NIST Offers Guidance on Mobile App Security

A guide from the National Institute of Standards and Technology provides organizations, including health care ones, with information they need to assess security and privacy risks associated with mobile apps.

NIST and mobile apps

A new publication released by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, provides guidance for organizations seeking to maintain security as employees move their work and applications to mobile devices such as smartphones and tablets.

The guide, Vetting the Security of Mobile Applications, provides organizations, including health care groups, with information they need to assess the security and privacy risks associated with mobile apps, whether developed in-house or downloaded from mobile app marketplaces.

For health care organizations, the guide is intended to aid any that use mobile apps to access or collect patient information, Tom Karygiannis, a NIST computer scientist, told eWEEK. "Patients may be interested in what kind of personal data is being collected and shared with third parties by personal health care monitoring apps," Karygiannis said. "Doctors, pharmacists, nurses, administrators and insurers accessing and collecting patient health care data all have an obligation to protect this data and share it only with authorized parties."

The guide applies to apps that are downloaded from app stores, that are developed for internal use, and that are developed by health care providers and offered to the public.

Karygiannis warned that security weaknesses in an app can expose a health care provider's IT resources as well as an individual patient's personally identifiable information.

NIST noted that smartphone and tablet users have access to a great number of installable programs—commonly known as mobile apps—that are designed to make their lives easier, but an employee who downloads an unsafe app may unwittingly expose his or her organization's computer network to security and privacy risks.

The publication also serves as a guide for developers seeking to understand the types of vulnerabilities that can be introduced during an app's software development cycle.

The guide offers plans for implementing the vetting process and considerations for developing app security requirements. It also describes the types of app vulnerabilities and the testing methods used to detect them, and provides guidance for determining whether an app is acceptable for an organization to use.

"Our guidance document explains that each organization has a different mission and can tolerate different levels of risk. First responders, for example, may be dealing with life-threatening situations, which may make security issues a secondary concern, but at the same time they are handling very sensitive patient information that needs to be carefully protected," Karygiannis said. "Military personnel have similar concerns, but instead of patient information, they may need to secure tactical information."

Office workers, he explained, may have access to sensitive information, but may also have a number of additional security technologies available to them to help mitigate any potential risk.

"So it ultimately depends on the context. The goal of the guidance document is to help those responsible for making the decision on whether or not to use the app make an informed decision," Karygiannis said. "We have also evaluated most of the commercial automated mobile app testing tools to make sure the tests we recommend in the guidance document can be performed, for the most part, in an automated and repeatable way because most organizations may not have the in-house software assurance expertise to assess the mobile apps."