Combating phishing in healthcare

Phishing attacks are fraudulent emails, text messages, phone calls, or websites designed to trick users into downloading malware, sharing sensitive information, or taking other actions that expose themselves or their organizations to cybercrime.

According to the Health Sector Cybersecurity Coordination Center, “Phishing is a common tactic for hackers to use against the health sector, because it often leads to data breaches, and the stolen health data has the potential to be lucrative for the attackers. In 2021, the Healthcare Information and Management Systems Society found that the most common attack impacting healthcare organizations was phishing, comprising almost half of all attacks.”

The anatomy of a phish

At its core, phishing is a form of social engineering in which attackers use human psychology and behavior to exploit vulnerabilities. By manipulating individuals' natural tendency to be helpful and trusting, phishers can gain access to sensitive information or lure unsuspecting victims into taking actions that benefit the attacker.

Read also: What is a phishing attack? 

The foundation of phishing

Social engineering is the art of exploiting human psychology to achieve a desired outcome. Attackers study human behavior, identifying patterns and vulnerabilities that they can exploit. They may pose as trusted individuals, such as colleagues or authority figures, to create a sense of familiarity and obligation, or they may use the power of urgency and scarcity to elicit a quick response.

Read more: What is social engineering? 

The impact of phishing

Recent data from the FBI's Internet Crime Complaint Center (IC3) reveals a troubling trend: phishing attacks now top the list of reported cybercrimes, with over 300,000 complaints. These schemes, proven by joint research from the Ponemon Institute and Proofpoint, have seen their financial impact quadruple between 2015 and 2021, with the average successful attack costing a staggering $14.8 million in 2021.

Phishing attacks pose severe risks, including identity theft, credit card fraud, ransomware, data breaches, and financial losses for individuals and organizations. Exploiting human error and using social engineering tactics, these attacks have proven highly effective, resulting in $57 million in losses for Americans in 2019 alone, with businesses facing even greater risks.

The phishing playbook

Phishing attacks come in various forms, each tailored to specific targets and objectives:

Email phishing

Email phishing remains the most common and widespread form of attack. Attackers craft messages that appear to be from legitimate sources, such as a coworker or a trusted organization, and use them to lure victims into clicking on malicious links or downloading infected attachments. The goal is often to harvest credentials or gain a foothold within the target's network.

Spear-phishing

Spear-phishing attacks target specific individuals or groups, often those with elevated access or authority within an organization. Attackers conduct extensive research to gather detailed information about their targets, allowing them to craft highly personalized and convincing messages that are more likely to bypass security measures.

Whaling

Whaling is a specialized form of spear-phishing that targets the highest-level executives within an organization, such as the CEO or CFO. Attackers may use tactics like tax-related scams or impersonation of trusted business partners to gain access to sensitive information or initiate fraudulent financial transactions.

Smishing and vishing

Phishing threats extend beyond email, with attackers exploiting text messages (smishing) and voice calls (vishing) to achieve their objectives. These attacks often use the same social engineering tactics, but the real-time nature of voice and text communication can make them more challenging to detect and mitigate.

The alarming scope of phishing in healthcare

Phishing attacks are increasingly targeting the healthcare industry, making it a prime focus for cybercriminals. IBM’s latest Cost of a Data Breach Report confirms this trend, revealing that healthcare has sustained the highest average data breach costs for 12 consecutive years. But why is this the case: 

The lure of healthcare data

Healthcare records contain a wealth of valuable information, from patient histories and financial data to insurance details and personal identities. This trove of sensitive information makes healthcare organizations a prime target for attackers, who can use the stolen data for identity theft, insurance fraud, and other malicious activities.

The perils of compromised access

Successful phishing attacks can grant attackers access to systems and infrastructure within healthcare organizations. This could enable them to disrupt operations, tamper with medical devices, or gain control over sensitive data, jeopardizing patient safety and the continuity of care.

The cascading consequences

The impact of a successful phishing attack in the healthcare industry can be far-reaching, affecting not only the targeted organization but also its patients, partners, and the broader community. Reputational damage, financial losses, and legal and regulatory consequences can all result from a single phishing incident.

Read more: How do email phishing attacks impact HIPAA compliance? 

Combating the phishing menace

Mitigating the threat of phishing in healthcare requires an approach that combines technological safeguards, employee education, and proactive incident response planning.

Fortifying the technological defenses

Implementing email security measures, such as spam filtering, domain authentication protocols, and advanced threat detection, can help intercept and block phishing attempts before they reach employees' inboxes. 

Empowering employees through education

Regular security awareness programs, simulated phishing exercises, and clear incident reporting protocols can equip employees with the knowledge and confidence to identify and respond to phishing threats.

Cultivating a culture of vigilance

Encouraging employees to be cautious, report suspicious activities, and continuously update their security practices can create a resilient defense against phishing.

Proactive incident response planning

Developing and regularly testing incident response plans can help healthcare organizations swiftly contain the impact of a successful phishing attack. This includes procedures for incident detection, investigation, containment, and recovery, as well as communication strategies to minimize reputational damage and maintain patient trust.

Related: Tips to spot phishing emails disguised as healthcare communication

Our suggestion: Paubox ExecProtect

This is a specialized email security solution designed to address targeted phishing attacks, often known as spear-phishing. Paubox ExecProtect works by specifically protecting executive-level email accounts, which are common targets for hackers due to their high-level access and authority. The system uses advanced algorithms and filters to detect and block phishing attempts, including those that use domain name spoofing, where attackers mimic a legitimate domain to trick recipients.

Learn more: HIPAA Compliant Email: The Definitive Guide

In the news

The groundbreaking settlement between the U.S. Department of Health and Human Services (HHS) and Lafourche Medical Group has captured attention as the first of its kind involving a phishing attack, impacting the confidential health data of 34,862 individuals. This milestone shows the severity of cyber threats such as phishing and the indispensable need for stringent HIPAA compliance to safeguard sensitive health information. 

Beyond the immediate data breach, phishing poses grave risks, including identity theft and reputational harm. Lafourche Medical Group's commitment to a $480,000 settlement and a corrective action plan signals a proactive stance in fortifying cybersecurity measures and preserving patient confidence. This event serves as a wake-up call for healthcare organizations to bolster their cyber defenses and preemptively address cyber threats.

FAQs

Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare are subject to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA). Any unauthorized access to patient information through phishing can lead to severe legal consequences and penalties.

What should I do if I suspect a phishing attempt?

Refrain from clicking on any links or providing personal information. Instead, the suspicious activity should be reported to the legitimate organization being impersonated.

How can I protect myself from phishing attacks?

Be cautious of unsolicited communications, verify the legitimacy of requests for personal information, and use security software to help identify potential threats.

What are some common examples of phishing attacks?

Examples include emails claiming to be from a bank requesting account details, fake websites mimicking legitimate login pages, and messages impersonating trusted companies requesting sensitive information.

What can I use to conduct phishing awareness training in healthcare organizations?

To enhance awareness and preparedness against phishing attacks in healthcare organizations, various tools and resources can be used, including simulated phishing platforms, employee training modules, cybersecurity awareness workshops, and regular security updates to keep staff informed about the latest phishing tactics and best practices for prevention.