[BreachExchange] Malicious Apps in Healthcare Put Patient Data at Risk

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 7 20:28:07 EDT 2016


http://www.infosecurity-magazine.com/news/malicious-apps-healthcare-patient/

A new healthcare-focused report from Skycure has highlighted the security
risks surrounding the use of mobile devices within the medical profession.

The research found that in a single month, one in five (22%) mobile devices
used by doctors might be at high risk of malware attacks. This figure
nearly doubles to 39% after four months, suggesting the security threats
doctors face significantly increase over time.

According to Skycure, 27.79 million devices with medical apps installed
might be infected with malware, and when you consider that 80% of doctors
use mobile devices in their work with 28% storing patient data on them,
this is a worrying privacy issue.

The US Department of Health and Human Services report that more than 260
major healthcare breaches occurred in 2015, with 9% of these involving a
mobile device other than a laptop.

“Mobile is a huge attack target for cyber-criminals who are after sensitive
personal data like patient records,” said Adi Sharabani, CEO of Skycure.
“Unlike desktop and network security, mobile security is often the weakest
link in the security chain. Healthcare is one place where it is clear that
one compromised device puts more than just the device owner’s data and
identity at risk.”

Skycure says part of the problem lies with the fact that some mobile
devices that could have patient data stored on them are running outdated
systems with high-severity vulnerabilities. Similarly, 14% of mobile
devices containing such information are likely to have no passcode
protection.

“Out-of-date operating systems, particularly ones that are no longer
supported by the vendor (i.e. Microsoft) are a risk because vulnerabilities
in them that were not discovered and patched before they went out of vendor
support will never be patched, and so are a permanent invitation to
hackers,” Rik Turner, Senior Analyst at Ovum, told Infosecurity.

“Systems with no or only weak password protection on them are clearly more
at risk than ones with a strong password, though to be honest, even that is
not really enough, particularly if sensitive data such as patient records
are held on the device,” he continued. “Some form of disk and/or file
encryption should be employed to supplement passwords. Quite how to raise
user awareness of this issue remains a challenge. One suspects that many
users will only truly become aware after the fact, i.e. after they have
been breached a first time.”