New La Trobe University research shows clinicians’ phones are a cybersecurity risk and sensitive patient data could be hacked or accidentally leaked.
The study found sensitive patient data was at a greater risk of being hacked or accidentally leaked from clinicians’ personal devices due to inadequate cybersecurity measures and a tendency for doctors to use their personal phones for medical purposes.
Dr Tafheem Wani, a La Trobe lecturer in Digital Health Information Management, led the study, which was published in the December 2024 edition of The International Journal of Medical Informatics.
It showed clinicians’ phones (and other digital devices) contained sensitive patient information, which was not often protected by antivirus software and passcodes.
Dr Wani said the use of personal devices for work purposes, known as bring your own device (BYOD), had significantly increased in hospitals because clinicians needed efficiency and mobility while at work.
“Some clinicians, particularly doctors, work in several different hospitals, from public to private, and also in different health settings, so a ‘work phone’ does not make sense to them when working in a highly mobile environment,” Dr Wani said.
“Continuing to use personal devices without proper security measures means patient data is at high risk of being leaked or hacked.
“We found that patient data security depends on clinicians’ actions and security behaviour. BYOD devices may lack essential security measures such as antivirus software, passcodes and encryption.”
Dr Wani said clinicians may also have patient data stored together with their personal data, which could lead to inadvertently leaking confidential patient information to their family and friends.
“The main concerns are the risk of a malware intrusion into hospital networks leaving the sensitive data open to hackers; inadvertent patient data sharing; and overly complex security protocols implemented by hospitals, which often drive clinicians to adopt insecure workarounds,” Dr Wani said.
“We also found that hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices.”
Dr Wani said to reduce the leaking of sensitive patient data, clinicians needed specialised BYOD security training, which should be promoted and incentivised by hospitals.
“This study emphasises the importance for hospitals to establish a strong cybersecurity culture with extensive communication between clinical and technical staff, where both data security and clinical productivity are treated as top priorities,” he said.
Dr Wani said this research offered actionable recommendations to guide hospitals in crafting secure and effective BYOD strategies.
“Addressing the cybersecurity risks posed by personal devices is critical for safeguarding patient data and maintaining trust in healthcare systems,” he said.
For this study, 14 interviews were conducted among Australian hospital-based clinicians, but Dr Wani said the problem was widespread.
He has led previous studies on the topic, which included a literature review to identify BYOD security issues and mitigation strategies in hospitals.
Dr Wani has also supervised surveys and interviews with IT managers, technology leaders, and policymakers in Australian hospitals to look at security practices, challenges in implementation, and other factors influencing BYOD decisions. The surveys were done in 28 healthcare services and hospitals covering more than 100 hospitals across Australia.