Doctors & health care organizations need to focus on phone security, the government warns.

You’re having a private conversation between you and your doctor by e-mail.

But the smartphone your doctor may be using to respond could put you in jeopardy—not just your privacy, but all of your personal and health information, and even your ability to get speedy help in time of emergency.

Doctors and health care organizations need to pay close attention to smartphone security, the federal government is warning, as the threat of mobile phone attacks continues to grow.

“Mobile devices are increasingly used by health care professionals, and are one of the top vulnerabilities for ensuring patient information security and secure health care institution operation,” said David Jevans with cybersecurity company Proofpoint.

Research shows 65% of doctors share patient data by text message,  according to Skycure’s Mobile Threat Intelligence report released this month, and 70% of doctors used smartphones to manage patient data in 2015, up from 8% in 2013. 

But the devices that offer speed and convenience have a downside, especially in an industry dealing with your very sensitive information—a malicious hacker could turn the phone into a tool to mine health information and/or take over the entire computer system.

“Mobile devices—whether it’s a mobile phone, tablet, or medical device—increase the attack surface for hackers or other malicious actors looking to steal data, disrupt operations, or do other nefarious things,” said Stephen McCarney with Arxan Technologies. “The use of mobile devices increases risk exposure to sensitive, high-value health data.”

Lack of basic security

Your doctor may urge you to follow the basics for good health—eat right, get sleep and exercise. But is he or she following basic security steps for your health information?

About one in seven people in the health care industry may not be using a password to protect their phone, even if that phone has access to sensitive information, the Skycure research said.

That’s a big risk, cybersecurity experts say.

“Phones are regularly lost, stolen and upgraded,” said Slade Griffin with Contextual Security. “Losing a phone that didn’t have a password is the equivalent of losing a corporate laptop that isn’t encrypted.”

And the numbers show data breaches related to mobile phones may be growing. Nine percent of the health care breaches in 2015 were related to mobile devices that were not laptops, according to Skycure.

For businesses in general, two-thirds of the companies surveyed said they have already had a mobile data breach, according to a 2016 Ponemon Institute report sponsored by Lookout.

Passwords are not enough

Even if your doctor’s phone has a password, that is not enough to keep your data—and the entire clinic or hospital network—safe, cybersecurity experts say.

Just checking his or her e-mail on the phone could lead to an attack.

“Phishing scams can lead to medical professionals opening up attachments or clicking on links that execute malware,” McCarney told Archer News. “The malware could then exploit applications on the mobile device and siphon sensitive data.”

“In some cases, malware could also work its way into the network and be used for ransomware attacks and other types of malicious activities,” he added.

Ransomware

Hospital after hospital has fallen victim to ransomware in 2016, with some paying thousands of dollars to get their systems back.

“These infections affect patient records, operational systems, and could also infect the servers that patient monitoring systems connect to,” said Jevans.

He pointed to data from the FBI showing that ransomware criminals having been reaping in more than $2 million per day since the beginning of the year by attacking companies in the U.S.

“Health care companies have been impacted the most,” he said.

Ransomware and other cyber attacks can cause delays in patient care, the U.S. Department of Health and Human Services Office for Civil Rights said in an alert, according to HealthcareInfoSecurity, like a slowdown in accessing patient records, getting patients their medications and meals, and printing patient labels and discharge papers.

“They can also affect life-saving medical devices,” the alert said.

The Hollywood Presbyterian Medical Center in Los Angeles reportedly had to divert trauma patients to other hospital emergency rooms during its ransomware attack in February. The hospital ultimately paid $17,000 in ransom to get its computer systems back. 

Harmful apps

More and more doctors and other medical professionals are using health apps to share info with patients, said McCarney.

“These mobile health apps often could be downloaded from app stores or other trusted sources,” he said. “But how does a doctor or medical professional know if the health app they are using and recommending is not a rogue app that is infected with malware?”

The federal government urges health care professionals to research apps before downloading.

“A mobile app might compromise the data on your device,” HealthIT.gov advises online. “For example, a mobile app could copy your address book or other private data without your knowledge to an external entity or source.”

HealthIT.gov recommends that you verify that an app only performs functions you approve of.

“Use known websites or other trusted sources that you know will provide reputable reviews of the app,” it said. “Understand the risks you are introducing to your mobile device.”

The Government Accountability Office warned about apps masquerading as something else, tricking health care professionals into installing malware on their phones.

“Unsuspecting users download malicious applications (apps) made to look like games, device patches, or utilities,” the GAO said in a report in 2012. “Once the software is downloaded on a mobile device, unauthorized persons can access health information or system resources.”

Health care apps

Some app developers for the health care industry may be well-intentioned, but still leave security holes in their apps.

Griffin said he has tested some health care apps to see if they are secure.

“Health care customers lag behind in security in general,” he said.

One issue he found—developers using pre-made app structures that have vulnerabilities.

“The biggest issue is using things like third-party modules which have the ability to enable social media in them,” Griffin said.

In other words, the app could send out data through Twitter or other social media platforms, a potential security risk.

But, he said, some app developers are taking security steps like removing the social media connection and making sure personal health information is not stored on the phone itself.

Still, he advises caution.

“As with any new technologies, I would encourage thorough testing and a graduated adoption and implementation. Particularly with mobile devices, since the technology is always in flux and evolving,” Griffin said. “Adoption and implementation should be carefully measured and monitored.”

The cure?

One step toward phone security for doctors—look at your phone as a laptop, and plan for data protection if the device is lost, stolen or compromised, said Griffin.

“Knowing that they have access to both personal and sensitive corporate/patient data, they must be treated like any other computing device,” he said.

Keep your phone and apps updated, keep as little sensitive information as possible on the phone itself, use multi-factor authentication, don’t jailbreak or root your device, and consider using antivirus for phones, said McCarney.

He recommended using apps that have extra security protection.

The following steps will also add to your phone security health, said Jevans.

—Do not download unnecessary apps to your phone.

—Try to keep the device that you use for patient information separate from the device you use for personal use.  

—Do not allow your children to use your mobile device if you are going to use that device to access patient information or enter passwords for systems at your health care organization.  

—Always use a VPN to connect to receive e-mail or use enterprise apps when on unfamiliar or insecure Wi-Fi networks.   

—If your organization offers a mobile device management and mobile app defense service, use it. Many apps are discovered as being malicious months after being available on app stores. You need to know this as soon as possible and delete them. Anyone can use these security moves to protect their phones. But for doctors, a phone breach can have serious complications that put patients and the entire system at risk.