HEALTHCARE AND MOBILE DEVICES: WHEN CYBERCRIMINALS MAKE A HOUSE CALL

Despite the daily onslaught of cyberattacks against personal and work computers, mobile phones have been relatively safe from criminals until now. Unfortunately, it appears as though the days of these devices being immune from the schemes of hackers are quickly coming to an end. This is especially true in the healthcare industry, where apps transmitting or storing protected health information (PHI) are some of the most desirable targets for cybercriminals.

In early 2022, cybersecurity researchers at Proofpoint detected a 500% increase in attempted malware attacks on mobile devices. These assaults are typically delivered via malicious applications and text messages, created to pilfer login credentials and financial information. However, those examples are just the tip of the iceberg; as these types of attacks become more sophisticated, even more sensitive data is at risk than ever before. Phones and apps store or transmit a variety of valuable data such as coordinates, personal pictures, text messages, and phone calls. If a device is compromised, the stolen data can be used for a variety of nefarious purposes, including identity theft and extortion with consequences ranging from embarrassment to catastrophe.

As such, users must exercise an additional level of caution for healthcare applications for mobile devices. One of the most dangerous subsets of healthcare apps are those related to COVID-19. At the onset of the pandemic, apps were rapidly developed for many purposes such as contact tracing, coordinating venue check-ins, and providing pandemic dashboards. Due to the immense need for these apps, rapid development speed was often prioritized over security precautions, allowing hackers to find weaknesses to leverage for their insidious needs. Research by the data and application security company Intertrust showed that almost 90% of COVID-19 tracing apps had vulnerabilities ”” an extremely concerning statistic when protected health information is at play. Healthcare and medical apps in general are very susceptible to cyberattacks, as almost 75% contain at least one significant vulnerability and more than 90% of apps did not pass a cryptographic test. These vulnerabilities further increase the possibility of a potential protected healthcare information breach.

Aside from app vulnerabilities, app stores can also lead to potential cyber risk. Users looking to install apps onto their devices for healthcare purposes should pay closer attention to where the app is coming from. Due to the secure nature of Apple”™s app store, Apple devices are usually safe when it comes to malware-infected applications. Android users, however, must remain vigilant whenever they are downloading apps, as their app store contains a multitude of apps that are outside of the mainstream or apps that are disguised to look like a legitimate app. At a glance, there could be several apps using a common healthcare provider”™s name on the app store. Individuals looking to install a healthcare app should look closely at the publisher and the reviews before pressing the download button.

In addition to apps and related vulnerabilities, all mobile devices regardless of operating system are susceptible to social engineering text messages sent from criminals. These text message attacks are called smishing because they use SMS (short message service) to phish (i.e., trick) their targets. These texts typically ask the user to reply with sensitive information, download an infected app, or click on a hyperlink that redirects to a website that is a facsimile of a legitimate site, such as a bank or healthcare login portal. The criminal”™s goal is to trick the user into entering their credentials into the fake website, which they then harvest to log in and access sensitive information. Similar to spear phishing attacks delivered by email, users need to be aware of taking any action requested in a text unless if the message was expected from a trusted source, such as an anticipated 2FA verification code request. Even replying without sensitive information can indicate to a hacker that the user is an active, live target, which increases the chances of being the recipient of future attacks.

One tactic that can be used to fight back against smishing attacks is to forward the messages to the number 7726, or SPAM on a phone”™s keypad. An automated message will then be provided by the user”™s wireless carrier with a request to enter the phone number from which the spam text originated from. After submitting the phone number to the wireless carrier to mark as spam, the user can then delete the original spam text to avoid future interaction with that number. To keep your mobile device cybersecurity healthy and safe from attack, consider setting up a meeting to discuss how Citrin Cooperman can help. 

ABOUT THE AUTHOR

Kevin Ricci is a partner with more than 25 years of experience in the information technology field. As part of the firm”™s Technology, Risk Advisory, and Cybersecurity (TRAC) practice, Kevin offers clients specialized technology expertise and cybersecurity solutions, including consulting, IT auditing, Sarbanes-Oxley IT support, security training, project management, database development, data analysis, and compliance services including PCI DSS and HIPAA. Kevin Ricci can be reached at kricci@citrincooperman.com. 

Citrin Cooperman is one of the nation”™s largest professional services firms. Citrin Cooperman & Company, LLP, a licensed independent CPA firm that provides attest services and Citrin Cooperman Advisors LLC, which provides business advisory and non-attest services, operate as an alternative practice structure in accordance with the AICPA”™s Code of Professional Conduct and applicable law, regulations, and professional standards.