Pentesting of a Web Platform and Mobile Apps for a Remote Patient Monitoring Vendor
The Customer is the provider of an all-in-one solution for managing chronic diseases. They deliver remote patient monitoring and care management to increase patient satisfaction and enhance treatment outcomes.
As the Customer’s software collects, stores, and processes personal health information (PHI), they need to ensure that this sensitive data is protected as required by HITRUST CSF and HIPAA. To perform annual pentesting of their web portal and the corresponding iOS and Android apps, the Customer was looking for a penetration testing provider with deep expertise in the healthcare industry.
To balance testing coverage against speed, ScienceSoft suggested conducting the penetration tests according to the gray box model. The Customer provided ScienceSoft’s team of 3 security testers with credentials for testing under different user roles (a patient, a healthcare provider, and a system administrator).
To conduct pentesting of the Customer’s web platform and mobile apps, ScienceSoft’s security experts relied on the OWASP Web Security Testing Guide and the NIST SP 800-115 methodology. The testing began with automated scanning of the testing targets to detect as many vulnerabilities as possible. It was followed by manual validation and exploitation of the vulnerabilities to analyze their potential impact.
ScienceSoft’s testers evaluated the overall security level of the platform and mobile apps as medium. Our team identified security issues in the testing targets that could potentially enable unauthorized access to sensitive information or to the IT infrastructure of the healthcare providers that use the platform. Among the security misconfigurations we discovered were insecure access control functionality, insecure app-to-server communication in the Android app, and a missing HTTP Strict Transport Security (HSTS) policy.
ScienceSoft’s security team described the corrective measures needed for the discovered vulnerabilities, e.g., limiting the number of registration attempts from a single IP address and restricting access to software functionality according to user roles.
The pentesting project took 19 days from planning and preparation to execution and reporting.
The Customer received a detailed report describing the pentesting process, its findings, and the recommended corrective measures for the detected security issues. The report served as actionable guidance for the Customer in fixing the revealed vulnerabilities. As tangible proof of the Customer’s proactive approach to PHI protection, the report also became a valuable contribution to the company’s compliance documentation.
After the Customer fixed the detected security issues, retesting by ScienceSoft confirmed an increased security level of the platform and mobile apps.
Technologies and Tools
Metasploit, Wireshark, Nessus, Burp Suite, Acunetix, Nmap, dirb, custom scripts (Python, C, and Perl scripts to exploit vulnerabilities).