Can Your Phone Be Tracked Without You Knowing?
Phone tracking is more common and more accessible than most people realize. For senior living operators, the stakes are higher than personal privacy. Executive directors, Directors of Nursing (DONs), and clinical staff carry phones that contain resident medical charts, family contact information, eMAR alerts, email with Protected Health Information (PHI), and often banking and payroll access. A compromised phone is not just a personal inconvenience. It is a potential data breach. Phone compromise is one of several mobile threats covered in our complete cybersecurity guide for senior living.
How Phone Tracking Works
There are several methods that bad actors use to monitor a phone without the owner's knowledge.
- Spyware apps. Commercial surveillance software can be installed in minutes if someone has brief physical access to your phone and knows (or watches you enter) the unlock code. On Android this is usually a sideloaded app installed from outside the Play Store; on iOS, which does not allow sideloading, it typically requires a jailbroken device or access to the victim's Apple account so that iCloud backups can be pulled instead. Once installed, these apps run silently in the background, recording calls, capturing text messages, logging keystrokes, and transmitting location data. The FTC has taken enforcement action against companies selling this type of software.
- Phishing links. A malicious link in a text message or email is the most common delivery route. On an up-to-date phone a single tap rarely installs anything by itself; the link usually leads to a page that harvests the victim's work or Apple/Google credentials, or prompts them to approve an app, a configuration profile, or a fake "security update" that then does the tracking. Phishing attacks surge during predictable seasonal windows, and these mobile-targeted campaigns are increasingly sophisticated, often impersonating trusted contacts or services.
- Over-broad location permissions. Many apps request location permissions that users grant without reviewing, often "always" rather than "only while using the app." Some of these apps share location data with third parties continuously, so an attacker does not need to compromise the phone at all; they only need to buy or breach the data downstream.
- Stalkerware. A category of commercially available software specifically designed to monitor another person's phone. It is marketed for "parental monitoring" but is routinely used for unauthorized surveillance.
Why This Matters for Senior Living
The phones carried by senior living staff are not just personal devices. They are access points to sensitive systems. A compromised phone can expose emails containing resident medical data, passwords to clinical and financial systems, and banking credentials. Once those credentials are exposed, attackers use them to access systems as legitimate users. Under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, unauthorized access to unsecured PHI through a compromised or lost device is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. PHI that was encrypted in line with HHS guidance is the main exception, which is one reason device encryption matters so much.
According to Verizon's Data Breach Investigations Report, the average data breach costs small businesses approximately $120,000. For a senior living community, that figure does not account for the regulatory penalties, family trust damage, and operational disruption that follow.
Signs Your Phone May Be Compromised
- Unusual battery drain. Surveillance software runs continuously in the background, consuming significantly more power than normal usage.
- Unexpected data usage spikes. Tracking apps transmit data regularly. A sudden increase in cellular data usage with no change in your habits warrants investigation.
- Phone runs hot when idle. If your phone is warm to the touch when you have not been using it, background processes may be running that should not be.
- Unfamiliar apps or processes. Check your installed applications regularly. Spyware sometimes appears as a generic utility or system process.
- Background noise on calls. Clicking, static, or echo during phone calls can indicate call interception, though network issues can also cause similar symptoms.
What Is Mobile Device Management and Why Does Senior Living Need It?
Mobile Device Management (MDM) is a technology platform that allows an organization to enforce security policies on every phone, tablet, and laptop that accesses its systems. For senior living communities, MDM is not a luxury feature. It is a HIPAA compliance requirement in practice, even though the regulation does not mention MDM by name.
HIPAA's Security Rule requires administrative, physical, and technical safeguards for any device that creates, receives, stores, or transmits electronic Protected Health Information (ePHI). In practice that means mobile devices must be included in the organization's risk analysis, access controls and encryption must be evaluated and applied to reduce risk to a reasonable level, workforce members must be trained on appropriate device use, and the organization must be able to respond when a device is lost or stolen. HHS guidance on mobile devices specifically recommends remote lock and remote wipe capabilities for devices that store or access ePHI, and auditors expect to see them.
MDM delivers these requirements through a single management platform. With MDM in place, your IT provider can enforce device encryption so that a lost phone does not expose resident data. They can require strong PINs or biometric authentication before the device unlocks. They can restrict which applications are allowed to access work email and clinical systems. They can remotely wipe all organizational data from a device that is lost, stolen, or belongs to an employee who has left the organization. And they can monitor compliance status across every enrolled device in real time.
The scale of the risk justifies the investment. Research indicates that mobile devices are involved in 48 percent of healthcare data breaches. With 85 percent of healthcare workers using personal devices for work-related tasks, the attack surface in a typical senior living community extends well beyond the computers sitting on desks in the front office.
What Should Your Organization's Mobile Device Policy Include?
A written mobile device policy is the foundation of organizational device security. Without one, your community is relying on individual employees to make security decisions that have regulatory and legal consequences for the entire organization. An effective policy should address the following areas.
- Device eligibility and registration. Define which devices are permitted to access organizational systems. Require all devices, whether company-issued or personal, to be registered with your IT department before they can connect to work email, clinical applications, or internal networks.
- Acceptable use boundaries. Specify what types of data can and cannot be stored on mobile devices. Resident health records, family contact information, and financial data should never be stored locally on a personal phone without encryption and MDM enrollment.
- Authentication requirements. Require MFA for all applications that contain or provide access to PHI. Require a minimum PIN length or biometric lock on every enrolled device. Set an automatic lock timeout of no more than five minutes of inactivity.
- Lost or stolen device procedures. Document the exact steps an employee must follow if their device is lost or stolen, including who to notify, the timeline for reporting (immediately, not the next business day), and the authorization for IT to perform a remote wipe.
- Separation of personal and work data. If your community allows Bring Your Own Device (BYOD), require containerization that separates work applications and data from personal content. When an employee leaves, IT should be able to wipe the work container without touching personal photos, messages, or apps.
- Network access restrictions. Personal devices should connect to a guest network, not the same network segment that carries clinical traffic, nurse call data, or payment processing. Network segmentation is how PCI DSS scope is kept down (systems that cannot reach the cardholder data environment are out of scope) and is a HIPAA best practice for the same reason: a compromised phone on the guest Wi-Fi cannot see the EHR server.
- Compliance monitoring and enforcement. Define what happens when a device falls out of compliance, such as a missing operating system update or a disabled PIN. The policy should specify automatic enforcement actions: warn the user, restrict access, or quarantine the device until compliance is restored.
What Are Five Steps to Protect Yourself and Your Organization?
- Run a security scan. On Android, make sure Google Play Protect is enabled and use a reputable mobile security application to scan for known spyware and stalkerware. On iOS, third-party apps cannot inspect other apps, so a "scan" means checking Settings for configuration profiles or an MDM enrollment you did not set up, running Apple's Safety Check, and reviewing which devices are signed in to your Apple account. For organizational devices, deploy a mobile threat defense solution that monitors continuously rather than on demand.
- Audit app permissions. Review which apps have access to your location, microphone, camera, and contacts. Revoke permissions for any app that does not need them to function. At the organizational level, use MDM to restrict which apps can be installed on enrolled devices and block apps with known privacy or security risks.
- Keep devices updated. Operating system updates patch known vulnerabilities that tracking software exploits. Delaying updates leaves those vulnerabilities open. For organizational devices, use MDM to enforce update deadlines. Devices that fall behind on updates by more than 30 days should lose access to clinical systems until they are current.
- Factory reset if compromised. If you have reason to believe a device has been compromised, a factory reset removes most spyware. It does not help if the attacker is tracking you through your Apple or Google account rather than software on the phone, so also change those passwords, turn on MFA, and sign out every unrecognized device or session. Back up only the data you need (photos, contacts) before the reset and set the phone up fresh; restoring a full device backup can reinstall the same malicious app. For organizational devices, IT should initiate the wipe remotely and supervise the restoration to ensure no compromised applications are reinstalled.
- Implement MDM and enforce your mobile device policy. Enable biometric authentication, use a strong PIN, and configure devices to auto-lock after a short period of inactivity. Deploy MDM across all devices that access organizational systems. Enforce encryption, remote wipe capability, and containerization for BYOD devices. Review enrolled device compliance reports monthly and address non-compliant devices immediately.
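The compliance monitoring described in the policy section and the update deadline in step 3 come down to a small set of rules applied to every enrolled device. The following Python is an added example, not code from the original article or from any MDM vendor; it evaluates a constructed device-inventory export against those rules. The record fields, the 14-day warning threshold, and the mapping of findings to warn/restrict/quarantine actions are assumptions chosen to mirror the text (PIN or biometric required, auto-lock within five minutes, encryption on, updates within 30 days, escalating enforcement).

```python
"""Policy evaluation over an MDM device inventory export.

Added example for this article, not code from the original page or from any
MDM product. Field names, thresholds and the finding-to-action mapping are
assumptions that follow the policy in the text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Enforcement actions in increasing severity; a device receives the most
# severe action that any single finding triggers.
COMPLIANT, WARN, RESTRICT, QUARANTINE = "compliant", "warn", "restrict", "quarantine"
SEVERITY = {COMPLIANT: 0, WARN: 1, RESTRICT: 2, QUARANTINE: 3}

MAX_LOCK_TIMEOUT_MIN = 5   # policy: auto-lock after at most five minutes of inactivity
UPDATE_GRACE_DAYS = 30     # policy: more than 30 days behind on OS updates loses access
UPDATE_WARN_DAYS = 14      # assumption: warn the user two weeks before the hard deadline


@dataclass
class Device:
    device_id: str
    owner: str
    passcode_set: bool
    lock_timeout_min: int
    encrypted: bool
    mdm_enrolled: bool
    # Date the pending OS update became available; None when the device is current.
    update_pending_since: Optional[date]


def days_update_overdue(dev: Device, today: date) -> int:
    """Days an available OS update has gone uninstalled (0 when current)."""
    if dev.update_pending_since is None:
        return 0
    return max(0, (today - dev.update_pending_since).days)


def evaluate(dev: Device, today: date) -> Tuple[str, List[str]]:
    """Return the enforcement action for one device plus the findings behind it."""
    action = COMPLIANT
    findings: List[str] = []

    def flag(new_action: str, reason: str) -> None:
        nonlocal action
        if SEVERITY[new_action] > SEVERITY[action]:
            action = new_action
        findings.append(reason)

    # Unencrypted storage or no screen lock means a lost phone exposes ePHI
    # directly, so both are treated as quarantine conditions (assumed mapping).
    if not dev.encrypted:
        flag(QUARANTINE, "storage encryption disabled")
    if not dev.passcode_set:
        flag(QUARANTINE, "no PIN or biometric lock")
    elif dev.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        flag(RESTRICT, f"auto-lock {dev.lock_timeout_min} min exceeds {MAX_LOCK_TIMEOUT_MIN} min")
    if not dev.mdm_enrolled:
        flag(RESTRICT, "device not enrolled in MDM")

    overdue = days_update_overdue(dev, today)
    if overdue > UPDATE_GRACE_DAYS:
        flag(RESTRICT, f"OS update {overdue} days overdue (limit {UPDATE_GRACE_DAYS})")
    elif overdue > UPDATE_WARN_DAYS:
        flag(WARN, f"OS update {overdue} days overdue, access lost in {UPDATE_GRACE_DAYS - overdue} days")

    return action, findings


def compliance_report(inventory: List[Device], today: date) -> Dict[str, str]:
    """Map each device_id to the enforcement action the policy calls for."""
    return {dev.device_id: evaluate(dev, today)[0] for dev in inventory}


# Constructed sample inventory (not real devices) covering each outcome.
TODAY = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    Device("ed-01", "executive director", True, 2, True, True, None),
    Device("don-02", "DON", True, 5, True, True, date(2024, 6, 10)),        # 20 days -> warn
    Device("rn-03", "charge nurse", True, 15, True, True, None),            # lock timeout -> restrict
    Device("cna-04", "CNA (BYOD)", True, 1, True, True, date(2024, 5, 1)),  # 60 days -> restrict
    Device("cna-05", "CNA (BYOD)", False, 0, True, True, None),             # no PIN -> quarantine
    Device("agency-06", "agency nurse", True, 2, False, False, None),       # unencrypted -> quarantine
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        action, findings = evaluate(dev, TODAY)
        print(f"{dev.device_id:10} {action:10} {'; '.join(findings) or 'ok'}")
```

In practice the inventory would come from the MDM's reporting API or a CSV export, and the returned action would drive the MDM's conditional-access or device-group assignment rather than a printed report; the point is that the policy is expressed once, as rules, and applied to every device the same way each month.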
The devices your team carries every day are both essential tools and potential vulnerabilities. Securing them is not optional when those devices access resident health information. An organizational approach, combining a written mobile device policy, MDM enforcement, and ongoing employee training, is the only way to manage mobile risk at scale.
Related Reading
- How Hackers Are Getting Into Senior Living Communities. -- Phone compromise is one of several identity-based attack vectors targeting senior living.
- A Senior Living Operator Was Breached in March. -- What a real attack looks like when it reaches a senior living portfolio.
Are your team's devices putting resident data at risk?
Tech for Senior Living provides a free data security checkup for senior living communities. We assess mobile device security, email protection, and access controls to identify vulnerabilities before they become breaches. Practical recommendations tailored to your community's environment.
Schedule Your Free Data Checkup