
Mobile Devices Expanding Threats to Healthcare Data

From health apps to telemedicine, healthcare is no longer confined to the four sterile walls of a hospital or doctor’s office. But as we’ve already noted, extending healthcare into our everyday world is not without risks—and few things are riskier than mobile devices.

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, found that mobile device insecurity is among the top security threats worrying healthcare organizations, alongside employee-owned mobile devices (BYOD) and insecure mobile health (eHealth) apps.

Earlier this year, PricewaterhouseCoopers (PwC) released its top health industry issues report, in which handheld medicine—or “care in the palm of your hand”—was third on the list. The cybersecurity of medical technology, particularly devices, was fourth.

Mobile Risks—Where Are They Coming From?

In many regards, mobile devices are little more than a portable data breach waiting to happen. Consider how some of the basic security problems with mobile devices are threatening the privacy and security of healthcare data:

1. Employee-owned mobile devices/BYOD: Over the past few years, an employee’s work phone and personal phone have become one and the same. A report from mobile security firm Skycure found that nearly all doctors (99 percent) use mobile devices, and that many of those devices are used to share patient data via picture messaging, WhatsApp, and SMS/texting. Worse, the study noted, some 14 percent of mobile devices that contain patient data aren’t password-protected.

Despite the risks, healthcare organizations should still adopt BYOD policies. “Don’t focus on not allowing employees to use devices and apps,” but rather focus on visibility, Varun Kohli, vice president of marketing for Skycure, told Dark Reading. “If you don’t even know how many of your devices were attacked, how can you know where the attacks are coming from?”

2. Mobile health apps: Both clinicians and patients are using mobile health apps to deliver or receive care. Mobile health app adoption doubled in two years, to 32 percent in 2015, and 81 percent of clinicians said mobile access to medical data helps coordinate patient care, according to PwC.

But, as happens all too often, privacy protections do not keep up with technology. CBS News reported on a recent study published in The Journal of the American Medical Association (JAMA) in which researchers searched for all available Android diabetes apps and identified 271. They installed a random subset of these apps to see whether data was sent to third parties, meaning websites not directly controlled by the developer. Six months later, the study found that:

  • 60 of the apps, including some that had been installed, were unavailable.
  • Of the remaining 211 apps, 81 percent of these had no privacy policies.
  • Of the 41 apps with such policies, more than 80 percent collected user data and almost 50 percent shared it.
  • Only four policies said they would ask users for permission to share their data.

“This study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties,” the researchers wrote. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case.”
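The check the researchers ran is, at bottom, traffic analysis: watch where an app sends data and ask whether each destination belongs to the developer. The script below is an added example, not code from the JAMA study, CBS News, or this page. It classifies a captured set of outbound requests as first- or third-party by registrable domain and reports which third-party hosts received fields that look like health data. The developer domain, the health-field names, and the captured requests are all constructed for illustration.

```python
"""Classify an app's outbound requests as first- or third-party and flag
those that carry health data. Constructed example; not from the JAMA study."""
from urllib.parse import urlsplit, parse_qs

# Hypothetical developer domain: anything outside it is a "third party".
DEVELOPER_DOMAIN = "example-diabetes-app.com"

# Field names that indicate health data in a request body or query string
# (assumed for the example; a real tool would tune this list per app).
HEALTH_FIELDS = {"glucose", "insulin_units", "hba1c", "diagnosis", "dob"}

# Constructed capture of outbound requests (method, URL, body). Not real traffic.
SAMPLE_CAPTURE = [
    ("POST", "https://api.example-diabetes-app.com/v1/readings",
             "glucose=142&insulin_units=6&ts=1462200000"),
    ("GET",  "https://cdn.example-diabetes-app.com/static/logo.png", ""),
    ("POST", "https://track.adnetwork.example/collect",
             "event=reading_saved&glucose=142&device_id=abc123"),
    ("GET",  "https://analytics.example.net/ping?app=diabetes&dob=1970-01-01", ""),
    ("GET",  "https://analytics.example.net/ping?app=diabetes&session=9", ""),
]


def registrable_domain(host):
    """Last two labels of the host. Good enough for the constructed sample;
    a real tool should use the Public Suffix List (e.g. 'co.uk' needs three)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_first_party(host):
    """True only when the registrable domain matches the developer's exactly,
    so 'evil-example-diabetes-app.com' does not pass as first party."""
    return registrable_domain(host) == DEVELOPER_DOMAIN


def health_fields_in(url, body):
    """Health-looking parameter names found in the query string or form body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    return sorted(HEALTH_FIELDS & set(params))


def classify(capture):
    """One record per request: host, first/third party, and health fields carried."""
    records = []
    for method, url, body in capture:
        host = urlsplit(url).hostname or ""
        records.append({
            "method": method,
            "host": host,
            "party": "first" if is_first_party(host) else "third",
            "health_fields": health_fields_in(url, body),
        })
    return records


def third_party_health_leaks(capture):
    """Hosts outside the developer's domain that received health data: the
    finding the study was looking for. Maps host -> sorted field names."""
    leaks = {}
    for rec in classify(capture):
        if rec["party"] == "third" and rec["health_fields"]:
            leaks.setdefault(rec["host"], set()).update(rec["health_fields"])
    return {host: sorted(fields) for host, fields in leaks.items()}


if __name__ == "__main__":
    for rec in classify(SAMPLE_CAPTURE):
        fields = ",".join(rec["health_fields"]) or "-"
        print(f"{rec['party']:5} {rec['host']:40} {fields}")
    print("third-party hosts receiving health data:",
          third_party_health_leaks(SAMPLE_CAPTURE))
```

On the constructed capture, the ad network and the analytics host both show up as third parties receiving health fields, while the analytics ping without a date of birth is third-party but clean. Two caveats apply to a real run: traffic should be captured with a proxy that can decrypt the app's TLS, and the two-label domain heuristic must be replaced with a Public Suffix List lookup before trusting the first-party verdict.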

The federal government is seeking to raise awareness among mobile app developers of their data protection obligations. The Federal Trade Commission (FTC) recently released an interactive tool to help app developers figure out which laws may apply based on the app’s functionality.

3. Mobile device insecurity: Mobile devices themselves are weak points. Users may delay installing security patches and updates, fail to set a passcode, store business data on their devices, or let friends or family members (such as children) use devices that are also used for work.

These lax security practices will not protect data in a threat-filled world. In a recent webinar, Sean Hoar, a partner with Davis Wright Tremaine in its privacy and security practice, called mobile devices a “huge attack vector.” He cited a report that said there are more than 5,000 variants of malware targeted toward smartphones to get access to data. In addition, more than 250,000 variants of ransomware are being released quarterly.

California Attorney General Kamala Harris also released a detailed data breach report that analyzed hundreds of breaches in California between 2012 and 2015. The report found that 55 percent of healthcare breaches were due to a failure to encrypt sensitive data, compared with just 16 percent of breaches in all other sectors. It’s no surprise that Harris recommends the use of strong encryption to protect personal data on mobile devices.

Jon Oberheide, CTO of Duo Security, pointed out that while cyber-attacks on mobile devices can put patient data at risk, the real threat is “improperly secured devices that may be physically lost or stolen,” he told Dark Reading in reference to the Skycure study. “Mobile malware and remote exploitation of mobile devices can be a risk to PHI [protected health information], but those kinds of attacks are not commonly seen in the wild and are becoming less and less common as mobile devices become increasingly hardened.”

Don’t Forget Privacy in the Rush

Waiting has become a lost art. We want to buy now, see now, know now, talk now. This demand for immediacy and convenience is transforming healthcare. While no one would dispute the benefits of faster and better access to healthcare services, we must remember that some things, like protecting patient data, can’t be instantly downloaded. Technology may move at the speed of light, but solid security and privacy practices take time.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.