37% Health Orgs Shirk Mobile Security for Efficiency, Increasing Risk

By Jessica Davis

Verizon’s 2020 Mobile Security Index shows two-fifths of healthcare organizations faced a mobile device compromise last year, with some admitting they sacrifice security “to get the job done,” thus increasing risk. Verizon recently released its third annual Mobile Security Index, which revealed 37 percent of healthcare organizations admit to sacrificing mobile security to “get the job done” and have drastically increased the risk of compromise in the process.

Researchers from Verizon surveyed 876 professionals tasked with buying, securing, and managing IoT and mobile devices, including those from healthcare. The goal was to provide insights into the mobile device threat landscape and ways organizations are, or are not, protecting data and key systems. Overall, organizations use an average of 1,300 apps and cloud services, and nearly all (95 percent) of those are unmanaged without IT administration rights or visibility. According to the report, awareness and concern about mobile device security has increased across the sector, but not all leaders are ensuring the effectiveness of their security. Thirty-eight percent of healthcare respondents said they faced compromise involving a mobile device last year, a significant increase from 2018 (25 percent).

What’s more, 36 percent of those that experienced a compromise said the effects were major. “There’s a lot at stake. Healthcare organizations hold highly sensitive data about their patients and employees, which can be a target for cybercriminals hoping to sell this information on the black market or conduct blackmail and extortion schemes,” researchers wrote. “And the impact of security breaches can be far-reaching.” Despite those risks, two-fifths of healthcare organizations admit to going around mobile security measures. And those organizations were nearly twice as likely to experience a compromise than those that did not sacrifice mobile security.

The report also showed that many healthcare organizations are failing to take basic precautions, with just 43 percent of respondents saying they changed all default or vendor-supplied password, or encrypted sensitive data across public networks, “two of the most fundamental security measures, along with regular security testing and restricting access to data on a need-to-know basis.” And only 12 percent had all four of these basic precautions in place. Another 65 percent don’t restrict the use of cloud apps without a proven security rating, while only 49 percent restrict the functionality of apps when accessed from unknown networks or locations. “Mobile and the cloud are becoming more intertwined. In fact, 85 percent of healthcare organizations said that within five years, mobile will be their primary means of accessing cloud-based services,” researchers wrote. “For most, the cloud is now the default choice for building and running apps.”

“Forty-four percent said that over half of their new business information is stored in the cloud. Most healthcare respondents massively underestimate the number of apps being used in their organization,” they continued. “Sixty-five percent said the number was under 100. Just 4 percent said that they use over 1,000. The average is actually much higher.” As a result, healthcare respondents are increasingly concerned about the risk of mobile device threats, with 73 percent of organizations rating the risk posed to their enterprise as moderate to significant. The top threats that healthcare organizations feel unprepared to handle range from cryptojacking, unapproved applications, rogue or insecure wi-fi hotspots, and malware.

Data loss, such as theft or exposure of medical records, was the largest concern among healthcare providers when it comes to security breach consequences at (62 percent), followed by reputation damage (50 percent) and regulatory penalties (32 percent). Fifty-one percent of organizations are afraid of exposing employee data, a prime target for hackers leveraging targeted phishing campaigns, such as tax scams. The question remains, what is driving the mobile security risk? According to the report, much of the insider threat is inadvertent. Seventy-five percent of organizations understand that employees are the greatest risk posed by devices. But just 52 percent said their employees were trained on IT security. Even worse, 65 percent of the healthcare leaders who responded to the survey said they personally used public wi-fi for work-related tasks, despite it being explicitly prohibited by the organization for 23 percent of the respondents.

“It’s true that employee actions, even if inadvertent, can expose healthcare providers to greater risk,” researchers wrote. “These range from installing unapproved apps to connecting to insecure public Wi-Fi hotspots.” “But with so many healthcare organizations knowingly sacrificing security, and with those responsible for setting mobile policies breaking the rules themselves, is it fair, or good risk management, to expect better from employees?” they added. The need to quickly access data makes it harder to implement effective security, according to 76 percent of respondents. The stat is supported by a referenced NetMotion report that showed 20 percent of mobile workers listed the IT security policy as their most frustrating issue at work, with “cumbersome authentication” as the fifth most frustrating issue.

The issue is reflected in the data: 64 percent sacrificed security for expediency and 46 percent named convenience. “This suggests that decision makers are concerned about the impact that security measures can have on productivity and efficiency,” researchers wrote. “These are valid concerns in a medical setting, where the ability to access data and make fast decisions can be critical. Poorly designed or implemented security policies can be bad for both employees and patients.” “Something as simple as a password policy could impede employees’ productivity, increase support costs (due to more resets) and potentially increase risk (by driving employees to circumvent the rules, especially in medical emergencies),” they added. “Security shouldn’t be a burden.”

Healthcare organizations should instead turn to secure mobile gateways, adaptive authentication and zero-trust services, which Verizon researchers explained can actually reduce the number of intrusive login prompts without putting systems and data at greater risk. Verizon also recommended IT leaders establish a formal AUP that specifies requirements for bring-your-own-device users, including the networks they’re allowed to use and the apps they’re allowed to install. Organizations need a “security-first focus,” and all employees need regular training to know how wnd when to report suspicious activities and behaviors.

Password policies should include strength, reuse and two-factor authentication requirements, while data access should be restricted to a need-to-know basis. Further, employees should be limited from installing apps from sources that are not vetted and those downloaded from the internet should be blocked. All patches will need to be promptly installed, while all default and vendor-supplied passwords should be changed. “Implement policies to lock down and isolate vulnerable, infected, and lost or stolen devices,” researchers wrote. “Use a mobile device management solution to simplify patch management and enforce your AUP, including authentication policies.”

“The consequences of a mobile-related security incident are often serious and far reaching. Of healthcare respondents that had suffered a compromise, almost half experienced downtime as a result of the attack, and 39 percent had to deal with the loss or exposure of data,” they added. “Remediation can be lengthy, difficult and expensive. Don’t wait until you discover a breach to rethink your mobile security.” Employees are consistently the largest vulnerability in healthcare. In May 2019, another Verizon report showed miscellaneous errors, privilege misuse, and web applications represented 81 percent of healthcare data breaches in 2018: with healthcare named as the only sector where the majority of breaches were tied to internal threats. In November, the University of Rochester Medical Center in New York will paid the Office for Civil Rights $3 million and agreed to a corrective action plan to repair flaws in its mobile device security program, including failing to encrypt its devices.