The U.S. National Institute of Standards and Technology (NIST) has published two data-security-focused documents in as many months.
In June 2018, NIST published guidance on assessing the security requirements for controlled unclassified information (NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information).
In July 2018, NIST Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, was published, offering a practical guide to meeting the specialized security and privacy obligations that come with managing health records on mobile devices.
Not surprisingly – in fact, reassuringly – both include increasingly prescriptive obligations for application developers. In particular, the recommendations and guidelines continue to stress the importance of including anti-tamper and rooted device detection and response controls – core features of application hardening solutions (like PreEmptive’s Dotfuscator and DashO). A few trends are worth noting.
The referenced NIST documents are long – and even longer if you also review all of the supporting documents. For illustration, here are a few excerpts that highlight these trends (the parenthetical comments after each excerpt are my additions).
800-171A Assessing Security Requirements
3.13.13 SECURITY REQUIREMENT Control and monitor the use of mobile code. (downloading unauthorized code or running tampered code; note that NIST uses "mobile code" for code obtained from a remote system and executed locally without explicit installation, such as scripts and applets, so the requirement concerns the code, not the device it runs on)
ASSESSMENT OBJECTIVE Determine if:
3.13.13[a] use of mobile code is controlled.
3.13.13[b] use of mobile code is monitored.
3.14.4 SECURITY REQUIREMENT Update malicious code protection mechanisms when new releases are available. (bad actors invest in evading root detection and other detective controls – continuous improvement is required here in much the same fashion as anti-virus software)
ASSESSMENT OBJECTIVE Determine if malicious code protection mechanisms are updated when new releases are available. (included later is the obligation to respond – both in real-time and in logging when detected)
1800-1A Executive Summary: Securing Electronic Health Records on Mobile Devices
Our risk assessments focused on identifying threats that might lead to: (they focus on exploits that lead to operational, financial and legal jeopardy)
Based on our risk assessment, the major threats to confidentiality, integrity, and availability with respect to EHRs using mobility are:
Do not be lulled into complacency. Protect and secure your applications. Even if you don’t do business with the US federal government, don’t need to meet HIPAA requirements, or aren’t focused on mobile apps, these obligations are crystallizing across financial, supply chain, and general risk frameworks with each passing day. Every development organization must have a well-documented set of controls and processes to prevent, detect, and respond to runtime attacks and environmental compromises. Are you prepared to demonstrate your viability to business owners, regulators, investors or your customers?
Our implementation of anti-tamper, anti-debug, rooted device, and other real-time checks has been focused on these exact demands. Want to know more? Contact sales (or, if you’re a client, support) – or review these blogs/articles
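To make the prevent/detect/respond pattern concrete, here is an added illustration; it is not code from PreEmptive, Dotfuscator, DashO, or any NIST publication, and it is written in platform-neutral Python so it can be run anywhere rather than on a handset. The file paths, root-indicator list, HMAC key, and log messages are hypothetical. It pairs a signed hash manifest (tamper detection) with a data-driven root-indicator list (refreshable on a release cadence, which is the point of 3.14.4) and a response step that logs every finding and refuses to keep running code whose integrity check failed.

```python
# Added illustration of the prevent/detect/respond pattern; not code from
# PreEmptive, Dotfuscator, DashO or any NIST publication. File paths, the
# indicator list, the key and the log format are hypothetical.
import hashlib
import hmac
import json
import logging
import os
from dataclasses import dataclass
from typing import Callable, Dict, List

log = logging.getLogger("runtime_checks")

# Root/jailbreak indicators are data, not code, so they can be refreshed each
# release (3.14.4) without re-hardening the whole application. Path checks like
# these are heuristics and are hidden by root-concealment tools; treat a clean
# result as "nothing observed", not as proof of a trustworthy host.
ROOT_INDICATOR_PATHS = [
    "/system/xbin/su", "/system/bin/su", "/sbin/su",
    "/system/app/Superuser.apk", "/data/local/tmp/frida-server",
]
TEST_BUILD_TAG = "test-keys"  # Android builds signed with the public AOSP keys


@dataclass
class Environment:
    """Host access behind callables so the checks run on a real host or on constructed data."""
    exists: Callable[[str], bool]
    read_bytes: Callable[[str], bytes]
    build_tags: str = "release-keys"


def real_environment(build_tags: str = "release-keys") -> Environment:
    """Wire the checks to the actual filesystem; the caller supplies the build tags."""
    return Environment(os.path.exists, lambda p: open(p, "rb").read(), build_tags)


def fake_environment(files: Dict[str, bytes], build_tags: str = "release-keys") -> Environment:
    """Constructed in-memory host for exercising the checks offline."""
    return Environment(lambda p: p in files, lambda p: files[p], build_tags)


def hashes_for(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build-time step: SHA-256 of every protected artifact, keyed by install path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def sign_manifest(hashes: Dict[str, str], key: bytes) -> bytes:
    """Serialize the hashes and append an HMAC so an attacker who patches a file
    cannot simply rewrite the manifest to match. A key embedded in the binary is
    only as secret as the binary is hard to reverse, which is why this check is
    paired with obfuscation and anti-debug controls rather than used alone."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load_manifest(blob: bytes, key: bytes) -> Dict[str, str]:
    """Verify the HMAC before trusting any hash in the manifest."""
    body, _, mac = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("manifest signature mismatch")
    return json.loads(body)


def check_integrity(env: Environment, manifest: Dict[str, str]) -> List[str]:
    """Return paths that are missing or whose current SHA-256 differs from the manifest."""
    bad = []
    for path, digest in manifest.items():
        if not env.exists(path) or hashlib.sha256(env.read_bytes(path)).hexdigest() != digest:
            bad.append(path)
    return bad


def check_root(env: Environment) -> List[str]:
    """Return the root indicators observed on the host."""
    found = [p for p in ROOT_INDICATOR_PATHS if env.exists(p)]
    if TEST_BUILD_TAG in env.build_tags:
        found.append(f"build_tags={env.build_tags}")
    return found


def runtime_self_check(env: Environment, manifest_blob: bytes, key: bytes) -> dict:
    """Detect, then respond: log every finding and return a decision.
    'allow' is False whenever code integrity cannot be established (do not run
    tampered code). A rooted host alone is logged and reported so the caller can
    degrade functionality (for example refuse to cache records locally)."""
    result = {"manifest_ok": True, "tampered": [], "root": []}
    try:
        manifest = load_manifest(manifest_blob, key)
    except ValueError as exc:
        log.error("integrity: %s", exc)
        result["manifest_ok"] = False
        return {**result, "allow": False}
    result["tampered"] = check_integrity(env, manifest)
    result["root"] = check_root(env)
    for path in result["tampered"]:
        log.error("integrity: %s does not match signed manifest", path)
    for indicator in result["root"]:
        log.warning("environment: root indicator observed: %s", indicator)
    return {**result, "allow": not result["tampered"]}
```

The logging calls are the detective half of the control and the returned decision is the responsive half; in a real deployment the log sink would be a tamper-evident channel rather than the device's own log, since a rooted host can edit local logs as easily as it edits the binary.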
Resources
Other NIST Publications