MV provides complete, end-to-end digital healthcare solutions and operates a B2B business model. There are about 2 thousand institutions using MV solutions to deliver efficiency, agility, precision and security in the provision of healthcare services.
Among MV’s many mobile apps, the Medic MV app is at the heart of the demand for solutions that give physicians maximum flexibility. It facilitates access to patient information inside and outside the point of care, making required medical records easier to reach, improving the efficiency of communication and supporting the highest quality of medical workflow.
Getting the app and API protection wrong in the MV Medic app was not an option. The recent Brazilian Personal Data Privacy Regulation (LGPD) legislation means that our healthcare institution customers could suffer from significant fines if we didn’t meet our security goals.
Tiago Calado, Software Development Manager, MV
Before the MV Medic app was released to production and deployed, an independent third-party pentest was carried out. The results of the pentest indicated that an additional security layer was needed to protect API access from scripts which impersonated genuine app traffic and which used genuine user credentials.
Even though MV had already implemented many security mechanisms in the app and at the API endpoints, the sensitivity of the Protected Health Information (PHI) accessible from the apps demanded additional security measures before the MV Medic app could be deployed at scale.
The team took on board the pentesting results and set about the task of finding a suitable protection system which would ensure that only genuine and unmodified mobile app instances could access sensitive data such as PHI via the API.
MV trialed Approov, measured how much bad traffic it could reject, and deployed the new security layer. Further pentests proved that the previously identified weakness had been fixed and that production release of the mobile app could go ahead as planned.
Approov plugged an immediate API security hole which pentesting had exposed in our platform, and we calculate that the adoption of Approov will bring us a 10x RoI considering lost sales and the cost of an internal development. In fact, we are so convinced by the need for leading-edge security that we are now planning to add Approov into all of our healthcare apps.