Skip to content Skip to navigation

Mobile Device Security Often the Weakest Link in Healthcare Security Chain, Study Finds

April 5, 2016
by Heather Landi
| Reprints
Click To View Gallery

Eighty percent of physicians use their mobile devices to assist in their day-to-day practice and 28 percent store patient data on their mobile devices, yet these devices can be prime targets for cyber criminals, according to a new Mobile Threat Intelligence Report.

The report, released by Skycure, found that in a single month, one in five (22 percent) of mobile devices will be at risk of a network attack. This figure nearly doubles (to 39 percent) after four months, which signifies that the percentage of doctors who use mobile devices to assist their day-to-day practice are exposed to network threats that significantly increase over time, according to the report.

In 2013, 8 percent of doctors used mobile devices to manage in-patient data, and that number grew to 31 percent by 2014, according to a previous Black Book Market Research report. Today, 70 percent of doctors use mobile devices to manage in-patient data.

"The mobile phone is the best surveillance device in history,” Jim Routh, CSO at Aetna, said in a statement. “Each device is a potential attack target for personal data, company data, and, in the healthcare industry, the private medical and health information of patients and customers. It’s imperative that both mobile users and their employers understand the risk and how to stay safe."

In addition to network threats, mobile devices continue to be plagued by malware. The Mobile Threat Intelligence Report, which is based on worldwide mobile data from Skycure and third-party sources, reports that more than four percent of all Android devices were found to be infected with malicious apps. The report also found that 27.79 million devices with medical apps also potentially have at least one high-risk malware, yet 65 percent of doctors share patient data via SMS text message and 33 percent via Whatsapp.

The U.S. Department of Health and Human Services has reported that were more than 260 major healthcare breaches in 2015, and nine percent of those breaches involved a mobile device other than a laptop.

Within healthcare, the report cites statistics from other sources that 43 percent of doctors use their mobile devices as the primary screen to access patient data—53 percent use tablets and 37 percent using phones. And, the Skycure report found that, within healthcare, 11 percent of mobile devices are running an outdated operating system with high-severity vulnerabilities and might have stored patient data on them. In addition, 14 percent of mobile devices containing patient data likely have no passcode to protect them.

More than two in every hundred mobile devices in every industry are high risk, according to the Skycure Mobile Threat Risk Score—meaning they’ve already been compromised or are currently under attack, the report states. Nearly 44 percent of mobile devices are medium to high risk. The Skycure risk score takes into account recent threats the device was exposed to, device vulnerabilities and configuration, and user behavior, the report stated

In a blog post about the research, Abi Sharabani, CEO of Skycure, wrote, “Some healthcare leaders do not fully understand the stark differences between protecting traditional endpoints from mobile endpoints. In short, smart devices are seen by the hacker community as the most vulnerable of gateways to sensitive data (HIPAA-protected patient data) for multiple reasons.” According to Sharabani, those reasons include:

  • Traditional cyber security cannot travel with bring-your-own-device (BYOD), company-issued personal enabled (COPE) and choose your own device (CYOD) mobile users beyond the secure IT perimeter–exposing healthcare practitioners to malicious Wi-Fi and cellular network-based attacks and other advanced cyber threats.
  • Hackers can trick healthcare practitioners into risky user behavior (e.g., sending HIPAA patient data to a fake physician profile actually run by a hacker) that exposes passwords, insurance information and other sensitive data without detection by traditional cyber security.
  • Extreme mobile security measures such as containerization and continuous VPN tunneling are not acceptable with BYOD, COPE and CYOD users due to infringement on privacy and interruption of productivity and collaboration.

There were a few bright spots in the report’s assessment of mobile device security, such as more users taking steps to secure their mobile devices. The report found that the percentage of devices with passcodes enabled rose slightly to 52 percent in the last quarter of 2015 from 48 percent in the third quarter of 2015. “This may be due to new devices activated over the December holidays featuring biometric passcodes. Unfortunately, it still leaves nearly half of devices completely unprotected,” the report authors stated.

The report also found that users of iPhones and iPads are more protected because they are much more likely to have the most current version of their device’s operating system. At the end of 2015, 88 percent of iOS users had upgraded iOS 9, the most recent major version of the Apple mobile operating system. By contrast, only 3 percent of Android users were using Android 6.0 or “Marshmallow” at the end of the year. That leaves 97 percent of Android devices vulnerable to exploits targeting older versions, according to the report.





Vocera to Acquire Extension Healthcare for $55M

Vocera Communications, the San Jose, Calif.-based healthcare communications company, has announced that it has acquired Extension Healthcare for approximately $55 million in an all-cash transaction.

Reports: Issues Arise in 21st Century Cures Act; Delay Possible

The 21st Century Cures Act could be in danger of not passing this year following a statement from a coalition of liberal groups calling into question the bill’s ability to address high drug prices.

ONC National Coordinator Gets Live Look at Carequality Data Exchange

Officials from Carequality have stated that there are now more than 150,000 clinicians across 11,000 clinics and 500 hospitals live on its network. These participants are also able to share health data records with one another, regardless of technology vendor.

American Red Cross, Teladoc to Provide Telehealth Services to Disaster Victims

The American Red Cross announced a partnership with Teladoc to deliver remote medical care to communities in the United States that are significantly affected by disasters.

Report: The Business of Cybercrime in Healthcare is Growing

While stolen financial data still has a higher market value than stolen medical records, as financial data can be monetized faster, there are indications that there is ongoing development of a market for stolen medical data, according to an Intel Security McAfee Labs report.

Phishing Attack at Baystate Health Potentially Exposes Data of 13K Patients

A phishing scam at Baystate Health in Springfield, Mass. has potentially exposed the personal data of 13,000 patients, according to a privacy statement from the patient care organization and a report from MassLive.