTC has been increasingly concerned with the security of apps offered for children in the Google Play and Apple App stores. It found that children's apps siphon vast amounts of information from mobile devices such as device ID, geolocation and phone number. Of the apps surveyed by the FTC, almost 60 percent transmitted information accessed from the user to advertisers, analytics companies and other third parties. In 2013, operators of the mobile app Path were fined $800,000 by the FTC for deceptive and misleading conduct in collecting personal information. For this and other reasons, the FTC is expected to become a more engaged regulatory force in protecting consumer privacy.
Vulnerabilities due to the rapid growth of social media services like Facebook, Twitter, Instagram and YouTube must be considered as well. Although many of these services were launched for a desktop audience, they have quickly become one of the primary uses of smartphones with over 85 percent penetration. Of the one billion Facebook users, 200 million are mobile only.
Health insurance companies use social media, health gaming apps and other mobile health apps to increase users' engagement in their own health care. For example, Blue Cross Blue Shield's health challenge app, MeYouHealth, seeks to encourage positive behavior change through gamification and social interaction. The app encourages healthy behavior change by giving users small challenges to complete that they can share with friends on Facebook and Twitter. When apps are merged with social networks, they routinely request permission to access data from a user's device, or they list the data they intend to access as part of the terms and agreements for downloading the app. In most circumstances, users cannot select which of those terms they agree to. And even unused apps access data that users thought were private. Moreover, mobile apps that allow for easy authentication between apps may introduce additional data leakage risks through unintended posts to social networks.
Each company, and most especially those in highly regulated industries, should decide how best to handle risks in light of penalties for non-compliance. Even large companies such as Apple have had to reevaluate their security practices after, in 2013, scientists created malware that managed to bypass every security measure Apple had installed to protect users. Waiting until an attack or penalty occurs is not a sound strategy, especially in an age where reputational risks can be so costly.
See also the report by SIM's Advanced Practices Council titled "Mobile App Development in Highly Regulated Industries: Risks, Reward and Recipes."
About the Author
Madeline Weiss, Ph.D., is director of the Society for Information Management's Advanced Practices Council, a research-based program for CIOs and senior IT executives.
Her previous article for CIO Insight is "What a Difference Agile Development Makes."