Identifying and Avoiding Phishing Attacks That Target Healthcare Workers

On top of caring for patients and helping them battle illnesses, nowadays, healthcare professionals have one additional task on their already lengthy daily to-do lists: contend with cybercriminals. In this article, we dive into one of the most prevalent cyberattacks that target healthcare workers — phishing — and some helpful tips on identifying and thwarting phishing attacks to keep employee and patient data safe.

Phishing attacks targeting healthcare workers and organizations

What is phishing?

Phishing is a kind of social engineering attack that attempts to trick people into giving away their sensitive data, such as their banking information, email or system login credentials, or other personally identifiable information (PII).

Phishing attacks are usually done via email, messages, or phone calls, and leverage human error, fraudulent stories, and manipulation techniques. In this kind of attack, malicious actors pretend to be someone the victim deems to be reputable or trustworthy, prompting the victim to share sensitive information unwittingly by clicking on malicious links leading to fraudulent websites or by unknowingly downloading credential-stealing malware on their machines.

Unfortunately, a successful phishing attack is often only the first step in a larger crime, such as identity theft, a data breach, or a ransomware attack. These can cause great damage to businesses, including business disruption, financial loss, and reputational damage.

Noteworthy phishing attacks in the healthcare sector

A phishing attack that targeted the employees of Presbyterian Healthcare Services caused the exposure of the personal information of 183,000 patients and health plan members in 2019. The employees who fell for the monthlong phishing scheme unwittingly gave malicious actors access to their email accounts and the information of patients and health plan members, including their full names, dates of birth, Social Security numbers, and clinical/health plan data.

In 2022, an alert from the Department of Health and Human Services Cybersecurity Coordination Center warned healthcare providers that cybercriminals were targeting them in a widespread phishing campaign. The threat actors sent phishing emails containing a malicious link that led to a fake Evernote webpage built to steal credentials.

The phishing email is specifically crafted to capture the attention of healthcare organizations and workers: the subject line is personalized with the organization’s name and the phrase “business review.” The email body contains a malicious link that, when clicked, leads the victim to a fake Evernote webpage. There, the victim is instructed to download a malicious HTML file, which is actually phishing malware containing JavaScript code that steals credentials for Outlook, IONOS, AOL, and other platforms.

How to recognize and defend against phishing attacks

It’s important to know how to spot phishing emails when they arrive in your inbox so you can avoid the headaches, as well as the financial and reputational damage, that come with data breaches.

What healthcare employees can do to identify and avoid phishing attacks

1. Be wary of unexpected emails from seemingly trustworthy sources. An email that includes an invoice with an astronomical fee you don’t recognize, or that asks you to register on a site to claim a sizeable government refund, is very likely a phishing attempt.

2. Watch out for urgent or emotionally appealing subject lines and email body content. Cybercriminals will attempt to pressure you into immediately providing sensitive information by making their email appear time-sensitive and critical.

3. Check the sender’s information. If the sender claims to be your bank but the email address is a generic Gmail account rather than a corporate one, it’s probably a scam. Double-check the spelling of the company domain, too. Some cybercriminals register a domain name that resembles a legitimate company’s name but is slightly misspelled, such as “@chaase.com” or “@cltybank” (the latter uses a lowercase “l” in place of the letter “i”).

4. Confirm instructions via other means. If you receive an urgent email from your supervisor asking you to send sensitive information by email, or an email from the finance department asking for your bank details, call them first to confirm that they really sent it.

What healthcare organizations can do to protect patient and employee data against phishing attacks

1. Deploy robust security solutions. Keep threats at bay with security solutions that protect your organization from cyberattacks and reduce its exposure to risk.

2. Conduct regular cybersecurity training sessions for employees. When healthcare employees are aware of ever-changing phishing tactics and techniques, they’ll be better at spotting them and not falling for them. It’s also a good idea to conduct phishing simulations and educate employees on what to do when they receive phishing emails.

3. Use strong email filters. Block spam and potentially malicious emails before they reach your employees’ inboxes.

4. Require multi-factor authentication (MFA). Doing so will help organizations block unauthorized access to critical accounts and systems, protect sensitive data, and comply with HIPAA.
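As an added example that is not part of the original article, the Python script below turns two of the tips above into working logic: the sender-domain inspection from the employee list (look-alike spellings such as “@chaase.com” or “@cltybank”, and brand names used on a generic webmail account) and the inbound email filtering from the organizational list (urgency cues in the subject line and scriptable attachments such as the HTML file used in the fake-Evernote campaign). The trusted-domain allowlist, the phrase list, the attachment list and the sample messages are all constructed for this demonstration; a real filter would take its allowlist from the organization’s own vendor records and run at the mail gateway.

```python
"""Constructed example: score inbound mail on the phishing signals this article
describes (look-alike sender domains, brand names on webmail accounts,
urgency cues, scriptable attachments). Not the article's own code."""
import unicodedata
from email.utils import parseaddr
from typing import Optional

# Assumed allowlist: domains the organization already does business with.
TRUSTED_DOMAINS = ("chase.com", "citybank.com", "evernote.com")

# Consumer webmail providers: fine for a patient, wrong for a bank or vendor.
FREEMAIL_DOMAINS = ("gmail.com", "yahoo.com", "outlook.com", "aol.com")

# Pressure phrases used to make a message feel time-critical (constructed list).
URGENT_PHRASES = ("urgent", "immediately", "action required", "within 24 hours",
                  "account suspended", "business review")

# Attachment types that can carry credential-stealing script, as in the
# fake-Evernote campaign's HTML file.
RISKY_EXTENSIONS = (".html", ".htm", ".js", ".hta")

# Glyphs that attackers swap for look-alike letters, folded before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "$": "s", "3": "e"})


def fold(domain: str) -> str:
    """Canonicalise a domain: ASCII-fold accents, lower-case, map confusable glyphs."""
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = ascii_form.lower().translate(CONFUSABLES)
    # Lower-case L and I are near-identical in many fonts ("cltybank" vs "citybank").
    return folded.replace("l", "i")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(address: str) -> str:
    """Last two labels of the address's domain (assumption: no public-suffix handling)."""
    domain = address.rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # 0 after folding means a pure glyph swap; 1-2 catches typo-squats like "chaase".
        if edit_distance(fold(domain), fold(trusted)) <= 2:
            return trusted
    return None


def triage(message: dict) -> dict:
    """Score one message given as {"from": header, "subject": str, "attachments": [names]}."""
    display_name, address = parseaddr(message["from"])
    domain = registered_domain(address)
    reasons = []

    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain!r} imitates trusted {imitated!r}")

    brand_tokens = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    if domain in FREEMAIL_DOMAINS and any(b in display_name.lower() for b in brand_tokens):
        reasons.append(f"display name {display_name!r} claims a brand but sends from {domain}")

    subject = message.get("subject", "").lower()
    cues = [p for p in URGENT_PHRASES if p in subject]
    if cues:
        reasons.append("urgency cue(s) in subject: " + ", ".join(cues))

    for name in message.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"scriptable attachment {name!r}")

    # Two independent signals is enough to hold the message for the security team.
    verdict = "quarantine" if len(reasons) >= 2 else ("review" if reasons else "deliver")
    return {"verdict": verdict, "reasons": reasons}


SAMPLE_MESSAGES = [  # constructed for this example, not real mail
    {"from": '"Chase Bank Alerts" <alerts@chaase.com>',
     "subject": "URGENT: account suspended, verify within 24 hours",
     "attachments": ["statement.html"]},
    {"from": '"Chase Support" <chase.support@gmail.com>',
     "subject": "Action required: confirm your login",
     "attachments": []},
    {"from": '"Evernote" <share@evernote.com>',
     "subject": "A note was shared with you",
     "attachments": []},
    {"from": '"Billing" <invoices@c1tybank.com>',  # digit 1 where "i" belongs
     "subject": "Invoice 4471",
     "attachments": ["invoice.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(f"{result['verdict']:<10} {msg['from']}")
        for reason in result["reasons"]:
            print("    -", reason)
```

Run as a script, it prints a verdict and the reasons for each sample message. The edit-distance threshold of 2 is deliberately loose so that short, unrelated domains near a trusted one can be flagged for review; that is the intended trade-off for a filter whose false positives are cheap (a human looks) and whose false negatives are a breach.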