Phishing scams used to attack healthcare organizations

Healthcare organizations have become prime targets for cybercriminals employing a wide range of phishing scams. These malicious techniques try to deceive individuals into revealing sensitive information, such as login credentials, financial details, or personal patient data. With the healthcare industry's valuable patient records, it has become a lucrative playground for these cyber attackers. In 2023, 50% of healthcare organizations experienced spear phishing attacks and despite its lower volume compared to other attack vectors, spear phishing was responsible for 66% of all recent healthcare data breaches, further stressing its impact on the sector.

Understanding the anatomy of phishing attacks

At its core, phishing is a form of social engineering in which attackers use human psychology and behavior to exploit vulnerabilities. By manipulating individuals' natural tendency to be helpful and trusting, phishers can gain access to sensitive information or lure unsuspecting victims into taking actions that benefit the attacker.

Phishing attacks come in various forms, each tailored to specific targets and objectives:

Business email compromise (BEC) scams

BEC scams are advanced phishing attacks that target employees, often in finance or accounts departments, by impersonating high-level executives or authorized personnel. These scams typically request urgent fund transfers, changes to vendor details, or the disclosure of sensitive employee information, trying to trick unsuspecting staff into complying.

Credential harvesting phishing attacks

Credential harvesting phishing attacks focus on stealing usernames, passwords, and other login credentials to gain unauthorized access to healthcare systems. Attackers often create convincing replicas of legitimate login pages, such as electronic medical record portals or employee intranets, luring victims into providing their login details.

Malware-laden phishing emails

Malware-laden phishing emails are designed to trick recipients into downloading and executing malicious software. These emails may contain infected attachments or links to compromised websites, and successful breaches can compromise patient records, disrupt operations, or even endanger lives.

Spear phishing attacks

Spear phishing attacks are highly targeted campaigns that use personal information to tailor the attack to a specific individual or organization. Attackers conduct thorough research to gather data from public sources, social media platforms, or previous data breaches, crafting personalized and convincing phishing emails.

Vishing attacks

While phishing attacks are often associated with email, vishing attacks use voice communication to deceive victims. In healthcare organizations, vishing attacks may involve fraudulent phone calls impersonating medical staff, insurance providers, or government agencies, trying to obtain sensitive information.

Pharming attacks

Pharming attacks try to redirect users to malicious websites without their knowledge or consent. In healthcare organizations, these attacks can target patient portals or online payment systems, manipulating the domain name system (DNS) or compromising the organization's network infrastructure to redirect users to fake websites.

Mobile phishing attacks

With the increasing use of mobile devices in healthcare, smishing attacks have become a growing concern. Smishing, or SMS phishing, involves sending fraudulent text messages to deceive users into providing sensitive information or clicking on malicious links, posing as patient inquiries, appointment reminders, or colleague messages.

Read more: What is a phishing attack? 

Defending against the phishing onslaught

As healthcare organizations rely more on digital systems to store and manage patient data, advanced cybersecurity measures have become mandatory. Protecting sensitive information and minimizing the impact of phishing attacks require a multi-layered defense strategy.

Strengthening authentication processes

Implementing strong authentication protocols, such as multi-factor authentication (MFA) and encryption, can greatly reduce the risk of unauthorized access to healthcare systems. Authentication processes make it more challenging for attackers to compromise login credentials and gain entry to sensitive data.

Fostering a security-conscious culture

Employee training and awareness programs equip healthcare staff with the knowledge and skills to identify and respond to phishing attempts. Educating employees on verifying email senders, scrutinizing suspicious links and attachments, and promptly reporting potential threats can create a strong security-conscious culture.

Enhancing email security

Implementing email filtering and antivirus software can help detect and block malware-laden phishing emails before they reach employees' inboxes. Regular software updates and patches to address known vulnerabilities further strengthen the organization's defenses against these threats.

Securing mobile devices

With the growing reliance on mobile devices in healthcare, implementing mobile security solutions, such as anti-malware apps and SMS filtering, can help detect and block smishing attempts. Educating employees and patients about the risks of sharing sensitive information via text messages and the importance of verifying the authenticity of messages is also necessary.

Conducting regular security assessments

Regularly conducting security audits and vulnerability assessments can help identify and address potential weaknesses in the healthcare organization's systems. This proactive approach allows for the implementation of targeted security measures to mitigate the risks posed by phishing attacks.

Read more: Combating phishing in healthcare 

How do phishing attacks affect healthcare organizations' HIPAA compliance?

Phishing attacks can severely impact healthcare organizations' HIPAA compliance in several ways:

• Initial breach through phishing email: A phishing email tricks an employee into clicking a malicious link, opening an attachment, or revealing sensitive information such as login credentials.
• Unauthorized access to PHI: Once the attacker has access, they can steal or manipulate protected health information (PHI), violating HIPAA’s privacy rule, which mandates the protection of patient data.
• Installation of malware or ransomware: Phishing attacks may install malware or ransomware, compromising the integrity and availability of PHI, both of which are protected under HIPAA.
• Disruption to healthcare operations: Such attacks can disrupt healthcare services, leading to delayed or compromised patient care, and further HIPAA non-compliance regarding patient safety and care quality.
• Risk assessment failure: HIPAA’s security rule requires regular risk assessments and security measures to protect electronic PHI (ePHI). A phishing attack may indicate a failure in these measures, highlighting non-compliance.
• Notification and reporting breaches: HIPAA mandates reporting breaches involving PHI. Failure to report breaches in a timely manner results in additional non-compliance.
• Mandatory remediation efforts: After an attack, organizations must address vulnerabilities, enhance security measures, and regain compliance, often requiring substantial financial and operational resources.

Costly examples of phishing attacks on healthcare organizations

Phishing attacks have proven extremely costly for healthcare organizations, with some resulting in losses exceeding $100 million and severe damage to reputations.

Anthem Inc.

In February 2014, Anthem Inc. suffered the largest healthcare data breach in history, which went undetected for a year. A phishing email led to malware installation, giving a nation-state actor access to the protected health information (PHI) of 78.8 million members. Anthem Inc. was fined $16 million by the Office for Civil Rights, settled a multi-state action with state attorneys general for $48.2 million, and settled a class action lawsuit with breach victims for $115 million.

Premera Blue Cross

In 2015, Premera Blue Cross reported a data breach affecting 10.4 million individuals. The breach, initially occurring in 2014, involved phishing emails that led to malware installation and went undetected for nine months. The Office for Civil Rights fined Premera Blue Cross $6.85 million. Additionally, Premera settled a multi-state action for $10 million and a class action lawsuit for $74 million.

UnityPoint Health

In 2017, UnityPoint Health experienced a phishing attack compromising the PHI of 16,429 individuals. Despite measures to improve email security, a subsequent attack between March and April 2018 compromised the data of over 1.4 million patients, trying to divert payroll and vendor payments.

Our suggestion: Paubox ExecProtect

This is a specialized email security solution designed to address targeted phishing attacks, often known as spear-phishing. Paubox ExecProtect works by specifically protecting executive-level email accounts, which are common targets for hackers due to their high-level access and authority. The system uses advanced algorithms and filters to detect and block phishing attempts, including those that use domain name spoofing, where attackers mimic a legitimate domain to trick recipients.

Learn more: HIPAA Compliant Email: The Definitive Guide

In the news

The OCR announced a settlement with Lafourche Medical Group, a Louisiana-based group that specializes in occupational medicine, laboratory testing, and emergency medicine. The breach report was filed with the HHS in May of 2021, while the phishing attack was conducted in March of that year. According to the HHS, an unauthorized individual gained access to an email account that contained electronic protected health information (PHI), putting sensitive information of individuals at risk. 

In a statement, OCR Director Melanie Fontes Rainer said, “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information.” 

“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks,” she added. 

See more: OCR settles landmark phishing case that affected 35,000 patients 

FAQs

Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare are subject to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA). Any unauthorized access to patient information through phishing can lead to severe legal consequences and penalties.

What should I do if I suspect a phishing attempt?

Refrain from clicking on any links or providing personal information. Instead, the suspicious activity should be reported to the legitimate organization being impersonated.

How can I protect myself from phishing attacks?

Be cautious of unsolicited communications, verify the legitimacy of requests for personal information, and use security software to help identify potential threats.

What are some common examples of phishing attacks?

Examples include emails claiming to be from a bank requesting account details, fake websites mimicking legitimate login pages, and messages impersonating trusted companies requesting sensitive information.

What can I use to conduct phishing awareness training in healthcare organizations?

To enhance awareness and preparedness against phishing attacks in healthcare organizations, various tools and resources can be used, including simulated phishing platforms, employee training modules, cybersecurity awareness workshops, and regular security updates to keep staff informed about the latest phishing tactics and best practices for prevention.