Phishing is a well-known issue across all sectors, but how does it operate within healthcare and how can leaders prevent the consequences of mobile phishing from impacting their organisations? Kern Smith, VP of Global Solutions at Zimperium, tells us more.
There are few, if any, sectors that have not profited from the mobile revolution, and healthcare is chief among them. Mobile devices are unlocking new paths in health administration and care delivery, improving patient care and enabling greater efficiencies within the sector.
Agility and access are cardinal values in healthcare: The ability to share data freely and quickly can make real differences in the quality of patient care. As a result, mobile devices have undergirded a serious expansion of capabilities in the sector: Consultations now happen remotely, health data can be shared instantaneously and easily, and access to care has expanded far and wide, all enabled by the presence of the mobile device.
The innovation in this area cannot be overstated. Quite simply: Patients are better off for it, and this new mobile infrastructure is allowing the healthcare industry to forge ahead with new innovations in the mHealth space, offering ways to monitor health data remotely through mobile and IoT devices and extending patient care to new heights.
Mobile rewards come with mobile risks
However, as with any organisation or sector that gets its hands on new transformative technology, healthcare has often failed to anticipate the risks that come with it. Healthcare is a prized target for cybercriminals: Stolen data or unauthorised access to these kinds of organisations fetch high prices on the black market. Furthermore, the healthcare sector has often not been particularly cyber-resilient. Its IT focus generally emphasises access and agility, an oversight that has resulted in many catastrophic security incidents in the past. Mobile devices provide agility and access, but they are simultaneously a particularly underestimated risk across all industries, despite being one of the most common business endpoints in the modern world.
Phishing Healthcare
Taken together, these factors add up to an attractive, potentially lucrative target for attackers. Currently, the sector is facing a particular problem when it comes to mobile phishing. Zimperium’s most recent Global Mobile Threat Report (GMTR) found that phishing made up 39% of the mobile threats arrayed against the sector, making healthcare by far the sector most at risk from mobile phishing. For comparison, the next most at-risk sector was higher education, for which phishing makes up only 4.2% of the mobile threat.
Other studies report similar findings. In 2021, the Healthcare Information and Management Systems Society (HIMSS) found that phishing was the most common attack facing healthcare organisations, accounting for around half of all attacks against the sector.
As the healthcare sector increasingly relies on mobile devices, that disproportionate share of phishing attacks will arrive on the very devices on which doctors, administrators and other healthcare professionals directly receive data and communications. These attacks will extend beyond the mobile inbox to exploit the unique functionality of the mobile device – such as SMS, instant messaging and QR codes – as well as the blind spots in how users interact with them.
The mobile user is particularly vulnerable to phishing threats. Phishing has long been one of the top attack vectors, and organisations have trained their staff to spot these messages in the inbox. On the mobile screen, the telltale signs of a phishing message are not as clear. Not only is the screen smaller, obscuring those signs, but fewer people are aware that a WhatsApp message or SMS can just as easily hide a malicious link, or that a QR code could conceal something just as dangerous. People are generally more likely to click on a phishing link sent to a mobile device than to a desktop. In fact, the Zimperium 2023 Global Mobile Threat Report found that people were between 6 and 10 times as likely to fall for an SMS phishing attack as for an email.
That’s just one potential attack vector, but one that will threaten healthcare organisations in profound ways. Mobile phishing is now being used to compromise healthcare networks, steal information, deploy malware and otherwise paralyse organisations on which human health depends. From that point of view, these kinds of threats have to be viewed not only as threats to data but as threats to patients too. In 2024, the University of Minnesota Medical School released research examining hospital operations after a ransomware attack. The report’s authors found that after such an attack, patient mortality could increase by between 17% and 26%. While a ransomware attack can’t directly harm a patient, the administrative paralysis degrades hospital operations and ultimately leads to lethal outcomes.
Tedros Adhanom Ghebreyesus, Director-General of the World Health Organization (WHO), told the UN Security Council in late 2024: “Cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death.”
From that point of view, a mobile breach could pose serious risks to the operation of a healthcare organisation, paralysing administration and literally endangering patient health. If the sector wants to enjoy the rewards of mobile device use, it will have to control the risks too.