In today’s world, almost every piece of technology comes equipped with the ability to access the internet. Phones, watches — even refrigerators — are built to connect. While the intent here is to make life a little easier, an unfortunate side effect is that these connections open up new pathways for cyber criminals.

For organizations that acquire a large amount of sensitive data — health care organizations, for example — these openings become potentially business crippling pathways through which hackers can steal information.

Today, we’re going to discuss what endpoints you need to be paying close attention to and how you can ensure your organization is protected against these threats.

The Threat

In their October newsletter, the Department of Health and Human Services’ Office for Civil Rights (OCR) warned about the dangers unprotected mobile devices can present to electronic protected health information (ePHI).

“As mobile devices are increasingly and consistently used by covered entities, business associates and their workforce members to store or access electronic protected health information, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected,” they wrote.

When it comes to cybersecurity, we often only consider networks, desktop computers or work laptops. Mobile devices like phones and tablets, however, can pose just as much risk to an organization’s security as any traditional interface.

Let’s imagine that an employee at a health care entity sometimes uses their mobile phone to log into their organization’s private portal through which they can access patient information. Or, maybe a doctor uses an encrypted app on a tablet when meeting with patients. While information is easily accessed in this format, it also is more vulnerable. What if the employee loses their device with that web browser still open or valuable information downloaded? What if the doctor’s tablet is stolen? All of these scenarios can lead to private information falling into the wrong hands, which can cause potentially damaging outcomes like being required to pay regulation fees, patient lawsuits and any accessory costs related to suffering a breach.

Attack Avenues

Other than just outright stealing a device, however, what other tactics do cyber criminals use to access these devices? A few common methods include:

  • Ransomware installed on phones via corrupted websites or email links
  • Keyloggers — spyware which records all typed characters on a device, allowing hackers to steal your information
  • Unsecured mobile networks

This last point deserves the most attention. Most mobile devices come unsecure — that is they tend to automatically connect to whatever mobile network is within range — regardless of whether or not it is secure. Unsecured mobile networks found at places like coffee shops or airports may seem convenient and trustworthy, but can be easily spoofed and replicated by clever hackers. What appears to be an official hotel Wi-Fi may in fact be set up by an attacker who seeks to steal all the data a user sends through this fake network.

These attacks make up a considerable portion of breaches as well. OCR reported on November 1st that they had been made aware of 2,109 major breaches this year; attacks which have affected over 176.2 million people. Of this total, 673 breaches — 32 percent — were caused portable devices. That’s the private information of 21.2 million individuals affected because of a misplaced smartphone or a tablet connected to the wrong Wi-Fi.


To begin with, all devices with access to ePHI need to be encrypted. Whether your organization assigns devices to key members of staff or allows them to use their own, your IT department or provider needs to ensure that your device has the proper protections in place. Firm guidelines also need to be laid out among staff to minimize these devices being put in risky situations. This could include company devices only being used onsite or other previously cleared locations.

Risk assessment should also be conducted, along with a strenuous and thorough testing period that can familiarize your employees with popular social engineering tactics. BAI Security’s Red Team Assessment tests for multiple weak points within your organization, while our Social Engineering Evaluation makes sure your employees are properly equipped with the knowledge they need to repel popular hacking tactics.

Perhaps the best deterrent is to just be aware of the threats facing your organization today. Cybersecurity is an ever-evolving field with new attackers and weak points popping up daily. As you move forward, planning for your organization becomes key. Technologies need to be carefully scrutinized and their implications for your security taken into consideration before making any drastic changes. Making some tasks easier is nice, but not at the cost of lacking security.