Mobile Devices in Healthcare: A Growing Cyber Threat to Patient Safety
The increasing reliance on mobile devices within hospitals, while streamlining workflows and improving patient care, has concurrently created a significant and expanding attack surface for cybercriminals, putting sensitive patient data and even lives at risk.
The integration of mobile technology in healthcare has become commonplace, with a recent survey by Imprivata revealing that 67% of healthcare leaders report better coordination and communication, 54% see improved access to clinical applications, and 51% experience faster patient care as direct results. However, this widespread adoption presents a critical vulnerability.
Whether hospitals employ enterprise-wide mobile device fleets or permit “bring your own device” (BYOD) policies, smartphones inherently increase the threat burden. Research from Proofpoint indicates that insecure mobile apps (eHealth) are a top cyber concern for 55% of respondents, closely followed by employee-owned mobile devices at 49%. These devices are often viewed as “low hanging fruit” by malicious actors due to limited oversight compared to core hospital security systems.
A recent report by Imprivata found a concerning disconnect between recognizing the necessity of mobile devices and adequately securing them: while 92% of respondents agreed mobile devices are essential to patient care, only 44% reported having a formal policy for device allocation and usage, and 55% lacked visibility into the applications being accessed. This lack of control is particularly alarming given the projected increase in mobile attacks. Security firm Zscaler reported a nearly 225% surge in mobile attacks targeting the healthcare sector in 2025.
The Intersection of Vulnerability: PHI, Workflows, and Weak Security
The value of mobile devices as targets has become increasingly apparent over time. “In healthcare, mobile devices and apps sit at the intersection of what we would consider sensitive PHI, clinical workflows, and weaker security controls,” explains Bindu Sundaresan, director at LevelBlue, a US-based security service provider.
Healthcare professionals routinely use apps to access patient records, communicate with colleagues, and manage medications. This constant access to Protected Health Information (PHI) makes mobile devices prime targets for attackers. Furthermore, many healthcare organizations struggle to implement robust mobile security measures, leaving devices vulnerable to malware, phishing attacks, and data breaches.
Kelly, a cybersecurity consultant specializing in healthcare, emphasizes the importance of strong authentication. “Healthcare organizations need to move beyond simple passwords and implement multi-factor authentication (MFA) on all mobile devices accessing PHI,” she advises. “This includes enforcing PIN codes or biometric authentication to prevent shared credentials.”
BYOD: The Biggest Risk?
Regardless of whether a hospital lacks an enterprise-level policy or relies on a weak BYOD security framework, the risk significantly increases when healthcare providers use personal devices for work-related tasks. While BYOD, at its best, should utilize strict, HIPAA-compliant app access methodologies and segregate personal and private data, research suggests that many hospitals have underdeveloped policies with insufficient control, visibility, and staff awareness.
Sundaresan points out that personal devices operate outside the hospital’s security perimeter, often with default credentials and outdated software. “From an attacker’s perspective, BYOD creates a large pool of devices with inconsistent security posture that make them easier to exploit.” Attackers can exploit vulnerabilities through malware-laden apps or traditional phishing techniques, gaining access to the entire healthcare network once inside a device. Many healthcare apps also request broad permissions, further complicating security efforts for organizations lacking robust mobile security investments.
A Paradigm Shift in Healthcare Cybersecurity
Healthcare institutions often prioritize technological innovation, such as ambient recording software, over security investments. However, Sundaresan argues that technology and cybersecurity are inextricably linked to innovation and, ultimately, patient care and outcomes.
She notes that when concerns about healthcare data security are raised, the discussion often shifts to financial losses and data breaches, overlooking the profound impact on individuals. Kelly echoes this sentiment, stating, “PHI is virtually priceless. Once it’s out, there’s no making a patient whole again.”
The consequences of a cyberattack extend beyond data theft. A breach could disrupt critical hospital systems, leading to misdiagnoses or incorrect treatments. “Now it becomes life or death,” Sundaresan emphasizes. She believes that cybersecurity should be viewed as an integral component of patient care, not merely a technology-funded initiative.
Security is often approached with a short-term perspective, focused on preventing immediate breaches and reputational damage. However, Sundaresan concludes, “But none of that is truly relevant; security directly impacts patient care, and that’s what matters most of all.”
