Malicious Apps in Healthcare Put Patient Data at Risk
A new healthcare-focused report from Skycure has highlighted the security risks surrounding the use of mobile devices within the medical profession.
The research found that in a single month, one in five (22%) mobile devices used by doctors might be at high risk of malware attacks. This figure nearly doubles to 39% after four months, suggesting the security threats doctors face significantly increase over time.
According to Skycure, 27.79 million devices with medical apps installed might be infected with malware, and when you consider that 80% of doctors use mobile devices in their work with 28% storing patient data on them, this is a worrying privacy issue.
The US Department of Health and Human Services report that more than 260 major healthcare breaches occurred in 2015, with 9% of these involving a mobile device other than a laptop.
“Mobile is a huge attack target for cyber-criminals who are after sensitive personal data like patient records,” said Adi Sharabani, CEO of Skycure. “Unlike desktop and network security, mobile security is often the weakest link in the security chain. Healthcare is one place where it is clear that one compromised device puts more than just the device owner’s data and identity at risk.”
Skycure says part of the problem lies with the fact that some mobile devices that could have patient data stored on them are running outdated systems with high-severity vulnerabilities. Similarly, 14% of mobile devices containing such information are likely to have no passcode protection.
“Out-of-date operating systems, particularly ones that are no longer supported by the vendor (i.e. Microsoft) are a risk because vulnerabilities in them that were not discovered and patched before they went out of vendor support will never be patched, and so are a permanent invitation to hackers” Rik Turner, Senior Analyst at Ovum, told Infosecurity.
“Systems with no or only weak password protection on them are clearly more at risk than ones with a strong password, though to be honest, even that is not really enough, particularly if sensitive data such as patient records are held on the device,” he continued. “Some form of disk and/or file encryption should be employed to supplement passwords. Quite how to raise user awareness of this issue remains a challenge. One suspects that many users will only truly become aware after the fact, i.e. after they have been breached a first time.”
Source: Information Security Magazine