The NHS Digital Apps Library utilized rigorous vetting procedures to ensure the Library’s mobile applications were fit for purpose and met appropriate criteria (i.e., health merits, accessibility, technical stability, security and privacy). They leveraged Kryptowire’s automated mobile application security and privacy testing solution and realized significant benefits in time and cost-savings.
Around the world, end users continue to adopt a mobile-first approach to technology, and the world of healthcare offers no exception. As more patients, caregivers, and professionals rely on phones and tablets to live and work, the need for strategic and proactive mobile application security measures has grown in lockstep. Patient health information has been a prime target for hackers in recent years, with several high-profile security breaches making global news. Rather than play catch-up against bad actors, healthcare application developers, device managers, library hosts, and other cybersecurity stewards should rigorously search for and patch detectable vulnerabilities.
We had the privilege of partnering with the National Health Service (NHS) to help validate their digital apps library, helping safeguard patients, clinicians, health and social care workers across the country. Using our proprietary, end-to-end, closed-loop security engine, we rapidly assessed applications in the library against stringent standards established by the NHS, as well as helped the NHS locate specific, potential issues relating to COVID-19 apps.
Here’s a short overview of how we did it, as well as some lessons learned for healthcare technology leaders. If you want to learn more, download the official whitepaper.
The ask: assess the security and privacy of the NHS Digital Apps Library – and do it efficiently
Prior to working with Kryptowire, the NHS Digital Apps Library managers developed a set of criteria for all applications in its library. A hosted application needs to be safe and secure to use, providing evidence of clinical safety, security, and technical stability.
To facilitate validation, the Library team developed the Digital Assessment Process (DAP), which included a Digital Assessment Questionnaire (DAQ) to be completed by submitting developers. Completed DAQs were assessed by the Library development team and associated personnel, including a clinical panel, security personnel, and technical stability experts.
Although this process proved rigorous, the length of time required to complete a given DAP-based validation varied considerably on reviewer availability, the app’s technical complexity, and the results of initial findings. To continually improve the DAP and reduce the time and cost associated with publishing apps, the NHS engaged Kryptowire to provide a highly-efficient, cost-effective security and privacy solution.
The solution: rapid, automated, standards-based analysis
Kryptowire has developed a proven, proprietary, cloud-based solution for mobile application and device security. Our automated engine utilizes Static Analysis, Dynamic Analysis, Behavioural Analysis, Forced Path Execution, and other proprietary functions to deliver comprehensive, auditable, and repeatable results. The NHS partnered with us to automatically scan Library apps for security and privacy vulnerabilities, provide detailed reporting on identified issues, and to reduce the total time required for an application to clear the validation process.
Following a successful Pilot, the NHSD Apps Library Team utilized Kryptowire to analyze the security and privacy of the Library’s apps.
- The average time taken for validating the apps’ compliance against stringent standards was 36 minutes.
- App updates ranged from 2 to 25 times.
All scans were completed against the NHS’s specific standards. To inform NHS decision-making, we provided a dashboard including high-risk results to help triage remediation activity. Evidence provided included issue location, impact, links to relevant standards, and remediation advice. Additionally, on a daily basis, our watchlist facility automatically scanned the app stores to look for updates to the published apps, factoring materially relevant update information into regular reporting.
Key benefits and lessons learned
Beyond improving the security and privacy posture of the Library’s many apps, Kryptowire’s approach saved the NHS significant time and resources, removing considerable amounts of manual review and delivering high speed against stringent standards.
Along the way, we demonstrated several principles relevant to mobile application and device security in the healthcare space:
- Application validation is essential. Manually validating applications against security and privacy standards, at scale and factoring update timing, is slow, expensive, and less rigorous compared to automated validation.
- Standards-based reporting improves quality. Creating a validation process that includes and factors a comprehensive range of technical and regulatory standards leads to better outcomes overall.
- Continuous review of updates is crucial. As development cycles speed up and updates roll out more frequently, an automated way to audit application content against established standards is important for maintaining momentum in the cybersecurity battle.
Discover more about Kryptowire:
Kryptowire’s end-to-end security and privacy monitoring platform helps developers and enterprises, including those in healthcare, take full advantage of modern, mobile technologies without putting their organization or patient’s privacy at risk. Kryptowire’s platform provides closed-loop, automated vulnerability and compliance analysis that prioritizes the protection of sensitive data, supporting security and privacy across end-user devices. Our mission is to make world-class security and privacy capabilities more accessible to innovators and communities worldwide, benefiting patients, teams, and stakeholders and creating a safer, more secure future for all. Learn more at kryptowire.com.
