The use of mobile devices in hospitals to streamline workflows and improve patient care has become commonplace. For cyber-attackers, this widespread adoption makes them an attractive vector for accessing protected healthcare information (PHI) and other sensitive data.

In busy hospitals, healthcare providers (HCPs) view mobile devices positively. In a survey of 400 healthcare leaders by US security firm Imprivata, 67% cited better coordination and communication, 54% improved access to clinical applications, and 51% faster patient care as direct outcomes of mobile integration.

However, whether under the aegis of enterprise-wide distributed mobile device fleets or permitted for work use under bring your own device (BYOD) security policies, smartphones increase the threat burden placed on hospitals.

And these concerns are pronounced, with research by Proofpoint finding that insecure mobile apps (eHealth) were a top cyber concern for 55% of respondents, followed by employee-owned mobile devices (i.e. BYOD) at 49%.

By adding extra entry points into a hospital’s backend systems that are less likely to have the same visibility or oversight as a hospital’s core security systems, mobile devices are viewed as ‘low hanging fruit’, and an easy target for bad actors to exploit.

Imprivata’s report also found that while 92% agreed that mobile devices were nowadays essential to patient care, only 44% said their organisation had a formal policy to manage device allocation and usage, while 55% lacked visibility into what applications were being accessed.

These discomforting figures come at a time when attacks on mobile devices in healthcare are worsening, with research by US security firm Zscaler revealing that mobile attacks in healthcare increased by almost 225% in 2025.

Mobile devices: a valuable target for cyber-attackers

Over time, the value of mobile devices as targets for cyber-attackers has grown more apparent.

“In healthcare, mobile devices and apps sit at the intersection of what we would consider sensitive PHI, clinical workflows, and weaker security controls,” says Bindu Sundaresan, director at US security service provider LevelBlue.

It is nowadays commonplace for HCPs to use apps to access patient records, approve medication, and communicate with other team members.

“But if you think about it, none of these apps are standalone,” Sundaresan continues. “They often represent a front-end gateway to core hospital systems in the backend.”

This reality, Sundaresan says, means that by compromising a mobile device, an attacker is often also gaining authenticated access to clinical platforms.

Factors driving mobile device attacks

In the view of Dr Sean Kelly, chief medical officer at Imprivata, a lack of comprehensive mobile device management strategies is to blame for the uptick in device attacks.

A hospital may roll devices out across their institution with streamlining workflows top of mind. While passwords and other security methods may be used, Kelly notes that it is unlikely there will be sufficient oversight to ensure these devices have the right security patches and app updates in place – a scenario that often results in broken workflows and the emergence of security holes that cyber-attackers exploit.

Meanwhile, a centralised mobile device security strategy means that factors including security governance, privacy and compliance management can be managed in a single stroke.

“The absence of such a security approach also makes it hard to get devices provisioned correctly, to ensure, for example, that their batteries are healthy and that they are ready to use when HCPs need them,” Kelly adds.

The ideal security policy: strict but easy to use

In Imprivata’s survey, 87% reported access issues due to their enterprise’s approach to mobile device security, with 86% citing usability concerns such as devices being unavailable, uncharged, or lacking the right applications.

Kelly highlights that when device security is ineffectively managed at the enterprise level, such that allocated mobile devices are uncharged, or frustrating to use due to lengthy passwords or multi-factor authentication (MFA), there’s always an awareness that personal devices are “coming into all of our hospitals in our pockets”.

Kelly says: “For any security plan to function effectively, it has to be strict but also easy to use.”

Kelly explains that, by taking an enterprise-level, centralised approach to device security and management, Imprivata can ensure that devices are properly patched and provisioned, avoiding the hazards and security gaps a non-centralised approach can bring.

“When the user comes up and taps in with their badge, the device with the healthiest battery and most up-to-date security patches is allocated to them and is completely de-provisioned from the prior user,” Kelly says.

“What we then do is force a pin on a device that’s managed by a hospital system, and this avoids a common security risk that relates to the same pin codes being shared across all enterprise devices. The HCP now uses that same pin for their whole shift; or they can enrol face ID to get into and out of the phone or its apps, either by auto launching them and seeing the password auto fill, which is our technology, or by using the face.”

Kelly claims that this approach makes a device both more secure and more convenient for workflows.

BYOD: the biggest threat to hospitals?

Whether a hospital lacks an enterprise-level policy or relies on weak BYOD security policy with minimal oversight, the risk significantly increases when HCPs use their personal devices for work functions.

At its best, BYOD is supposed to use strict, HIPAA-compliant hospital app access methodologies, and desegregate personal and private data.

However, research suggests that in many hospitals, BYOD policies are often underdeveloped, with a lack of control or visibility for management to maintain security requirements, and a lack of staff awareness – all factors that can make devices more vulnerable.

Sundaresan highlights that personal devices sit outside the security parameters of a hospital, likely use default credentials, and are unlikely to have been patched sufficiently.

“From an attacker’s perspective, BYOD creates a large pool of devices with inconsistent security posture that make them easier to exploit.”

Whether cyber-attackers fool a user into downloading an app filled with malware or penetrate a device via traditional methods such as phishing by getting a user to open an illegitimate email link, once inside, the bad actor goes for the healthcare network.

Sundaresan continues: “And many healthcare apps will actually expect you to give broad permissions, making it hard for organisations that have not invested in mobile security to actually keep an eye on these devices that are effectively an entry point into the entire healthcare network.”

The ideological step change needed in healthcare

With competing investment priorities for healthcare institutions, Sundaresan highlights that technological innovation such as ambient recording software is always going to be more alluring than a case being made for a new security provision.

She says: “But we need to think about it this way: technology and cybersecurity are both tied to innovation, which is tied to patient care and outcomes.”

Sundaresan shares that when she raises the point about healthcare data being stolen or a false healthcare identity being created, people say “I am not a celebrity. Why do I care about this?”

Kelly points out: “PHI is virtually priceless. Once it’s out, there’s no making a patient whole again. It’s not like a bank where you can just pay someone back the money that was lost; if it gets out that an individual has cancer, for example, that secret is unrecoverable.”

But cyberattacks can go beyond data theft. A cyber breach could also mean that a hospital’s imaging provision has been disrupted, meaning that patients could be wrongly diagnosed or incorrectly treated.

“Now it becomes life or death,” Sundaresan continues. “Yet I feel like every time we talk about cybersecurity, there’s this tendency to take it back to the dollars and the amount of data that’s lost.”

Sundaresan emphasises that hospitals need to perceive security as something intrinsically linked to patient care, rather than solely being a technology-funded initiative.

“This is about recognising that since innovation is about providing better care to patients, then part of that patient care is safety, and part of safety is cyber.”

According to Sundaresan, security is often considered with a short term view: hospitals don’t want their data to be breached, to have their name in the paper, their reputation damaged.

She concludes: “But none of that is truly relevant; security directly impacts patient care, and that’s what matters most of all.”