Healthcare Organizations at Risk: BYOD and Mobile Devices are Increasing Cybersecurity Concerns

The following is a guest article by Kern Smith, Mobile Security Expert at Zimperium

The healthcare industry has been transforming radically over the past decade with the common goal of improving the way care is delivered to patients. In the last few years alone, healthcare organizations have quickly become mobile-powered businesses: records have migrated to electronic health record systems, and patients increasingly use mobile apps to view test results, schedule appointments, contact their care provider, and even control their medical devices. This shift has brought real advantages, including more accurate and up-to-date patient information, quick access to records, improved patient outcomes, and better communication between patients and providers. It has also brought new risks, especially to the security of patient data.

Risks Healthcare Organizations Face in this New Mobile-First Environment

The healthcare sector has always been a prime target for cybercriminals. Healthcare organizations store an extensive archive of protected health information (PHI) and the accompanying financial records, which, if stolen, can be incredibly lucrative for the attacker and especially damaging to the victim. Stolen data is used to commit fraud, identity theft, intellectual property theft, espionage, blackmail, and extortion, and, unlike a password or a card number, a medical history cannot be reissued once it has leaked.

Apps and mobile devices are effective, affordable, and convenient ways for medical facilities to manage a diverse range of tasks across the patient care continuum. Unfortunately, the same ease of use, combined with the confidential patient information these devices and apps store and access, makes healthcare organizations that much more attractive to attackers.

In March 2023, for example, Cerebral, a telehealth platform that provides online therapy and medication management to millions of users, reported a healthcare data breach that impacted more than 3.1 million individuals that stemmed from its use of tracking pixels.

Unfortunately, this is not a standalone incident. According to the HHS Office for Civil Rights (OCR) data breach portal, the healthcare sector has already experienced around 295 breaches in the first half of 2023 alone. Additionally, Zimperium’s Global Mobile Threat Report 2023 revealed a 187% year-over-year increase in the number of compromised mobile devices.

The movement to mobile has brought a whole new slew of attack methods that cybercriminals are using against healthcare organizations. Some of these include:

  • Phishing – Malicious links or attachments delivered via email, social media, or text message (smishing) to install malware or harvest credentials
  • Mobile Ransomware – Malware that encrypts files on a mobile device, or locks the device itself, and then demands a ransom payment for recovery
  • Man-in-the-Middle (MITM) Attacks – Attackers intercepting network communications or data transfers, for example on an untrusted Wi-Fi network, to steal confidential user information

It is not too much to say that the use of mobile devices to store, access, and transmit electronic health records is outpacing the privacy and security protections on those devices. Privacy risk will continue to rise in step with new attack surfaces and more advanced attack methods, so organizations should adopt mobile-first strategies that can adapt to these challenges.

How can Organizations Protect Themselves and Their Patients from Future Attacks?

As the healthcare industry continues to rely on mobile and BYOD devices as means for storing and accessing confidential patient information, one of the core steps they must take is adopting a mobile-first security strategy. To do this, there are a few key areas organizations should keep their eye on:

  1. Prioritize Risk Assessment – Assessing risk as close to the user or point of entry as possible, ideally on the device itself, is crucial to defending against attackers. A good first step is to apply that assessment consistently across every mobile device and app the business relies on.
  2. Visibility is your Best Friend – Complete visibility of all mobile assets and their risk levels is needed to find vulnerabilities and address them immediately. Defenses should be quantifiable, auditable, and insurable.
  3. Address the Most Critical Gaps First – By embedding security across all devices and applications, applying risk-based response, and running zero trust assessments of mobile endpoints, organizations can improve their overall mobile detection and response.
  4. Establish Autonomy – Systems that automatically isolate compromised devices and untrusted environments, without waiting for an analyst to act, lay the foundation for a strong security posture.
  5. Staying Ahead – Organizations should keep on top of the regulations, data sovereignty rules, and privacy standards whose breach would put them at risk of compliance failures.
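Steps 1 through 4 together describe a risk-based, zero trust check on each mobile endpoint followed by an automatic response. The following Python sketch is an added example of that pattern; it is not part of the article and not Zimperium code. The posture fields, the weights, the two thresholds, the response names, and the sample devices are all assumptions chosen for illustration.

```python
# Added example (not from the article or any vendor product): a toy risk-based
# posture engine for mobile endpoints. Every field, weight, threshold and
# device identifier below is an assumption chosen for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DevicePosture:
    """Signals a device agent or MDM would report for one endpoint (assumed)."""
    device_id: str
    os_version: str            # installed OS version, e.g. "16.4.1"
    min_os_version: str        # lowest version the organisation still accepts
    jailbroken: bool           # root / jailbreak detected
    mdm_enrolled: bool         # enrolled in device management
    untrusted_network: bool    # e.g. TLS interception or rogue proxy indicators
    sideloaded_apps: List[str] = field(default_factory=list)


# Assumed weights: one high-severity signal (jailbreak) alone is enough to
# remove a device from PHI access, while several medium signals add up.
WEIGHTS = {
    "jailbroken": 50,
    "outdated_os": 20,
    "not_enrolled": 20,
    "untrusted_network": 15,
    "sideloaded_app": 10,   # applied per sideloaded app
}
QUARANTINE_AT = 50   # isolate: revoke session tokens, block PHI access
STEP_UP_AT = 20      # require re-authentication, read-only PHI access


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare versions numerically so that "16.10" is newer than "16.4"."""
    return tuple(int(part) for part in v.split("."))


def assess(p: DevicePosture) -> Dict[str, object]:
    """Score one device and decide the response close to the point of entry."""
    findings: List[str] = []
    score = 0
    if p.jailbroken:
        findings.append("jailbroken")
        score += WEIGHTS["jailbroken"]
    if version_tuple(p.os_version) < version_tuple(p.min_os_version):
        findings.append(f"outdated_os:{p.os_version}<{p.min_os_version}")
        score += WEIGHTS["outdated_os"]
    if not p.mdm_enrolled:
        findings.append("not_enrolled")
        score += WEIGHTS["not_enrolled"]
    if p.untrusted_network:
        findings.append("untrusted_network")
        score += WEIGHTS["untrusted_network"]
    for app in p.sideloaded_apps:
        findings.append(f"sideloaded_app:{app}")
        score += WEIGHTS["sideloaded_app"]

    if score >= QUARANTINE_AT:
        action = "quarantine"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return {"device_id": p.device_id, "score": score,
            "findings": findings, "action": action}


def triage(fleet: List[DevicePosture]) -> List[Dict[str, object]]:
    """Fleet-wide view, highest risk first, so the worst gaps are handled first."""
    return sorted((assess(p) for p in fleet),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample fleet (not real devices).
SAMPLE_FLEET = [
    DevicePosture("nurse-ipad-01", "17.2", "16.6", False, True, False),
    DevicePosture("byod-android-07", "12", "13", False, True, False),
    DevicePosture("byod-iphone-12", "17.1", "16.6", True, False, False),
    DevicePosture("contractor-pixel-3", "14", "13", False, False, True,
                  ["sideload.apk"]),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FLEET):
        print(f"{r['device_id']:<20} score={r['score']:<3} "
              f"action={r['action']:<10} {r['findings']}")
```

Running the block prints the fleet ranked by score: the jailbroken, unenrolled phone is quarantined outright, the two devices with medium findings are pushed to step-up authentication, and the compliant tablet is allowed. In a real deployment the `quarantine` action would revoke the device's tokens in the identity provider and the weights would come from policy rather than a constant table, but the shape of the decision is the same.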

A strong mobile-first approach to security can help you to be proactive and immediately spot suspicious activity, prevent account takeovers, and even stop fraud before it can occur. Organizations need to make the decision to shape their business with mobile users as the priority. This approach is crucial to ensure that their “crown jewels” (i.e. data), and more importantly their patients, remain safe.

Overall, the cybersecurity challenges faced in healthcare are numerous and complex. Healthcare organizations hold high-value, highly regulated data, which makes it exceedingly valuable to attackers. Combine this with a variety of complex medical devices and a workforce made up not only of direct employees but of contractors and third-party practitioners, and it is easy to see why healthcare organizations have become prime targets. Providers must therefore remain vigilant and apply sound security practices as they embrace mobile devices in their operations.

About Kern Smith

Kern Smith has over a decade of experience in the enterprise mobile device and application security space. He joined Zimperium in 2016 after spending four years at AirWatch, now VMware Workspace ONE. He has helped large-scale organizations securely enable and deploy mobile devices and applications for their mobile-powered businesses. Smith graduated from Duke University, where he earned his degree in Biomedical Engineering. He lives in Somers, NY with his wife and daughter.

   
