As more hospitals deploy mobile devices for clinical communications, staff and IT leaders worry that cybercriminals will hack them and steal medical records.
Despite new secure device investments, 82% of hospitals expressed concern about their ability to protect mobile devices, patient data, and infrastructure from cyberattacks such as malware, blastware, and ransomware, according to a Spyglass Consulting Group survey released Monday.
The survey of more than 100 IT and healthcare professionals working in hospitals found that more hospitals are moving to mobile: 38% of hospitals had invested in a mobile communications platform for doctors, nurses, and other staff to discuss clinical matters on. The average size of deployments was 624 devices.
Often, the devices are integrated with existing hospital tech like patient monitors and electronic medical records. These phones usually have secure messaging systems and stringent policies and procedures for use, said Gregg Malkary, founder and managing director of Spyglass Consulting Group, a market intelligence firm and consultancy focused on mobile computing and wireless technologies in the healthcare industry.
"Even with that investment, hospitals are still paranoid," Malkary said. "Hackers are getting more clever, and the amount of dollars hackers can get for each medical record is only increasing in price."
SEE: IT Security for the Mobile Workforce download (Tech Pro Research)
Further complicating security matters is the fact that many staff members still use personally-owned devices to communicate about patient and work matters, Malkary said. Hospitals surveyed reported concerns about these mobile devices, since many have inadequate password protection and security software, and rely on unsecured SMS messaging for communicating about patients. Personal phones often use public Wi-Fi and cellular networks that could potentially make them susceptible to attacks, the report found.
Under HIPAA privacy laws, hospitals must diligently protect patient health data, such as patient names, birth dates, social security numbers, diagnoses, tests, and insurance information. Hospitals found guilty of data breaches can be fined upwards of $1.5 million per incident, Malkary said. As noted by the report, if the breach involves more than 500 patient records, the hospital must notify the local media.
"If hospital IT doesn't provide staff with a strong communication system, they are taking matters into their own hands, and creating the problem," Malkary said.
Hospitals and other healthcare organizations are often singled out by cybercriminals due to antiquated computer security systems and the amount of sensitive data on file.
"Hospitals are an easy target, and hackers can make a lot of money from them," Malkary said. "Healthcare is always laggard in adopting technology, which creates an imperative—you can't be willy-nilly deploying complex solutions. You need to be precise."
In 2015, there were more than 230 healthcare breaches that each impacted the records of 500-plus individuals, according to data from the US Department of Health and Human Services Office for Civil Rights.
A February ransomware attack launched against Hollywood Presbyterian Medical Center in southern California locked access to certain computer systems and left staff unable to communicate electronically for 10 days. The hospital paid a $17,000 ransom in Bitcoin to the cybercriminals, said CEO Alan Stefanek.
About 25% of hospital data breaches originate from mobile devices, the Spyglass report found.
Malkary recommended that hospitals have an overall mobile security strategy, with policies and procedures that ensure staff compliance. Hospital IT staff should discourage using personal devices or other workarounds that could endanger patient information, he added. Staff can also work with vendor partners to minimize risk and proactively deploy tech solutions that secure endpoints, Malkary said.
"We're seeing hospitals make investments and leverage mobile technology to improve the productivity and efficiency of care providers," Malkary said. "But it has to balance out against the risk."
The 3 big takeaways for TechRepublic readers
- About 38% of hospitals have invested in a smartphone-based communications platform for staff communication, but 82% of hospital IT staff and healthcare professionals are concerned about their ability to protect against cyberattacks.
- Hospitals are often targeted by cybercriminals due to out-of-date computer and security systems, and due to the wealth of information and medical records they have stored.
- Experts recommend hospitals create a mobile security strategy and staff training regimen to encourage compliance, as well as installing endpoint security systems to protect against cyberattacks.
- Why data-driven analysis must inform healthcare IT security decisions (TechRepublic)
- 'Massive' Locky ransomware campaign targets hospitals (ZDNet)
- Ransomware-as-a-service is exploding: Be ready to pay (TechRepublic)
- New exploits target hospital devices, places patients at risk (ZDNet)
- Cybersecurity spotlight: The ransomware battle (Tech Pro Research)