Health care practitioners are walking around with a gold mine of data on their smartphones and tablets. Mobile devices, whether physically cracked or malware hacked, sit as the greatest inside accomplice since Bonnie helped Clyde.

Cybercriminals are targeting the health care industry at an increasingly alarming rate. Even with increased mobile security, the number of attacks targeting personal health information (PHI) has increased 125 percent since 2010, according to a recent Ponemon Institute study.

What else makes health care information so valuable for cybercriminals? Basically, electronic health records yield the most intimate personal information on individuals, which criminals then flip for their own gain. For example:

  • 59 percent of the stolen information is used to acquire treatment and services.
  • 56 percent is used to obtain pharmaceuticals or medical equipment.
  • 52 percent is used to fraudulently receive benefits like Medicare and Medicaid.

When an individual’s health care data is combined with other personally identifiable information (PII), they can be packaged into full identity kits, which are sold for around $1,000 on the Dark Web.

Start Managing Your Devices, Apps and Docs Now with a free 30-day trial of MaaS360

For health care organizations, these breaches aren’t just significant hits to consumer trust; there are serious financial ramifications to the tune of $363 per stolen record on average. It’s a steep fine that makes the penalties in other industries seem like a light slap on the wrist. Individually, each infraction is far from crippling to an organization, but data is very rarely exfiltrated just one record at a time.

Mobile Raises the Odds of Health Care Data Breaches

Mobile devices have made a significant, beneficial impact on the health care industry. They have provided doctors, nurse practitioners and other health care employees with important information at their fingertips. In an industry where accessing the correct and actionable information quickly can be a matter of life and death, the instant access to data is an undeniable advantage.

While tablets and smartphones are a definitive boon to saving lives, the consumerization of IT with bring-your-own-device (BYOD) at the forefront left IT and security teams scrambling to ensure every data transmission was safe and compliant with HIPAA and other regulations.

While hacking and malware present clear and present dangers, mobile is also open to losing PHI through general misuse, devices being left behind or someone in an admin function sharing patient data on public-facing apps. Infinite ease of access to information for the right people also opens infinite possibilities for the wrong people to see this protected information.

Thankfully, this mobile threat escalation and the need for mobile security hasn’t gone completely unnoticed. About 81 percent of health care executives in KPMG’s “2015 Healthcare Cybersecurity Survey” revealed that their organizations have been compromised by a cyberattack in the past two years, with 13 percent claiming they’re targeted by external hacks once a day and 12 percent professing two or more attacks a week.

NIST and NCCoE Give Prescription for Health Care Mobile Security

Even though the awareness of cybersecurity is strong, only 53 percent of health care providers are prepared to defend against attacks, according to the KPMG study.

Recognizing the aforementioned conundrum and a growing need to ensure the tightest security without restricting productivity in the enterprise, the National Institute of Standards and Technology (NIST) and National Cybersecurity Center of Excellence (NCCoE) released a cybersecurity guide specifically aimed at providing guidance for securely mobilizing electronic health records.

One of the clear messages within the suggested framework is an enterprise mobility management (EMM) centrifuge to manage and secure the many variations of mobile devices, document types and applications — without restricting productivity.

IBM MaaS360 has been an ambulatory EMM for mobile health in health care since the first iPad started putting cumbersome PCs out to pasture. Security and productivity are delivered through the following key security and productivity characteristics:

  • Access control: The selective restriction of access to an individual or device.
  • Audit controls and monitoring: Controls recording information about events occurring within systems.
  • Device integrity: Maintaining and ensuring the accuracy and consistency of a device.
  • Person or entity authorization: The function of specifying access rights to people or entities.
  • Transmission security: The process of securing data transmissions from being infiltrated, exploited or intercepted by an individual, application or device.

Mobility, security and productivity aren’t separate conversations. To see how IBM MaaS360 can help your organization deliver reliable and secure mobile data to patients, employees and all affiliates that help save lives, start your free 30-day trial.

More from Endpoint

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read