This week, Hacking Healthcare™ explores how the EU’s Digital Markets Act may have a negative effect on healthcare cybersecurity. Specifically, we examine how provisions relating to mobile apps and app stores could unintentionally lead to increased risk for the EU’s mobile ecosystem and organizations that take advantage of bring your own device (BYOD) policies. We also consider actions Health-ISAC members may want to take to limit this risk.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
TLP WHITE - 2.23.2024 -- Hacking Healthcare™
Welcome back to Hacking Healthcare™.
EU Digital Markets Act May Raise Mobile Cybersecurity Risk
The EU has pursued several significant legal and regulatory efforts with cybersecurity and privacy implications over the past few years. While many of you will be familiar with the revision to the Network and Information Security (NIS) Directive and the Cyber Resilience Act (CRA), fewer are probably as familiar with the Digital Markets Act (DMA). While not directly aimed at healthcare organizations, certain provisions within the text could negatively impact healthcare entity cybersecurity and are worth exploring in more depth.
What is the DMA?
The DMA is described by the European Commission as a “law to make the markets in the digital sector fairer and more contestable.”[i] At face value, the DMA is an attempt to level the digital playing field in ways that may help drive marketplace innovation and competition while providing the benefits of competition, such as lower prices and product/service choice, to consumers.
How does the DMA Accomplish its Goals?
The primary mechanism at work is the identification and regulation of “Gatekeepers,” which the European Commission describes as “large digital platforms providing so called core platform services, such as for example online search engines, app stores, messenger services.”[ii] In practice, the DMA is scoped in such a way that it primarily targets US technology giants like Alphabet, Amazon, Apple, Meta, and Microsoft.[iii] However, the DMA also applies to ByteDance, and the list of Gatekeepers is subject to change.
A Blow to Mobile Cybersecurity?
The designation of Core Platform Services and Gatekeepers ultimately puts the Apple App Store, Google Play Store, Google Android operating system, and Apple iOS operating system in scope for coverage by the DMA. This means that Apple and Google, whose mobile phones, operating systems, and app stores dominate the mobile market, must adhere to the various applicable provisions within the DMA.
For our purposes, we are going to focus on two provisions that seem all but certain to negatively impact the mobile cybersecurity ecosystem. Under Article 6, “Obligations for gatekeepers susceptible of being further specified under Article 8,” are the following provisions:[iv]
- 6.4. The Gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that Gatekeeper.
- 6.7. The Gatekeeper shall allow providers of services and providers of hardware, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same hardware and software features accessed or controlled via the operating system or virtual assistant listed in the designation decision pursuant to Article 3(9) as are available to services or hardware provided by the gatekeeper.
These provisions essentially require Gatekeepers like Google and Apple to open up their mobile ecosystems so that mobile users can more easily access third-party apps and app stores. They also require that third-party apps be able to access the same kinds of hardware and software features that might otherwise be reserved for trusted first-party apps.
Let’s analyze the security ramifications of these provisions, put them in a broader policy context, and make some recommendations for how Health-ISAC members may be able to mitigate some level of risk created by these DMA provisions.
Action & Analysis
**Included with Health-ISAC Membership**
Congress
Tuesday, February 20
No relevant hearings
Wednesday, February 21
No relevant meetings
Thursday, February 22
No relevant meetings
International Hearings/Meetings
No relevant meetings
EU
[i] https://digital-markets-act.ec.europa.eu/about-dma_en
[ii] https://digital-markets-act.ec.europa.eu/index_en
[iii] https://digital-markets-act.ec.europa.eu/gatekeepers_en
[iv] https://eur-lex.europa.eu/eli/reg/2022/1925
[v] https://play.google/intl/en_au/developer-content-policy/
[vi] https://developer.apple.com/app-store/review/guidelines/
[vii] https://arxiv.org/pdf/2010.10088.pdf
[viii] https://eur-lex.europa.eu/eli/reg/2022/1925
[ix] https://www.apple.com/newsroom/2024/01/apple-announces-changes-to-ios-safari-and-the-app-store-in-the-european-union/
[x] https://www.apple.com/newsroom/2024/01/apple-announces-changes-to-ios-safari-and-the-app-store-in-the-european-union/
[xi] https://www.pymnts.com/news/regulation/2024/competitors-say-apples-plans-dont-comply-with-digital-markets-act/
[xii] https://arstechnica.com/security/2024/02/a-password-manager-lastpass-calls-fraudulent-booted-from-app-store/