Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Mitigating and avoiding personal device vulnerabilities

Written by Kapua Iao | December 05, 2025

Healthcare workers rely on technology for day-to-day and critical operations, and personal device use within the industry has increased accordingly. Reports published in 2023 project that the global mobile health market will reach almost $300 billion by 2030. This growth has raised concerns about patient privacy and data security: personal devices are attractive entry points for threat actors who want to access or steal protected health information (PHI).

Vulnerabilities in any device that touches PHI can have serious consequences for healthcare providers, patients, and the data itself. Healthcare organizations therefore need to understand personal device vulnerabilities, how to reduce the chance of a compromise, and how to limit the damage when one does occur.

See also: HIPAA compliant email: The definitive guide (2025 update)

Cybersecurity threats to healthcare

The Health Insurance Portability and Accountability Act (HIPAA) sets the rules governing access to and disclosure of PHI. The HIPAA Privacy Rule establishes national standards for protecting PHI, while the Security Rule establishes the administrative, physical, and technical safeguards required for electronic PHI (ePHI). Healthcare organizations must therefore treat HIPAA compliance, backed by strong security measures, as a priority.

Strong security matters all the more as healthcare data breaches increase. According to reports, 249.09 million individuals were affected by healthcare data breaches from 2005 to 2019, and 157.4 million of them were affected in the final five years of that period alone. Newer accounts show that healthcare data breaches exposed 275 million records in 2024.

Common causes of exposed PHI include accidental disclosure, lost or stolen devices, hacking incidents, phishing, and ransomware. The two most widespread categories of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures (insider threats). Whatever the cause, a breach can have far-reaching consequences and creates serious accountability and liability issues for an organization.

Personal device vulnerabilities in healthcare

The rapid adoption of technology in healthcare has expanded the attack surface of hospitals and given attackers more ways into health systems. Using personal devices for work is convenient, but it brings real problems, and many healthcare organizations do not prioritize personal device security, whether for lack of capability or because of cost.

A recent Verizon report states that nearly half of security professionals reported a mobile device-related compromise within the past year, and another analysis found that nearly 70% of breaches were due to the loss or theft of mobile devices. Other personal device vulnerabilities stem from workers using unsecured Wi-Fi, falling for malware, and poor device management.

Attackers exploit such weaknesses to move from a personal device into an organization's network and disrupt healthcare operations. Once inside, an attacker can hunt for a wide range of sensitive information, starting with medical records that contain patient identifiers, health histories, diagnoses, treatments, and medications.

Further info: Why unsupported software is a risk to healthcare organizations

HIPAA regulations and mobile device usage

HIPAA's requirements extend to mobile devices. Healthcare organizations, and the individuals working for them, must apply appropriate safeguards whenever mobile technology is used to receive, transmit, or store ePHI.

HIPAA does not contain rules written specifically for cell phones; the same overarching regulations apply to any device that handles ePHI. Healthcare providers, covered entities, and business associates can use mobile devices to access ePHI provided appropriate physical, administrative, and technical safeguards are in place, including business associate agreements (BAAs) with any third-party service provider that has access to ePHI.

More info: What are administrative, physical and technical safeguards?

Reasons for personal device attacks in healthcare

Several factors make a personal device a security risk in healthcare. Smartphones, tablets, and wearables used by healthcare workers can store or transmit PHI and therefore need careful management and security controls. Because such devices change hands, leave the premises, and run software the organization does not control, keeping them compliant is an ongoing challenge.

First, personal devices act as gateways to healthcare networks, yet they typically lack the controls of a managed endpoint, such as storage encryption, a firewall, and antivirus software. Second, employees tend to use their own devices for daily work tasks whether or not a policy covers it. Researchers stress the need for hospitals to implement technical and organizational measures, such as a Bring-Your-Own-Device (BYOD) program, to mitigate the risks of device use in healthcare settings.

Loss, theft, and hacking are further concerns: if a personal device falls into the wrong hands, any patient information on it can be compromised. Outdated operating systems, inadequate authentication, and shared devices expose confidential information too, and many healthcare organizations rely on devices that no longer receive, or never received, security updates and patches.

Real-world examples of personal device breaches

Advocate Health Care (2013): Four personal computers storing the unencrypted PHI of 4.03 million patients were stolen.

Medical Informatics Engineering (2015): An attack involving stolen credentials originated from a phishing attack on employee mobile devices.

University of Vermont Health Network (2020): A ransomware attack occurred after an employee accessed their personal email on a work device.

L'Assurance Maladie (2022): Attackers leveraged compromised credentials acquired through mobile devices.

Roswell Park Comprehensive Cancer Center (2024): An employee's phone, which had access to a hospital email account, was stolen.

Consequences of personal device vulnerabilities

While personal devices offer convenience and flexibility, they also pose significant security risks to healthcare organizations. Unlike managed in-house computers, personal devices often lack controls such as encryption, firewalls, and antivirus software, and the loss or theft of a device is one of the primary concerns.

Once a smartphone or tablet connected to a healthcare network falls into the wrong hands, the risk of unauthorized access to sensitive information rises sharply. Attackers commonly hold PHI for ransom or sell it on dark web markets, and some break into a system solely to cause disruption or to harm individual patients.

Outdated operating systems, weak authentication, and sharing a personal device with others further expose confidential data to breaches and HIPAA violations. Because phones, tablets, and laptops serve as gateways to healthcare computing systems, they are natural targets for unauthorized access, and attackers know that healthcare organizations depend on these devices for operations.

Learn about: Is sharing PHI on personal devices safe?

The aftermath: mitigating personal device vulnerabilities

The reality is that personal device breaches do occur, and when they do, healthcare organizations must know how to respond. Providers need to monitor their systems continuously, not only after an incident, for anomalies and unusual behavior. If an organization suspects a breach, it should identify and confirm what happened and then contain it: revoke the device's sessions and credentials, wipe it remotely where possible, and stop any further flow of PHI.

Organizations reduce the impact of such breaches by having firm BYOD policies in place beforehand: keeping sensitive information off personal devices, training staff, and updating and tightening the security controls applied to those devices over time.

They should also conduct thorough security audits and compliance reviews to identify further vulnerabilities. After detection and investigation, organizations must follow the Breach Notification Rule: notify the affected individuals and the Secretary of HHS, and, for a breach affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets as well. Swift and transparent communication lessens the fallout and signals an organization's commitment to remedying the breach and preventing a recurrence.

FAQs

How does HIPAA apply to mobile devices?

HIPAA applies to any mobile device that stores, accesses, or transmits PHI, whether the organization or the employee owns it. Healthcare providers must ensure these devices are secured against unauthorized access.

What should I do if a personal device with PHI is lost or stolen?

Immediately report the incident to your compliance or security officer, trigger any remote wipe capability, and revoke the device's sessions and credentials as well, since a wipe only takes effect once the device comes back online. Then follow your organization's breach response protocol to limit exposure.

How can we keep track of which employees have access to PHI on personal devices?

Use a mobile device management (MDM) system, or at minimum maintain a secure, up-to-date register of approved devices and the users authorized on each, and reconcile access logs against it so that unregistered devices and devices reported lost stand out.
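The last two answers, and the containment and monitoring steps in "The aftermath" above, come down to one recurring check: does every access to ePHI come from a device you know about, in the hands of the person it was enrolled to, that has not been reported lost? The following is an added example, not code from Paubox or from this article. The register layout, the log format, and every device ID, username, and timestamp in it are constructed for illustration; the two parsers would need adapting to whatever your MDM and identity provider actually export.

```python
"""Reconcile device-access events against a BYOD device register.

Added example, not code from Paubox or from this article. The register layout,
the log format, and every device ID, username and timestamp below are
constructed for illustration; adapt the parsers to what your MDM and identity
provider actually export.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed register, in the shape an MDM/BYOD enrolment export might take.
# status: "approved", or "lost" once the user has reported the device lost/stolen.
REGISTER: Dict[str, dict] = {
    "dev-1001": {"user": "rn.alvarez", "status": "approved", "encrypted": True,
                 "reported_at": None},
    "dev-1002": {"user": "dr.chen", "status": "lost", "encrypted": True,
                 "reported_at": "2025-11-30T14:05:00Z"},
    "dev-1003": {"user": "ma.patel", "status": "approved", "encrypted": False,
                 "reported_at": None},
}

# Constructed access log: "<timestamp> <user> <device-id> <application>".
SAMPLE_LOG = """\
2025-11-30T09:12:44Z rn.alvarez dev-1001 email
2025-11-30T13:50:02Z dr.chen dev-1002 email
2025-11-30T15:22:10Z dr.chen dev-1002 email
2025-11-30T16:01:33Z ma.patel dev-1003 ehr
2025-12-01T08:40:19Z rn.alvarez dev-9999 email
2025-12-01T09:05:00Z dr.chen dev-1001 email
"""

Event = Tuple[str, str, str, str]  # (timestamp, user, device, app)


@dataclass
class Finding:
    kind: str        # short machine-readable label, used for triage/routing
    timestamp: str
    user: str
    device: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-column log; skip blank lines, reject malformed ones."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed log line: {line!r}")
        events.append((fields[0], fields[1], fields[2], fields[3]))
    return events


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_access(events: List[Event], register: Dict[str, dict]) -> List[Finding]:
    """Flag the access patterns a BYOD register exists to catch."""
    findings: List[Finding] = []
    for ts, user, device, app in events:
        rec = register.get(device)
        if rec is None:
            # A device nobody enrolled is reaching ePHI: no MDM policy applies, no wipe path exists.
            findings.append(Finding("unregistered_device", ts, user, device,
                                    f"{app} accessed from a device not in the register"))
            continue
        if rec["user"] != user:
            # Shared or borrowed device: the user on the session is not the enrolled owner.
            findings.append(Finding("device_user_mismatch", ts, user, device,
                                    f"device is enrolled to {rec['user']}"))
        if rec["status"] == "lost" and _ts(ts) >= _ts(rec["reported_at"]):
            # Activity after the loss report means wipe/revocation has not taken effect.
            findings.append(Finding("access_after_loss_report", ts, user, device,
                                    f"{app} accessed after device reported lost at {rec['reported_at']}"))
        if not rec["encrypted"]:
            # Unencrypted storage turns a lost device into a reportable breach.
            findings.append(Finding("unencrypted_device", ts, user, device,
                                    f"{app} accessed from a device without storage encryption"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a one-line compliance dashboard entry."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_access(parse_log(SAMPLE_LOG), REGISTER)
    for f in results:
        print(f"{f.timestamp} {f.kind:<24} {f.user} {f.device}: {f.detail}")
    print(summarize(results))
```

On the constructed sample this yields four findings: one access from an unenrolled device, one session where the user does not match the enrolled owner, one access from a device after it was reported lost, and one from a device without storage encryption. The access from dr.chen's phone at 13:50, before the 14:05 loss report, is deliberately not flagged by this rule; in a real investigation you would also review a window before the report time, because a theft usually precedes the moment the user notices it. The "unregistered_device" finding is the most useful signal of BYOD policy drift, since such a device has no MDM policy, no remote wipe path, and no place in the register the FAQ above recommends keeping.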