Platform Usage / Protected Health Information Was Detected on the System
Protected Health Information (PHI) is personal health information that is subject to specific laws and regulations protecting the privacy of individuals. It includes medical history, diagnosis and treatment information, personal details such as name and address, and financial information. The vulnerability occurs when PHI is stored on a mobile device or in a mobile app without adequate security measures in place, such as encryption or authentication, leaving the data exposed to unauthorized access and manipulation. This vulnerability is classified as CWE-312: Cleartext Storage of Sensitive Information (https://cwe.mitre.org/data/definitions/312.html) and it is listed in OWASP Testing Guide v3 as Test ID A9.11 (https://www.owasp.org/index.php/Testing_for_Sensitive_Data_in_Storage_(OTG-STOR-002)).
The risk of this vulnerability is that it exposes PHI to malicious actors, or to any user who can access the data through the mobile device or app. This can lead to the theft or misuse of sensitive data, including financial information, and to significant legal and financial consequences for organizations that handle PHI.
The best solution to this vulnerability is to encrypt data stored on mobile devices and in mobile apps. Encryption ensures that the data is readable only by those holding the appropriate keys or passwords. Additionally, authentication measures such as two-factor authentication can be used to protect access to the data.
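The following is an added example, not code from the original finding or from any app it describes, showing the two storage patterns side by side: a PHI record serialised to device storage in cleartext (the CWE-312 pattern) and the same record sealed with AES-256-GCM before it is written, plus the check a reviewer would run over on-device storage to confirm no PHI field survives verbatim. The record contents are constructed sample values, storage is modelled as a returned byte slice instead of a file, and the key is assumed to be supplied by the platform keystore rather than stored next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PHIRecord is a constructed sample of the data class this finding covers.
type PHIRecord struct {
	PatientName string `json:"patient_name"`
	Diagnosis   string `json:"diagnosis"`
	CardNumber  string `json:"card_number"`
}

// storeCleartext is the vulnerable pattern: the record is serialised as-is into
// app storage. Anyone who can read the file (backup, rooted device, debug
// bridge) reads the PHI directly.
func storeCleartext(rec PHIRecord) ([]byte, error) {
	return json.Marshal(rec)
}

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key. The key is assumed to
// come from the platform keystore; it must never be written beside the blob.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// storeEncrypted is the hardened pattern: serialise, then seal with AES-GCM so
// the blob is unreadable without the key and any tampering fails on load.
// Layout of the returned blob: nonce || ciphertext || GCM tag.
func storeEncrypted(rec PHIRecord, key []byte) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per write
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// loadEncrypted reverses storeEncrypted. A wrong key, a truncated blob or a
// modified byte all surface as an error instead of silently bad data.
func loadEncrypted(blob, key []byte) (PHIRecord, error) {
	var rec PHIRecord
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("stored blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(pt, &rec)
}

// containsCleartextPHI is the storage check: does the blob on disk contain any
// PHI field verbatim? True means the CWE-312 condition is present.
func containsCleartextPHI(blob []byte, rec PHIRecord) bool {
	for _, field := range []string{rec.PatientName, rec.Diagnosis, rec.CardNumber} {
		if field != "" && bytes.Contains(blob, []byte(field)) {
			return true
		}
	}
	return false
}

func main() {
	rec := PHIRecord{PatientName: "Jane Doe", Diagnosis: "Type 2 diabetes", CardNumber: "4111111111111111"}
	key := make([]byte, 32) // stand-in for a keystore-backed AES-256 key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	plain, _ := storeCleartext(rec)
	sealed, _ := storeEncrypted(rec, key)
	fmt.Println("cleartext storage exposes PHI:", containsCleartextPHI(plain, rec))
	fmt.Println("encrypted storage exposes PHI:", containsCleartextPHI(sealed, rec))
	back, err := loadEncrypted(sealed, key)
	fmt.Println("round trip:", back == rec, err)
}
```

The check in `containsCleartextPHI` is deliberately simple: on a real assessment the same idea is applied to the app's private directory, shared preferences, SQLite files and backups, looking for known test-patient values. The encryption side only helps if the key lives in the platform keystore and is released after authentication; a key hard-coded in the app or saved beside the blob reproduces the finding.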
For example, the CVE-2020-14246 vulnerability in the Android app “Nest” exposes PHI stored in the app when the user has not enabled encryption. The exploit allows a local attacker to access the data through a reverse-engineering attack.