Securing Mobile Healthcare Apps

Data Theorem helped Eko Health recognize overall mobile security posture and identify contributing factors in the full stack. Eko is now confident about the security of their app releases.

Eko Health
Industry
Healthcare
Location
Oakland, CA

The Company

Eko's suite of machine learning algorithms equips providers and health systems with a powerful new ally for detecting heart disease. Eko’s device and mobile app help record, play back, live stream, and share patient body sounds and ECGs. Eko connects the clinician's stethoscope to the cloud for an advanced, HIPAA-compliant auscultation experience.

The Challenge

Eko Health needed an “always-on” solution to prevent application security data breaches. While manual pen-tests, security tools, and open source filled some gaps, none of them were designed to support developers and DevOps teams full time within the CI pipeline. Initially, the team was seeking a vendor to work with on mobile security. Recent survey data from TechRepublic found that 67 percent of IT professionals believe current mobile defenses aren’t keeping pace with new threats. This matters because 83 percent of those surveyed also said their own companies are at risk of mobile attacks. Eko Health wanted to get ahead of threats, but also to find a solution that is easy to integrate, provides quick results, and is constantly innovating.

The team spent time building their own solutions and evaluating open source options. They lost cycles getting those tools to function properly and accurately, and to scale with the business. Ultimately, the slow results, cumbersome tasks, and lost productivity led them to seek faster discovery and auto-remediation. In 2020, the challenge of managing moving targets in healthcare, together with the need to reduce re-work for developers, led them to Data Theorem.

The Solution

While working with Data Theorem to build out their mobile security strategy, the Eko Health team was very interested in taking a holistic approach to their application security stack. The more they learned about API, single-page web app, and cloud vulnerabilities, the clearer it became how those ultimately affect mobile security posture. The team started with a short trial period to test out the product and discover potential vulnerabilities. A clear win for the team was seeing the seamless integrations in action. “Previous mobile security scanners would generate a lot of false positives; we use Data Theorem to provide us actionable vulnerabilities that we feel good about fixing," stated Daniel Barbosa of the Machine Learning Group. Now that the Eko Health team is a customer, their security results are actionable and used by the web, mobile, and IT development teams.

Data Theorem’s ASM and full stack platform helped Eko Health protect sensitive data (non-public personal information), confidential data (personally identifiable information), and regulated data (PCI, GDPR) within web, mobile, API, and cloud applications. Furthermore, by baking the platform into the DevSecOps pipeline, Data Theorem’s Secure Code and Auto-Remediation scripts, leveraged via Jenkins, App Center, JIRA, Slack, Teams, AWS, GCP, and Azure, provide security coverage 24/7/365.

The Results

Zero Approach

Data Theorem “requires”, as much as an external vendor can, that all customers have zero P1 security issues, zero App Store/Google Play blockers, and zero 3rd party SDK/OSS issues. Data Theorem scans for critical (P1) security issues on a daily basis, so Eko learns about any showstoppers in its pre-production environment and also about “zero-days” in the wild that affect its production apps.

Scanning 3rd party SDK & Open Source Libraries

Data Theorem’s ability to scan 3rd party SDKs and open source libraries allowed Eko to shed light on an attack surface that would otherwise be a blind spot. While Eko has several processes to ensure its own code is written securely, it cannot apply the same processes to 3rd party SDKs or libraries embedded in a mobile app.

Secure Code for Developers

Data Theorem was the only vendor evaluated that also offers “Secure Code” directly to developers to help fix identified security issues. This lets Data Theorem's customers reduce the time and resources required to fix an issue. Data Theorem can continuously monitor, scan, and fix mobile application security, at scale, with a solution that has a negligible impact on speed and performance.

Statistics

APPS (WEB, MOBILE, API, CLOUD): 428

PERCENTAGE OF RELEASES TESTED INCLUDING PRE-PRODUCTION: 100%

COMPLIANCE (FEDRAMP, SOC2, PCI, HIPAA):

DEVELOPER CHANGES PER MONTH (AVG): 815

ISSUES FOUND & FIXED PER MONTH (IN PRE-PROD): 6

We look forward to Data Theorem’s continued push into API, Web, and Cloud security to give us security visibility into our entire stack.