Mobile device technology appears to be taking off. Lately, it seems there are more non-phone-call uses for mobile devices than there are lightbulb jokes. The healthcare industry is becoming particularly mobile device heavy. However, in terms of cybersecurity, mobile medical device technology is causing headaches for healthcare organizations.
The ability to collect a patient’s health vitals, view lab results and even engage in a consultation through a smartphone is appealing to both healthcare providers and patients. This type of mobile medical practice continues to grow as more products are being introduced all the time. Still, mobile devices, which are rapidly growing in numbers and uses in healthcare, are receptacles for confidential patient data and treatment regimens. They are also all connected to an organization’s network. Cybercriminals wanting to breach a company’s cybersecurity perimeter just need to compromise a single connected mobile device.
Device technology developers and cybercriminals have long been engaged in a game of cybersecurity ping pong. Developers continue to create security measures based on the types of attacks they are aware of, while cybercriminals continue to develop new and more deceptive malware. The following are some of the new or enhanced threats to keep an eye on:
Malware is showing up in popular apps. Cybersecurity experts surmise that hackers have been able to embed malware in legitimate apps, repackage them and then republish them on Google Play. When users download the apps, the malware secretly gains root access to the device to do broad surveillance on the user and even gain access to the enterprise’s network the device is connected to. All of this is carried out without the user’s knowledge or consent.
A botnet is a collection of network-connected devices that are infected and controlled by a type of malware. The malware is hidden in apps that device owners download from different app stores. Once the malware has infected the device, the hacker can incorporate it into a global botnet and control the actions of the device. Having control of the device, the hacker can engage in all kinds of malicious activities such as sending text messages, opening web pages, deleting files and stealing data.
Click fraud piggybacks on botnet technology. Similar to a phishing email, a cybercriminal sends a text message with a link that downloads malware when clicked. When the device is connected to your network, the malware can set up a backdoor, which allows the hacker to easily access your infrastructure and other users. It could take several months for an organization to detect this type of intrusion.
Technology is woven into practically every aspect of our lives. The Internet of Things (IoT), which is the interconnectivity of devices and technologies that communicate through software, is largely responsible for our networked culture. The more things we have on the grid (smartphones, home automation systems, automobiles, medical devices, etc.), the more avenues we create for cyberattacks. Malware developers regularly make enhancements to malicious technology and the amount of damage it can cause. Also, underground sites that sell malware kits designed for infecting IoT devices are popping up everywhere, which means people don’t need to be technology savvy to engage in cyberattacks.
The cost and impact of a security breach is reason enough to invest effort and resources in cybersecurity. Taken a step further, regulated companies with inefficient security measures are at risk for noncompliance. The primary objectives required for achieving regulatory compliance with mobile medical device technology include:
Regulatory guidelines, such as those defined by the HIPAA security rule, don’t prescribe specific policies or technologies for mobile device security. However, compliance with the HIPAA security rule requires the implementation of reasonable and appropriate security measures in medical device technology to achieve these objectives.
Effective cybersecurity begins with having a security mindset. In a connected world, nobody flies under the radar. Human error remains the biggest culprit and weakest link in any security strategy. A bring your own device (BYOD) policy offers convenience, flexibility and more opportunities to be productive. However, it can also undermine any cybersecurity measures you have in place. Here are just a few ways employees can put your company’s security at risk:
Loss or theft – Despite being practically joined at the hip with our smartphones and other mobile devices, people still manage to walk off without them. A mobile device in the wrong hands can render the most advanced security technology system useless. With physical access to a device, it’s relatively easy for a seasoned attacker to circumvent its password lock and even access encrypted data.
Cross-pollinating personal and company devices – Security becomes weaker when users connect personal mobile devices to organization-issued devices, connect organization-issued mobile devices to an untrusted charging station or use a connected mobile device to provide access to another mobile device.
Using unapproved apps to store, sync and share data – Users understandably like to choose the apps they download and use. However, this can present a huge security risk if the app is infected with malware or if security isn’t a priority for the app’s designers. A seemingly innocent recreational app can pave the way for a malicious botnet, which can work its way into your network.
Jailbreaking or rooting a mobile device – Mobile devices are commonly manufactured with default restrictions that limit the software that can be run on them. Jailbreaking (iPhones, iPod touches and iPads) and rooting (Android devices) are processes of bypassing these restrictions in order to install custom apps that otherwise couldn’t be used on the device.
The National Institute of Standards and Technology (NIST) addresses mobile device cybersecurity in its “Guidelines for Managing the Security of Mobile Devices in the Enterprise” document. According to the guidelines, organizations should assume that all mobile devices are untrusted unless the organization has properly secured them and monitors their security continuously while in use with enterprise applications or data.
The NIST guidelines recommend that organizations limit the type of mobile devices that may be used for enterprise access. One limitation is to restrict network access to only organization-owned devices. For companies that have a BYOD policy, access should be limited to only a few web-based resources, such as email. Such a policy might come under protest, but it does give the organization more control over the security risks.
The NIST guidelines also suggest that each organization make its own risk-based decisions regarding the level of enterprise access allowed from which types of mobile devices. Other recommendations include requiring security software on every company-issued and BYOD device that will connect to the network.
There is cybersecurity technology available that includes functionality for malware detection, data encryption, mobile device wiping, etc.
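The NIST recommendations above (treat every device as untrusted until secured, confine BYOD devices to a few web-based resources such as email, and require security software on anything that connects) translate directly into a device posture check at the network edge. The following is an added example, not code from the article or from NIST: a small decision function that takes a device's reported posture and returns an access tier plus the reasons for the decision, so that every denial or downgrade can be logged. The field names, the three tiers and the constructed fleet are assumptions made for the illustration; a real deployment would source the posture fields from its MDM or endpoint agent.

```python
"""Device posture check modelled on the NIST mobile device guidance discussed above.

Added example; the tiers, field names and sample fleet are assumptions for
illustration, not the article's or NIST's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Access tiers (assumed names): full enterprise access, a few web-based
# resources such as email, or no access at all.
FULL = "full"
WEB_EMAIL_ONLY = "web_email_only"
DENY = "deny"


@dataclass
class DevicePosture:
    """What the network edge knows about a device before granting access."""
    device_id: str
    corporate_owned: bool           # organization-issued (True) or BYOD (False)
    mdm_enrolled: bool              # under an enforceable MDM policy
    rooted_or_jailbroken: bool      # manufacturer restrictions bypassed
    storage_encrypted: bool         # data at rest protected if device is lost
    security_software_running: bool # malware detection / wipe agent present
    unapproved_apps: List[str] = field(default_factory=list)


def decide_access(p: DevicePosture) -> Tuple[str, List[str]]:
    """Return (tier, reasons). Reasons are kept for audit logging."""
    reasons: List[str] = []

    # Hard stops that apply regardless of ownership: a rooted or unencrypted
    # device, or one without the required security software, is untrusted.
    if p.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    if not p.storage_encrypted:
        reasons.append("storage is not encrypted")
    if not p.security_software_running:
        reasons.append("required security software is not running")
    if reasons:
        return DENY, reasons

    # BYOD devices are limited to a few web-based resources, whatever else
    # their posture looks like.
    if not p.corporate_owned:
        reasons.append("personally owned device: web-based resources only")
        return WEB_EMAIL_ONLY, reasons

    # Corporate devices get full access only when managed and free of
    # unapproved apps; otherwise they are downgraded rather than refused.
    if not p.mdm_enrolled:
        reasons.append("corporate device is not enrolled in MDM")
        return WEB_EMAIL_ONLY, reasons
    if p.unapproved_apps:
        reasons.append("unapproved apps present: " + ", ".join(p.unapproved_apps))
        return WEB_EMAIL_ONLY, reasons

    return FULL, reasons


# Constructed sample fleet covering each branch of the decision.
CONSTRUCTED_FLEET = [
    DevicePosture("corp-001", True, True, False, True, True),
    DevicePosture("corp-002", True, True, True, True, True),    # rooted
    DevicePosture("corp-003", True, False, False, True, True),  # not in MDM
    DevicePosture("byod-001", False, True, False, True, True),
    DevicePosture("byod-002", False, True, False, False, True), # unencrypted
    DevicePosture("corp-004", True, True, False, True, True, ["FreeFlashlightPro"]),
]


def evaluate_fleet(fleet: List[DevicePosture]) -> Dict[str, str]:
    """Map each device id to its access tier."""
    return {p.device_id: decide_access(p)[0] for p in fleet}


if __name__ == "__main__":
    for p in CONSTRUCTED_FLEET:
        tier, reasons = decide_access(p)
        print(f"{p.device_id}: {tier}  ({'; '.join(reasons) or 'no findings'})")
```

The ordering of the checks is the point: the conditions that make a device untrusted in anyone's hands are evaluated first and produce a refusal, while ownership and management status only decide how much of the enterprise a trusted device may reach. Returning the reasons alongside the tier keeps the decision explainable when a clinician asks why their phone was limited to email.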
Company-mandated cybersecurity awareness and training needs to be part of every organization’s cybersecurity strategy. It’s important to keep all employees up to speed on cybersecurity. Also, most regulatory compliance standards require an enforceable mobile device management (MDM) policy.