The 2019 edition of the Verizon Mobile Security Index has been released, showing the significant risk that mobile device breaches pose to the healthcare industry.
The report surveyed eight industry sectors to assess the data security risk of breaches involving mobile devices. The healthcare industry experienced the second lowest number of data breaches related to mobile devices, after the manufacturing/transport industry. Despite the healthcare industry ostensibly being less at risk than six other sectors, the dangers of these data breaches should not be underestimated.
Mobile device security appears to have improved in recent years. In 2017, the Verizon Mobile Security Index indicated that 35% of healthcare organisations said they had experienced a mobile security breach in the past 12 months. This figure is ten percentage points higher than the 2019 figure (25%).
The Verizon report states that while this figure is falling, it may not directly translate to better data security. Several factors could have caused the fall. For example, healthcare organisations may be failing to identify data security incidents involving mobile devices, and therefore this information is underreported.
The report also surveyed healthcare organisations to determine how prepared they felt for potential cyber attacks. The majority (85%) of healthcare organisations were ‘confident’ that their security protocols were effective. Again, the majority (83%) said they believed they would be able to detect a security incident quickly.
Despite the confidence in their defences, nearly a quarter of healthcare organisations have experienced a breach involving a mobile device. Of these organisations, 80% learned about the breach from a third party and did not detect it themselves.
Mobile devices have become ubiquitous in the healthcare industry as a way to store or transmit healthcare data. If misused, they pose a significant threat to the integrity of ePHI. The figures in the report reflect this fact; two-thirds (67%) of healthcare mobile security incidents were rated as significant breaches. The organisations reported that 40% of those breaches had significant lasting repercussions and, in 40% of cases, remediation was said to be difficult and expensive.
The report revealed that employees were the primary cause of mobile device data breaches. Over half of respondents said personal use of mobile devices posed a significant security risk and 53% said user error was a significant problem.
Nearly two-thirds of healthcare organisations rated themselves “less confident” regarding their ability to protect mobile devices than other IT systems. Verizon notes that this could be explained, in part, by the lack of adequate security measures in place. For instance, just 27% of healthcare organisations were using a private mobile network, and only 22% had unified endpoint management (UEM) in place.
The survey also confirmed that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said they sacrificed security to get tasks completed compared to 32% last year. Four-fifths said they use mobile devices to connect to public Wi-Fi even though in many cases doing so violates their company’s mobile device security policy.
The report highlights the need for organisations to place more robust security protocols on mobile devices.