- Twenty-five percent of healthcare organizations suffered a mobile-related breach in the last year, with 67 percent of those organizations reporting the compromise as “major,” according to the latest Verizon Mobile Security Report.
In addition, of those healthcare organizations with a reported mobile breach, 41 percent said the major breach caused lasting repercussions, and 43 percent called the remediation difficult and expensive.
The report also found that healthcare providers were also much more likely to be notified of a breach by a customer or vendor than other industries, or about 53 percent versus about 38 percent across all sectors on average.
The two most significant causes of mobile-related breaches impacting health providers were user error/mistakes (53 percent) and personal use (53 percent).
“Healthcare organizations often have many staff, many devices, and lots of potentially valuable information – not just sensitive clinical data, but also things like payment card information,” the report authors wrote.
What’s interesting, the report authors wrote, is that despite the overall consensus in the security community that healthcare is a prime target for hackers, the number of mobile-related breaches “seems quite low.”
Indeed, overall one-third of companies across all sectors experienced a mobile-related breach last year – more than the health sector.
“[And so] It could be that they genuinely suffered fewer compromises that featured a mobile device; or maybe they just weren’t as good at identifying when one was involved,” the report authors wrote.
Across all sectors, 83 percent of respondents said their organization was at risk to mobile threats, with 29 percent describing the risk as significant. Further, 67 percent felt less confident about mobile device security within their organization than other device types.
Also concerning: 80 percent of respondents who said they’re responsible for securing mobile devices said they used public wi-fi to do so, even when prohibit by company policy. And 46 percent of those who sacrificed security admitted to a compromise as a result.
“Companies are increasingly reliant on mobility as the backbone of their business operations so there needs to be a priority on securing those devices,” TJ Fox, Senior Vice President, President of Verizon Business Markets, said in a statement.
“The applications on these devices now manage things like supply chain systems, point of sale systems, or customer-facing apps,” he added. “The lack of robust security measures could potentially expose corporate assets, and possibly customer data, to malicious actors.”
The report findings are similar to last year’s mobile report from Verizon, which found 35 percent of health organizations reported data loss or downtime from a mobile device security incident. Further, the report found healthcare was most likely to suffer from lagging device security.
Indeed, when the Department of Health and Human Services released its own voluntary cybersecurity guidance in the fall, security leaders pointed to the absence of a section dedicated to mobile security. When it comes to mobile security, organizations need more than anti-virus, it also includes bring-your-own-device that needs to be managed differently than those owned by the provider.
In August, NIST and the National Cybersecurity Center of Excellence released guidance around healthcare mobile device security to better protect patient data.