Today, mobile devices are transforming healthcare delivery by increasing efficiency, streamlining workflows, and improving patient outcomes. But when healthcare organizations allow employees to use their own mobile devices for work-related tasks, they may be inadvertently increasing the risk of a hacker attack.
Employee-owned devices (BYOD) often lack the security controls and data protections that healthcare organizations need. As a result, they are more likely to threaten the confidentiality of patient data and other sensitive information. That puts providers at risk of steep regulatory penalties, business interruptions, reputational damage, and other financial losses. In fact, the average cost of a data breach in healthcare has soared to over $10 million.
Of course, maintaining HIPAA compliance is the number one reason to avoid personal devices, but it’s far from the only consideration. See our five reasons why healthcare organizations need the ability to control and secure mobile devices.
1. Healthcare Has Unique Security Vulnerabilities
Hospitals and other providers are high-value targets for hackers. Healthcare providers maintain tons of sensitive data, including medical records that are lucrative on the dark web.
Hackers also know that healthcare organizations must provide continuous care, so they may be more motivated to pay ransomware demands quickly to resume operations. In addition, healthcare organizations take longer, on average, to discover a breach — which gives hackers more time to infiltrate their systems and inflict damage.
Beyond that, hackers have increasingly set their sights on mobile devices. Mobile malware is a growing problem, and it’s worse among BYOD phones and tablets.
Unsecured devices are vulnerable to multiple threats, including phishing, spyware, malware-infected text messages, compromised apps, and data leakage. That’s on top of the threat posed by lost or stolen devices; when those are BYOD devices, organizations may have no way to track them down or remotely lock or wipe their contents.
2. Personal Devices Lack Strong Security Controls
Businesses might wonder whether they can apply proper levels of security to employees' devices. The short answer is no: employers will never be able to secure, control, monitor, and manage personal devices to the same degree they can company-owned devices.
For example, in peer-reviewed 2020 data on U.S. healthcare organizations, 11% of doctor-owned personal devices that stored patient data had highly vulnerable operating systems that were either outdated or jailbroken/rooted. In other words, users had circumvented the platform's security controls to gain full access to device features.
When organizations own mobile devices, they can pre-install security settings, enforce security policies, deploy access and identity management controls, and control what employees can and cannot do on the devices. These controls range from ensuring that devices have proper software updates and security patches to limiting users’ ability to copy and share information on specific apps.
3. Users’ Passwords and Authentication Methods Are Inconsistent
The 2020 data also found that 14% of the devices owned by doctors contained some form of patient data yet had no device locking or authentication mechanism to protect sensitive information. Passwords, pattern locks, and biometric authentication provide an additional layer of protection to ensure that only authorized users can access a device. Again, that’s a requirement that healthcare organizations can’t enforce on employees’ personal devices.
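As an added illustration (not code from the article or from any vendor it describes), here is a small device-compliance check that applies the criteria from the two sections above, an outdated or jailbroken/rooted OS and a missing device lock, to a constructed device inventory and flags only the devices that also hold patient data. The minimum OS versions and the inventory are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed minimum acceptable OS versions per platform (hypothetical thresholds,
# not taken from the article). Anything older counts as "outdated".
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}


@dataclass
class Device:
    device_id: str
    platform: str          # "ios" or "android"
    os_version: tuple      # e.g. (15, 4)
    rooted: bool           # jailbroken (iOS) or rooted (Android)
    screen_lock: bool      # PIN, pattern, or biometric lock enabled
    stores_phi: bool       # protected health information present on the device


def compliance_findings(d: Device) -> list[str]:
    """Return the policy violations for one device (empty list when compliant)."""
    findings = []
    if d.rooted:
        findings.append("jailbroken/rooted")
    if d.os_version < MIN_OS_VERSION.get(d.platform, (0, 0)):
        findings.append("outdated OS")
    if not d.screen_lock:
        findings.append("no device lock")
    return findings


def phi_at_risk(devices: list[Device]) -> dict[str, list[str]]:
    """Map device id -> violations, restricted to devices that hold patient data.

    This is the population the article's two statistics describe: non-compliant
    devices matter most when they also carry PHI.
    """
    return {d.device_id: f for d in devices
            if d.stores_phi and (f := compliance_findings(d))}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("dev-01", "ios", (17, 2), False, True, True),        # compliant, holds PHI
    Device("dev-02", "android", (11, 0), False, True, True),    # outdated OS, holds PHI
    Device("dev-03", "ios", (17, 0), True, True, True),         # jailbroken, holds PHI
    Device("dev-04", "android", (14, 0), False, False, True),   # no lock, holds PHI
    Device("dev-05", "android", (10, 0), False, False, False),  # non-compliant, no PHI
]

if __name__ == "__main__":
    for dev_id, findings in phi_at_risk(INVENTORY).items():
        print(f"{dev_id}: {', '.join(findings)}")
```

An MDM would run the same evaluation from attested device state rather than a self-reported inventory, and would use the result to block or quarantine access until the device is remediated.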
4. Mobile Apps Present Numerous Security Risks
Mobile apps are a primary source of security vulnerabilities. Apps may be outright fraudulent, designed to trick users into thinking they are legitimate while infecting the device with a virus. Other apps have poor security, a wide-ranging problem that can include weak encryption algorithms, insecure data storage, configuration flaws, and numerous other issues.
One recent study, which analyzed 30 healthcare apps used by providers to review patient charts and schedules, found that each one was vulnerable to cyber-attacks. For instance, 50% of the apps permitted unauthorized access to patient records, including pathology reports, X-rays, and other sensitive information.
Meanwhile, this study also found that doctors used consumer apps to share patient data: 46% shared data through picture messaging, 65% through SMS, and 33% via WhatsApp. That puts data at risk of access by doctors' colleagues or even family members, while also exposing it to any security weaknesses in those apps.
5. Personal Devices Raise Network Security Concerns
BYOD devices can also be susceptible to network attacks, especially when they connect to public, unsecured Wi-Fi. This scenario is much more likely with BYOD since users frequently use their devices in public spaces, even when performing work-related tasks.
Improperly secured BYOD devices can also compromise healthcare organizations’ internal IT networks. Every device that connects to the network is a potential risk, particularly if those devices lack security updates and aren’t subject to stringent security controls.
Owning the devices gives organizations far better visibility: they can see exactly which devices are on the network, whether they are up to date, and which apps are installed. That helps to protect networks by preventing unauthorized and unsafe devices from gaining access.
The Bottom Line
A desire to strengthen security is one of the primary reasons healthcare organizations issue mobile devices to employees and, in many cases, adopt a mobile device management solution.
Ownership of employees’ devices yields all the benefits of mobility — from efficiency to ease of collaboration — while minimizing the potential downsides. When organizations can establish and enforce appropriate security policies, processes, and tools on mobile devices, they’ve taken a massive step toward reducing cybersecurity and business risks.
Curious about the benefits of managed mobility services for healthcare? Get our guide to learn how to leverage the efficiencies of mobile devices without burdening your IT staff, incurring unnecessary costs, or risking confidential patient data.