HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.

All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second-lowest number of mobile security incidents, behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably since 2017, when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months.

While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as a quarter of healthcare organizations have experienced a breach involving a mobile device and 80% of those entities learned about the breach from a third party.

Since mobile devices are often used to access or store ePHI, a security incident could easily result in a breach of ePHI. Two-thirds (67%) of healthcare mobile security incidents were rated major breaches. 40% of those breaches had major lasting repercussions and, in 40% of cases, remediation was said to be difficult and expensive.

67% of mobile device security incidents saw other devices compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said data was lost. 40% of healthcare organizations that experienced such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised as a result of a mobile security breach.

The main security risks were seen to stem from how employees used their devices. 53% of respondents said personal use of mobile devices posed a major security risk and 53% said user error was a major problem.

65% of healthcare organizations were less confident about their ability to protect mobile devices than other IT systems. Verizon notes that this could be explained, in part, by the lack of effective security measures in place. For instance, just 27% of healthcare organizations were using a private mobile network and only 22% had unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said they sacrificed security to get tasks completed compared to 32% last year. 81% said they use mobile devices to connect to public Wi-Fi even though in many cases doing so violates their company’s mobile device security policy.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.