SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
BYOD and mobile devices heighten healthcare cyber risks
Fri, 15th Sep 2023

The healthcare industry has been transforming radically over the past decade with the common goal of improving the way healthcare is delivered to patients.

In recent years, we've watched healthcare organisations quickly become mobile-powered businesses. With the migration to electronic health records, patients are increasingly using mobile apps to view test results, schedule appointments, contact their care provider, and even control their medical devices.

Although this shift has brought many advantages, such as more accurate and up-to-date patient information, quick access to patient records, improved patient outcomes and better communication between patients and their providers, it has come with risks, especially to patient security.

The healthcare sector has always been a prime target for cybercriminals. Healthcare organisations store an extensive archive of personal health information (PHI) and their accompanying financial records that, if stolen, can be incredibly lucrative for the attacker and especially detrimental to the victim.

The stolen data is often used to commit fraud, identity theft, intellectual property theft, espionage, blackmail, extortion and more. Sadly, unlike a password, such data often cannot be replaced once it has been exposed.

Apps and mobile devices are highly effective, affordable and convenient ways for medical facilities to manage a diverse range of components throughout the patient care continuum. Unfortunately, the very ease of use of mobile devices and apps, together with the confidential patient information they store, makes healthcare organisations that much more vulnerable to attackers.

In March 2023, for example, Cerebral, a telehealth platform that provides online therapy and medication management to millions of users, reported a healthcare data breach that impacted more than 3.1 million individuals that stemmed from its use of tracking pixels.

Unfortunately, this is not a standalone incident. According to the HHS Office for Civil Rights (OCR) data breach portal, the healthcare sector has already experienced around 295 breaches in the first half of 2023 alone. Additionally, my company's Global Mobile Threat Report 2023 revealed a 187% year-over-year increase in the number of compromised mobile devices.

The movement to mobile has brought a whole new slew of attack methods that cybercriminals are using against healthcare organisations. Some of these include:

  • Phishing - Malicious links or attachments shared via email, social media or text message to deliver malware or obtain credentials.
  • Mobile Ransomware - Encrypting files on a mobile device and then requiring a ransom payment for decryption.
  • Man-in-the-middle (MITM) attacks - Attackers intercept network communications or data transfers to steal confidential user information.

It's not too much to say that the use of mobile devices to store, access and transmit electronic healthcare records is outpacing the privacy and security protections on those devices. The risk to data privacy will continue to rise in line with new attack surfaces and more advanced attack methods. Organisations should employ mobile-first strategies that can adapt to these new challenges.

How can organisations protect themselves and their patients from future attacks? As the healthcare industry continues to rely on mobile and BYOD devices as a means of storing and accessing confidential patient information, one of the core steps it must take is adopting a mobile-first security strategy. To do this, there are a few key areas organisations should keep their eye on:

1. Prioritise risk assessment - Assessing risk as close to the user or point of entry as possible is crucial to defending against attackers. A good first step organisations can take is applying mobile-powered business initiatives across all of their mobile devices and apps.

2. Visibility is your best friend - It's important to have complete visibility of all mobile assets and their risk levels in order to assess vulnerabilities and address them immediately. Implementing defences that are quantifiable, auditable, and insurable is key.

3. Address the most critical gaps first - By embedding security across all devices and applications, and applying risk-based response and zero trust assessments of mobile endpoints, organisations can enhance their mobile detection and response strategy overall.

4. Establish autonomy - Applying systems that can automatically isolate any compromised devices and untrusted environments will lay the foundation for a strong security posture.

5. Staying ahead - Organisations should keep on top of any regulations, data sovereignty and privacy standards that can put them at risk of compliance failures.
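Steps 1 to 4 above describe a risk-based, zero trust posture check on mobile endpoints: collect signals close to the device, keep fleet-wide visibility of risk levels, and automatically isolate compromised devices. The following is an added example written for this page, not code from the article or from any vendor product it mentions. The signal fields, weights, thresholds and the sample fleet are all assumptions constructed for illustration; a real deployment would take the signals from an MDM or mobile threat defence agent and feed the decision into its identity provider's conditional access policy.

```python
"""Risk-based device posture check for BYOD mobile endpoints (illustrative).

Each device reports a small set of posture signals; a policy scores them and
maps the score to an action. All field names, weights and thresholds below are
assumptions for this example, not an established standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"        # normal access to patient-facing apps
    STEP_UP = "step_up"    # access only after re-authentication; flag for follow-up
    ISOLATE = "isolate"    # revoke tokens and quarantine from clinical systems


@dataclass(frozen=True)
class DeviceSignals:
    """Posture facts an MDM or on-device agent would report (assumed field set)."""
    device_id: str
    user: str
    mdm_enrolled: bool
    screen_lock_enabled: bool
    os_patch_age_days: int        # days since the last OS security update
    jailbroken_or_rooted: bool
    malware_detected: bool
    tls_interception_seen: bool   # untrusted CA / interception proxy seen on current network


# Assumed risk weights; a policy owner would tune these, they are not fixed constants.
WEIGHTS = {
    "not_enrolled": 30,
    "no_screen_lock": 20,
    "os_patch_stale": 30,
    "jailbroken_or_rooted": 60,
    "malware_detected": 80,
    "tls_interception_seen": 50,
}
STALE_PATCH_DAYS = 90     # assumed: updates older than this count as stale
STEP_UP_THRESHOLD = 30    # score >= this requires step-up authentication
ISOLATE_THRESHOLD = 60    # score >= this isolates the device automatically


def score_device(sig: DeviceSignals) -> tuple[int, list[str]]:
    """Return (risk score, triggered findings) for one device."""
    findings = []
    if not sig.mdm_enrolled:
        findings.append("not_enrolled")
    if not sig.screen_lock_enabled:
        findings.append("no_screen_lock")
    if sig.os_patch_age_days > STALE_PATCH_DAYS:
        findings.append("os_patch_stale")
    if sig.jailbroken_or_rooted:
        findings.append("jailbroken_or_rooted")
    if sig.malware_detected:
        findings.append("malware_detected")
    if sig.tls_interception_seen:
        findings.append("tls_interception_seen")
    return sum(WEIGHTS[f] for f in findings), findings


def decide(score: int) -> Action:
    """Map a risk score to an access decision using the thresholds above."""
    if score >= ISOLATE_THRESHOLD:
        return Action.ISOLATE
    if score >= STEP_UP_THRESHOLD:
        return Action.STEP_UP
    return Action.ALLOW


def evaluate_fleet(devices: list[DeviceSignals]):
    """Evaluate every device; return per-device decisions and a fleet-level summary.

    The summary is the 'visibility' view (how many devices sit at each risk
    level); the per-device ISOLATE entries are what an automated quarantine
    step would act on.
    """
    decisions = {}
    summary = {a: 0 for a in Action}
    for d in devices:
        score, findings = score_device(d)
        action = decide(score)
        decisions[d.device_id] = (action, score, findings)
        summary[action] += 1
    return decisions, summary


# Constructed sample fleet for the example; these are not real devices or users.
SAMPLE_FLEET = [
    DeviceSignals("ios-0001", "nurse.a", True, True, 12, False, False, False),
    DeviceSignals("and-0002", "dr.b", True, True, 140, False, False, False),
    DeviceSignals("and-0003", "contractor.c", False, False, 30, False, False, False),
    DeviceSignals("ios-0004", "dr.d", True, True, 5, True, False, False),
    DeviceSignals("and-0005", "nurse.e", True, True, 20, False, True, True),
]

if __name__ == "__main__":
    per_device, fleet_summary = evaluate_fleet(SAMPLE_FLEET)
    for dev_id, (action, score, findings) in per_device.items():
        print(f"{dev_id}: {action.value:8} score={score:3} findings={findings}")
    print({a.value: n for a, n in fleet_summary.items()})
```

In the sample fleet, the fully patched, enrolled device is allowed, the stale-OS device and the unenrolled contractor device are pushed to step-up authentication, and the jailbroken device and the one reporting malware plus TLS interception are isolated without waiting for an analyst. The important design choice is that the decision is made from fresh signals at access time rather than from a one-off enrolment check, which is what "assessing risk as close to the point of entry as possible" means in practice.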

A strong mobile-first approach to security can help you to be proactive and immediately spot suspicious activity, prevent account takeovers, and even stop fraud before it can occur. Organisations need to make the decision to shape their business with mobile users as the priority. This approach is crucial to ensure that their 'crown jewels' (i.e. data) and, more importantly, their patients remain safe.

Overall, the cyber security challenges faced in healthcare are numerous and complex. Healthcare organisations possess high-value data that is highly regulated and, therefore, exceedingly valuable for attackers.

Combine this with the use of a variety of complex medical devices and a workforce made up of not just direct employees but a variety of contractors and third-party practitioners, and it's easy to see why healthcare organisations have become the main targets of attack. Therefore, providers must remain vigilant, exercising the best security efforts as they embrace mobile devices as part of their operations.