Addressing Mobile Device Security Risks in Healthcare

August 02, 2022 - Mobile device security risks have become a more prominent threat along with the rise of remote work. In fact, nearly half of more than 600 security professionals surveyed by Verizon in its new Mobile Security Index (MSI) report said that their organizations had suffered a compromise involving a mobile device in the past 12 months.  

Almost 80 percent of respondents across all industries agreed that recent changes in working practices had negatively impacted their organization’s cybersecurity. In addition, 58 percent of respondents said that their organizations had more users using mobile devices than 12 months ago.

“With the volume of devices a modern enterprise relies on, keeping them all up to date can seem like a Sisyphean task,” the report noted.

“With more and more devices, the danger of lost or missing devices grows. But it’s not just the quantity of devices that’s growing, the variety is growing too. Today there are smartphones, laptops, tablets, hybrids (like Microsoft Surface), Chromebooks, wearables and a seemingly endless range of connected devices.”

Nearly half of healthcare respondents that suffered a mobile-related security breach said that device-based threats were a contributing factor. Additionally, 52 percent of all respondents that suffered a mobile-related security breach said that network threats were a contributing factor.

“Insecure networks remain a serious threat to mobile device security,” the report stated. “Attackers can intercept traffic through man-in-the-middle (MitM) attacks or lure employees into using rogue Wi-Fi hotspots or access points.”

The report also pointed at public and home Wi-Fi policies, improper IoT device security strategies, poor app permissions, and the prominence of ransomware and malware as threats to mobile device security.

Mitigating Mobile Device Security Risks

The Office of the National Coordinator for Health Information Technology (ONC) provided a multitude of tips for maintaining mobile device security in healthcare on its website.

ONC recommended that organizations require passwords or other user authentication along with encryption solutions to protect health data.

Healthcare providers and professionals should learn and understand their organization’s policies and procedures on bring your own device (BYOD), mobile device registration, backup information stored on mobile devices, remote wiping or disabling, and mobile device information storage, ONC suggested.

In addition, ONC recommended that users avoid allowing the use of their mobile devices by unauthorized users, storing or sending unencrypted health information with their mobile devices, and downloading apps without verifying that they are from a trusted source. Additionally, it is crucial that users are educated on proper password hygiene.

Verizon suggested that users follow the acronym “LUCID” to create strong passwords: Long, Unique, Complex, Interpersonal, and Different.

“Remember that poor password practices at home can be a threat to the business. If a user uses the same password across multiple accounts, this could increase the risk of a successful credential stuffing attack,” the report explained.

These tips may seem basic, but poor password hygiene, especially on mobile devices, can pose significant security risks. A December 2021 report by GoodFirms revealed that 63 percent of online users change their passwords only when prompted, and almost half of users keep the same password for multiple sites or applications. Over half of users also reported sharing their login and password credentials with colleagues, family members, and friends.

When asked whether they were optimistic or pessimistic about the future of mobile device security, every respondent to the Verizon survey said that they were optimistic. Respondents cited growing awareness of the issue among business leaders, advances in technology, and improved regulations as reasons for their optimism.

“As cybersecurity becomes more high-profile, it is receiving more attention from consumers, business leaders and legislators,” the report noted.

“This increased attention is driving companies to take the issue more seriously and legislators to improve guidance for organizations. In the past, many cybersecurity regulations were criticized for being too ‘outcome-based’ and offering little clear guidance. Our panel of experts said that they see that changing.”

Despite this optimism, 66 percent of total respondents said that they had faced pressure to sacrifice mobile device security “to get the job done.”

Even as security technologies advance and more business leaders turn their attention to cybersecurity, organizations still need to further prioritize mobile device security, and security in general, in order to keep data safe amid today’s threat landscape.