News Feature | April 12, 2016

The Doctor Will Leak Your Data Now

By Christine Kern, contributing writer


More than 27 million Android devices with medical apps likely to have high-risk malware installed.

Medical mobile devices are not as secure as one might think, despite HIPAA and other regulations surrounding the use and storage of confidential personal data. This is among the findings of the second Mobile Threat Intelligence report from Skycure.

The report found that doctors who use mobile devices in their daily practice are exposed to network threats that significantly increase over time. In just one month, 22 percent of mobile devices will be at risk of a network attack, and that figure spikes to 39 percent after four months.

Breaches and other malicious cyber attacks are a serious threat to the healthcare industry, and protected health information (PHI) is a valuable commodity for cyber criminals. According to the U.S. Department of Health and Human Services, more than 260 major healthcare breaches occurred in 2015. Of those breaches, 9 percent involved a mobile device other than a laptop. And since 80 percent of doctors use their mobile devices to assist in their daily practice, with 28 percent storing patient data on their mobile device, these devices are prime targets for cyber criminals.

It’s not just network threats that are the problem: mobile devices continue to be plagued by malware. More than 4 percent of all Android devices were found to be infected with malicious apps. The report also found 27.79 million devices with medical apps installed might also be infected with high-risk malware.

“The mobile phone is the best surveillance device in history,” said Jim Routh, CSO, Aetna. “Each device is a potential attack target for personal data, company data, and, in the healthcare industry, the private medical and health information of patients and customers. It’s imperative that both mobile users and their employers understand the risk and how to stay safe.”

The Skycure report also found:

  • 11 percent of mobile devices running an outdated operating system with high-severity vulnerabilities might have stored patient data on them
  • 14 percent of mobile devices containing patient data likely have no passcode to protect them
  • 27.79 million devices with medical apps installed might also be infected with high-risk malware

“Mobile is a huge attack target for cyber criminals who are after sensitive personal data like patient records,” said Adi Sharabani, CEO of Skycure. “Unlike desktop and network security, mobile security is often the weakest link in the security chain. Healthcare is one place where it is clear that one compromised device puts more than just the device owner’s data and identity at risk.”

On the positive side of the mobile landscape, the report also found 52 percent of users have enabled passcodes, including biometrics, which is a slight increase. And iPhone and iPad users are better protected than Android users, as they are more likely to have the most current version of their device’s operating system.

Among the vulnerabilities that persist for Android users are the Shared Cookie Store Bug, a vulnerability discovered by Skycure researchers several years ago yet only addressed in the most recent version of iOS, and Accessibility Clickjacking, a new type of Android malware that tricks users into giving away admin access to their devices and affects 65 percent of Android devices — or half a billion mobile devices.