Sensitive Medical Mobile Software is Not Immune to High-Risk Malware


We are all well aware of the insidious danger posed by cyber threats that are launched from the dark corners of the globe – but did you know that these dangers do not exclude medical applications? More than 28 million devices with medical apps might be infected with high-risk malware. The Petya and Wannacry ransomware attacks were especially frightening as they succeeded in shutting down banks and government systems in the Ukraine. When they were done there they crossed the Atlantic to infect hospitals and large pharmaceutical companies including Merck here in the US.

Did you know that the cell phone you carry around is just as susceptible to attacks? If you are a physician using your cell phone to send patient data, you need to know how to secure it and the patient information on it.

A recent article published in Samsung’s online Insights blog says that 80% of doctors use cell phones in their daily work. That may be great for streamlining tasks and improving communication, but it leaves a door wide open for hackers and data thieves. Patient information is very valuable on the black market these days and phones are a treasure trove of data. Here’s why.

Insights reports that a survey by Skycure found the following:

  • 14% of mobile devices that contain patient information aren’t protected by a password, even though doctors access this sensitive data on a daily basis.
  • 65% of doctors use SMS to send patient information.
  • 46% of doctors use photo messaging.
  • 33% of doctors use the messenger service WhatsApp.

Unless these mobile devices are secured, they are vulnerable to cyber attack. It was found that an enormous amount of patient data may be stored on devices that are “running outdated operating systems with severe vulnerabilities”.

Just as hospitals need to stay on top of IT security to protect patient data, as a physician you need to be vigilant about the security of your mobile phone. You need to be acutely aware that when sensitive patient data is sent across open cell phone networks it is highly vulnerable to theft. When you access patient records via cell phone on publicly accessible Wi-Fi (and you shouldn’t), you may be handing patient information to hackers in a gift box tied with a bow. Anyone on an open Wi-Fi network can potentially see the patient information, and that equals one huge HIPAA violation.

How do you secure your phone?


We were surprised at just how difficult it is to find this information. That may be one reason why so many phones aren’t secured. (Who has time to conduct multiple searches for what should be easily available information?) If you search for how to develop a HIPAA compliant app there is lots of information. But if you want to find out how to secure your phone you’re going to have to dig pretty deep. We didn’t give up, and here is what we found.

Text messages should be encrypted. Look for approved medical apps that can do this for you. Information Week suggests that you look for a medical app with the following options:

  • A system to audit the data and ensure that it hasn’t been accessed or modified in any unauthorized way.
  • A mobile wipe option that allows personal health information (PHI) to be wiped if the device is lost.
  • Data backup in case of a device loss, failure, or other disasters.

As you use your phone, always, without fail, practice the following:

  • Use the password protected screen lock feature.
  • Make sure your phone receives regular security updates.
  • Set up secure messaging and secure email on your phone.
  • Set up a recovery plan: what will you do if the phone is lost?
  • Decide what happens to the data on your old phone when you get a new one.

As a doctor, you want to use every device at your disposal to streamline work and improve patient care. Increasingly, patients want to communicate with their physicians via mobile phone, text, and email. However, the onus isn’t on them to abide by HIPAA; it’s on you. Conduct your due diligence and make sure that increased communication isn’t causing you to inadvertently cross the line into very expensive HIPAA violation fines.