Healthcare organizations have become prime targets for cybercriminals employing a wide range of phishing scams. These malicious techniques try to deceive individuals into revealing sensitive information, such as login credentials, financial details, or personal patient data.
With the healthcare industry's valuable patient records, it has become a lucrative playground for these cyber attackers.
In 2023, 50% of healthcare organizations experienced spear phishing attacks, and despite its lower volume compared to other attack vectors, spear phishing was responsible for 66% of all recent healthcare data breaches, further stressing its impact on the sector.
At its core, phishing is a form of social engineering in which attackers use human psychology and behavior to exploit vulnerabilities. By manipulating individuals' natural tendency to be helpful and trusting, phishers can gain access to sensitive information or lure unsuspecting victims into taking actions that benefit the attacker.
Phishing attacks come in various forms, each tailored to specific targets and objectives:
Business email compromise (BEC) scams are advanced phishing attacks that target employees, often in finance or accounts departments, by impersonating high-level executives or authorized personnel. These scams typically request urgent fund transfers, changes to vendor details, or the disclosure of sensitive employee information, trying to trick unsuspecting staff into complying.
Credential harvesting phishing attacks focus on stealing usernames, passwords, and other login credentials to gain unauthorized access to healthcare systems. Attackers often create convincing replicas of legitimate login pages, such as electronic medical record portals or employee intranets, luring victims into providing their login details.
Malware-laden phishing emails are designed to trick recipients into downloading and executing malicious software. These emails may contain infected attachments or links to compromised websites, and successful breaches can compromise patient records, disrupt operations, or even endanger lives.
Spear phishing attacks are highly targeted campaigns that use personal information to tailor the attack to a specific individual or organization. Attackers conduct thorough research to gather data from public sources, social media platforms, or previous data breaches, crafting personalized and convincing phishing emails.
While phishing attacks are often associated with email, vishing attacks use voice communication to deceive victims. In healthcare organizations, vishing attacks may involve fraudulent phone calls impersonating medical staff, insurance providers, or government agencies, trying to obtain sensitive information.
Pharming attacks try to redirect users to malicious websites without their knowledge or consent. In healthcare organizations, these attacks can target patient portals or online payment systems, manipulating the domain name system (DNS) or compromising the organization's network infrastructure to redirect users to fake websites.
With the increasing use of mobile devices in healthcare, smishing attacks have become a growing concern. Smishing, or SMS phishing, involves sending fraudulent text messages to deceive users into providing sensitive information or clicking on malicious links, posing as patient inquiries, appointment reminders, or colleague messages.
As healthcare organizations rely more on digital systems to store and manage patient data, advanced cybersecurity measures have become mandatory. Protecting sensitive information and minimizing the impact of phishing attacks require a multi-layered defense strategy.
Implementing strong authentication controls, such as multi-factor authentication (MFA), together with encryption of stored and transmitted data, can greatly reduce the risk of unauthorized access to healthcare systems. These controls make it more challenging for attackers to compromise login credentials and gain entry to sensitive data.
Employee training and awareness programs equip healthcare staff with the knowledge and skills to identify and respond to phishing attempts. Educating employees on verifying email senders, scrutinizing suspicious links and attachments, and promptly reporting potential threats can create a strong security-conscious culture.
Implementing email filtering and antivirus software can help detect and block malware-laden phishing emails before they reach employees' inboxes. Regular software updates and patches to address known vulnerabilities further strengthen the organization's defenses against these threats.
With the growing reliance on mobile devices in healthcare, implementing mobile security solutions, such as anti-malware apps and SMS filtering, can help detect and block smishing attempts. Educating employees and patients about the risks of sharing sensitive information via text messages and the importance of verifying the authenticity of messages is also necessary.
Regularly conducting security audits and vulnerability assessments can help identify and address potential weaknesses in the healthcare organization's systems. This proactive approach allows for the implementation of targeted security measures to mitigate the risks posed by phishing attacks.
Phishing attacks can severely impact healthcare organizations' HIPAA compliance in several ways:
Phishing attacks have proven extremely costly for healthcare organizations, with some resulting in losses exceeding $100 million and severe damage to reputations.
In February 2014, Anthem Inc. suffered the largest healthcare data breach in history, which went undetected for a year. A phishing email led to malware installation, giving a nation-state actor access to the protected health information (PHI) of 78.8 million members. Anthem Inc. was fined $16 million by the Office for Civil Rights, settled a multi-state action with state attorneys general for $48.2 million, and settled a class action lawsuit with breach victims for $115 million.
In 2015, Premera Blue Cross reported a data breach affecting 10.4 million individuals. The breach, initially occurring in 2014, involved phishing emails that led to malware installation and went undetected for nine months. The Office for Civil Rights fined Premera Blue Cross $6.85 million. Additionally, Premera settled a multi-state action for $10 million and a class action lawsuit for $74 million.
In 2017, UnityPoint Health experienced a phishing attack compromising the PHI of 16,429 individuals. Despite measures to improve email security, a subsequent attack between March and April 2018 compromised the data of over 1.4 million patients in an attempt to divert payroll and vendor payments.
Paubox ExecProtect is a specialized email security solution designed to address targeted phishing attacks, often known as spear-phishing. It works by specifically protecting executive-level email accounts, which are common targets for hackers due to their high-level access and authority. The system uses advanced algorithms and filters to detect and block phishing attempts, including those that use domain name spoofing, where attackers mimic a legitimate domain to trick recipients.
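To make the email-filtering and domain-spoofing checks described above concrete, here is an added example in Python. It is not Paubox code and not part of the original article; it is a small, self-contained triage script showing the kind of header heuristics a filter applies to inbound mail: a Reply-To domain that differs from the From domain, a sender domain that imitates the organization's own (typo-squat or homoglyph), an executive display name paired with an unknown address, urgent payment language, and executable attachments. The organization domain, the protected executive, and the three sample messages are all constructed for the example.

```python
"""Heuristic phishing triage for inbound email (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example; replace with the organization's own.
ORG_DOMAIN = "example-health.org"
# Executives whose display names are likely to be impersonated, mapped to the
# only address each is expected to send from.
PROTECTED_SENDERS = {"jane doe": "jane.doe@example-health.org"}
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "gift card", "payroll")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".vbs", ".iso")
# Character substitutions commonly used to make a fake domain look like a real one.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_domain(domain):
    """Undo visual substitutions so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=ORG_DOMAIN):
    """True for a domain that imitates legit but is not legit itself."""
    if domain == legit:
        return False
    return (normalize_domain(domain) == normalize_domain(legit)
            or edit_distance(domain, legit) <= 2)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return " ".join(chunks)


def analyze(raw_email, legit_domain=ORG_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append("reply-to domain differs from sender domain")
    if is_lookalike(from_domain, legit_domain):
        findings.append(f"sender domain {from_domain} imitates {legit_domain}")
    expected = PROTECTED_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' does not match known address {expected}")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {fname}")
    return findings


def verdict(findings):
    """Simple policy: several signals quarantine, one flags, none delivers."""
    return "quarantine" if len(findings) >= 2 else "flag" if findings else "deliver"


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-health.org>
Reply-To: finance-desk@mail-relay.test
To: payroll@example-health.org
Subject: Urgent wire transfer before noon
Content-Type: text/plain

Please process the attached vendor payment immediately.
"""

BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Q3 budget review agenda
Content-Type: text/plain

Agenda attached for Thursday.
"""

MALWARE_SAMPLE = """\
From: Billing <billing@vendor-portal.test>
To: accounts@example-health.org
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ-placeholder
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE), ("malware", MALWARE_SAMPLE)):
        found = analyze(sample)
        print(label, verdict(found), found)
```

Run as a script, the BEC sample trips four heuristics and is quarantined, the benign internal message passes with no findings, and the invoice message is flagged for its executable attachment. A production filter would add SPF/DKIM/DMARC results and sender reputation on top of these header-only checks.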
The OCR announced a settlement with Lafourche Medical Group, a Louisiana-based group that specializes in occupational medicine, laboratory testing, and emergency medicine. The breach report was filed with the HHS in May of 2021, while the phishing attack was conducted in March of that year. According to the HHS, an unauthorized individual gained access to an email account that contained electronic protected health information (PHI), putting sensitive information of individuals at risk.
In a statement, OCR Director Melanie Fontes Rainer said, “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information.”
“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks,” she added.
Yes, phishing attacks in healthcare are subject to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA). Any unauthorized access to patient information through phishing can lead to severe legal consequences and penalties.
If you suspect a phishing attempt, refrain from clicking on any links or providing personal information. Instead, report the suspicious activity to the legitimate organization being impersonated.
To protect against phishing, be cautious of unsolicited communications, verify the legitimacy of requests for personal information, and use security software to help identify potential threats.
Examples of phishing attacks include emails claiming to be from a bank requesting account details, fake websites mimicking legitimate login pages, and messages impersonating trusted companies requesting sensitive information.
To enhance awareness and preparedness against phishing attacks in healthcare organizations, various tools and resources can be used, including simulated phishing platforms, employee training modules, cybersecurity awareness workshops, and regular security updates to keep staff informed about the latest phishing tactics and best practices for prevention.