Posted by David Harley on April 7, 2016.
I was asked for my response to Skycure’s mobile threat intelligence report, which claimed that ‘One in Five Doctors’ Mobile Device Might be at High Risk’. Not that I’ve seen the actual report, only a somewhat speculative press release, so my answers might be seriously off beam. At any rate, they weren’t used by the magazine, so here they are, for what they’re worth. 🙂
How much of a data-attack target is the medical industry?
That depends on the type of attack you have in mind. While sensitive medical data are a very attractive target, mobile devices are probably in some senses less accessible for targeted attacks. It depends on (a) the extent to which staff use mobile devices rather than static devices (or even laptops), (b) the extent to which they have access on such devices to the databases that hold such data, and (c) the type of device and the way in which it is (or isn’t) protected. If the mobile device is a more or less unrestricted portal to a healthcare network (or information is actually physically stored on the device, as Skycure suggests), then there is potential for a serious problem. (Which is why the security industry tends to advocate Choose Your Own Device rather than Bring Your Own Device, so that there’s some degree of central security control and segmentation of data access.) It might be worth mentioning Dino Dai Zovi’s assertion at Black Hat Asia that the diversity of the Android ecosystem is actually a strength, since there isn’t one exploit to own them all, so to speak. I’m not totally convinced by that argument, but in terms of targeted attacks it does have some credibility.
What challenges does the medical industry face to keep the data of patients secure?
Well, in the UK, healthcare (in the NHS at any rate) is fairly tightly regulated. Or was when I was working as an NHS security manager, but that was ten years ago. So there’s the usual forest of (sometimes contradictory) mandated policies, regulations and guidelines to negotiate, but only limited resources are available for security technology, training, and so on.
As regards the last comment, there was a lot more to say from a US vantage point (and even from a UK perspective), but I had the journalist’s deadline to consider. Maybe I’ll come back to the topic another time.