The Endpoint Ecosystem 2022 Study shows a staggering lack of cohesiveness between employers and employees when it comes to cybersecurity. Commissioned by Mobile Mentor, the study was conducted by the Center for Generational Kinetics in late 2021. Survey respondents were chosen across four regulated disciplines, with healthcare professionals making up 33% of Americans surveyed. The results show a huge disconnect between policies and employee actions. 87% of those surveyed use their personal smartphones for work in a typical week, while only 35% of healthcare-field respondents were enabled to access systems, data, and apps from personal devices. Even when security policies exist, workers often ignore them. 42% of those surveyed reported that they found ways to work around security policies, while 46% allowed family members to use work devices. As all of those surveyed work in fields where data privacy is paramount, these figures suggest that the cybersecurity policies implemented by major companies are in dire need of review.
In June 2020, researchers from MIT and the University of Melbourne published a survey of gray literature concerning hospital BYOD policies. The findings suggest that even in the pre-pandemic world, employee devices pose a risk to cybersecurity. According to one study included in the survey, 39% of devices used by doctors for day-to-day practice became vulnerable to network attacks within a month, often by being connected to an insecure network or public hotspot. Breaches and attacks weren’t just theoretical. A 2016 US study found that nearly 28 million mobile devices with medical apps installed also were infected with high-risk malware.
The 2016 US survey mentioned earlier found that 46% of doctors exchanged patient data via picture message, 65% sent patient data via SMS, and 33% transmitted patient data over WhatsApp. 87% of staff members at an NHS hospital in the UK used similar apps when communicating about patient cases at work. Something as simple as two authorized doctors exchanging patient data by picture message can cause a HIPAA nightmare. In hospital systems, patient data is encrypted, often with homomorphic encryption techniques that allow computers to process the data without ever viewing it in the clear, preserving both processing power and privacy. In a text or picture message, there is no encryption whatsoever.
On top of that, any app that has been granted access to either doctor’s phone storage can read the patient data. WhatsApp purports to be encrypted, but it is not much better: if anyone taps the “report” button in WhatsApp, the full contents of the message chain are unencrypted and flagged for review by Facebook employees. This means that if someone forgets to lock their phone before putting it in their pocket, sensitive patient data can be sent directly to content review teams at Facebook without the patient’s consent.
Building Lasting Solutions
Both the Endpoint Ecosystem study and the 2020 gray literature survey highlighted how dangerous obtrusive security policies are for the longevity and effectiveness of institutional cybersecurity. Forcing users to change passwords too often leads them to use less secure passwords, share passwords with colleagues, or use unauthorized programs for work tasks instead of logging in. Staff members will absolutely switch to apps they’re more comfortable with using, like WhatsApp, Outlook, or Google Sheets, if the approved software provides a worse user experience.
Not only did 2022 survey respondents work around their company security policies to use “shadow IT,” but 57% of respondents also preferred Dropbox and Gmail to the solutions authorized by their workplace. The data seems to indicate that any policy that’s meant to stay effective needs to keep the employee experience in mind. Shadow IT is contagious, too. When your boss shares something with you via an unauthorized app, not only will you likely continue the conversation via that format, you’ll also receive a strong signal that it’s okay to ignore your cybersecurity policy.
Taking Things Seriously
Mobile Mentor’s 2022 study and the 2020 gray literature survey both suggest that medical cybersecurity policies can be vastly improved upon. Both papers show that medical employees are working against company cybersecurity policies and putting critical patient data in places where it could be exposed. Employees are using unauthorized personal devices to access sensitive data, allowing family members to use work devices, exposing devices to unsecured networks, and sending data via unauthorized, unencrypted apps.
Until we get everyone on board and work hard to make our practices easy and efficient for those with their boots on the ground, we’ll continue to see this massive disconnect between corporate cybersecurity policies and the actions taken by employees who have to use the system in their day-to-day work. That shouldn’t be an excuse. It’s time for the medical community to step up its efforts and institute a culture of educated, informed security practices that keep private data private without infringing on the ability of doctors, nurses, and administrators to do their jobs quickly and efficiently.