Eighty percent of physicians use their mobile devices to assist in their day-to-day practice and 28 percent store patient data on their mobile devices, yet these devices can be prime targets for cyber criminals, according to a new Mobile Threat Intelligence Report.
The report, released by Skycure, found that in a single month, one in five (22 percent) of mobile devices will be at risk of a network attack. This figure nearly doubles (to 39 percent) after four months, which signifies that the percentage of doctors who use mobile devices to assist their day-to-day practice are exposed to network threats that significantly increase over time, according to the report.
In 2013, 8 percent of doctors used mobile devices to manage in-patient data, and that number grew to 31 percent by 2014, according to a previous Black Book Market Research report. Today, 70 percent of doctors use mobile devices to manage in-patient data.
"The mobile phone is the best surveillance device in history,” Jim Routh, CSO at Aetna, said in a statement. “Each device is a potential attack target for personal data, company data, and, in the healthcare industry, the private medical and health information of patients and customers. It’s imperative that both mobile users and their employers understand the risk and how to stay safe."
In addition to network threats, mobile devices continue to be plagued by malware. The Mobile Threat Intelligence Report, which is based on worldwide mobile data from Skycure and third-party sources, reports that more than four percent of all Android devices were found to be infected with malicious apps. The report also found that 27.79 million devices with medical apps also potentially have at least one high-risk malware, yet 65 percent of doctors share patient data via SMS text message and 33 percent via Whatsapp.
The U.S. Department of Health and Human Services has reported that were more than 260 major healthcare breaches in 2015, and nine percent of those breaches involved a mobile device other than a laptop.
Within healthcare, the report cites statistics from other sources that 43 percent of doctors use their mobile devices as the primary screen to access patient data—53 percent use tablets and 37 percent using phones. And, the Skycure report found that, within healthcare, 11 percent of mobile devices are running an outdated operating system with high-severity vulnerabilities and might have stored patient data on them. In addition, 14 percent of mobile devices containing patient data likely have no passcode to protect them.
More than two in every hundred mobile devices in every industry are high risk, according to the Skycure Mobile Threat Risk Score—meaning they’ve already been compromised or are currently under attack, the report states. Nearly 44 percent of mobile devices are medium to high risk. The Skycure risk score takes into account recent threats the device was exposed to, device vulnerabilities and configuration, and user behavior, the report stated
In a blog post about the research, Abi Sharabani, CEO of Skycure, wrote, “Some healthcare leaders do not fully understand the stark differences between protecting traditional endpoints from mobile endpoints. In short, smart devices are seen by the hacker community as the most vulnerable of gateways to sensitive data (HIPAA-protected patient data) for multiple reasons.” According to Sharabani, those reasons include:
- Traditional cyber security cannot travel with bring-your-own-device (BYOD), company-issued personal enabled (COPE) and choose your own device (CYOD) mobile users beyond the secure IT perimeter–exposing healthcare practitioners to malicious Wi-Fi and cellular network-based attacks and other advanced cyber threats.
- Hackers can trick healthcare practitioners into risky user behavior (e.g., sending HIPAA patient data to a fake physician profile actually run by a hacker) that exposes passwords, insurance information and other sensitive data without detection by traditional cyber security.
- Extreme mobile security measures such as containerization and continuous VPN tunneling are not acceptable with BYOD, COPE and CYOD users due to infringement on privacy and interruption of productivity and collaboration.
There were a few bright spots in the report’s assessment of mobile device security, such as more users taking steps to secure their mobile devices. The report found that the percentage of devices with passcodes enabled rose slightly to 52 percent in the last quarter of 2015 from 48 percent in the third quarter of 2015. “This may be due to new devices activated over the December holidays featuring biometric passcodes. Unfortunately, it still leaves nearly half of devices completely unprotected,” the report authors stated.
The report also found that users of iPhones and iPads are more protected because they are much more likely to have the most current version of their device’s operating system. At the end of 2015, 88 percent of iOS users had upgraded iOS 9, the most recent major version of the Apple mobile operating system. By contrast, only 3 percent of Android users were using Android 6.0 or “Marshmallow” at the end of the year. That leaves 97 percent of Android devices vulnerable to exploits targeting older versions, according to the report.