Healthcare Workers Risk Data Exposure from Smartphone Gambling Apps

Healthcare providers and other HIPAA-covered entities operating Bring Your Own Device (BYOD) schemes will be aware that the use of mobile devices carries risks; however a recent study has highlighted just how risky unauthorized apps can be, with employees’ use of Smartphone gambling apps deemed to be especially risky.

If healthcare workers are allowed to use their own personal devices for work purposes, policies must be put in place covering the permitted use of apps on the device. Apps must be assessed, and employees informed of the applications which can be used securely on the devices.

While an app may never be used for work purposes, if it is installed on a device, security vulnerabilities in that app could potentially be exploited by hackers. An app could therefore be used to gain access to the data stored on the device, or the computer network that the device connects to.

New Study Highlights Data Security Risk from Gambling Apps


A recent study conducted by the security company Veracode, suggests that the average sized company has at least one gambling app being used by employees, and in some cases, up to 35 different apps.

For the study, Veracode analyzed data from hundreds of thousands of mobile phone apps to test for security vulnerabilities. Gambling apps were found to be particularly risky, with many of the popular gambling apps containing critical security vulnerabilities that could potentially be exploited by hackers.

The security vulnerabilities discovered could potentially allow hackers to gain access to the contacts stored on the phone, but also location data, call history, emails, and in some cases, the app would allow a hacker to record phone conversations.

Veracode cited a number of apps that contained critical vulnerabilities, including a casino app that stored identity information and contained code to check to see if the device had been jailbroken. This facility gave the app access to everything stored on the phone, as well including the functionality to record audio and video. Veracode said the app could be exploited by hackers who would be able to alter communications sent via the device.

Other apps lacked data encryption and sent user data across insecure networks. That data could potentially be intercepted, revealing demographic data about the user. For healthcare workers, that information could subsequently be used as part of a spear phishing campaign against that individual.

Veracode tested some of the most common gambling apps, and while no information was provided in the report on the riskiest apps, the company did say it had tested Big Fish Casino, Gold Fish Casino Slots, Zynga Poker, Wonderful Wizard of Oz, Slot Machines House of Fun, GSN Casino and many others.

In order to reduce the risk of data exposure, healthcare providers operating a BYOD scheme must put policies in place to prevent the downloading of risky apps to portable devices used to store or access healthcare data. However, unless risky apps are blacklisted so that they cannot be downloaded onto devices, it will only be a matter of time before an app is downloaded by an employee and patient PHI is placed at risk of exposure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.