Phishing in the Healthcare Industry is Real – And Can Have Grave Consequences

April 24, 2018

In the digital age, phishing attacks are an increasing threat to businesses across many industries. This is even truer in the healthcare sector, and it’s easy to understand why. If information really is power, then data on patients’ health histories, together with their financial and personal identification data, is enormously powerful. In fact, the trend of cybercriminals seeking to acquire such data looks to be getting worse rather than better.

It’s important that not just those working in IT for healthcare but everyone – bearing in mind that each of us is a potential target – understands what these threats involve and what healthcare organizations can do to protect their data.

What is phishing?

Phishing is a relatively simple kind of cybercrime. It’s essentially an act of manipulation: the attacker sends a legitimate-looking message by email, social network or SMS while pretending to be someone else. Typically, the message appears to come from a well-known company, such as PayPal or Amazon. In the message, the cybercriminal prompts the victim to carry out a task, such as clicking on a link or opening an attached file. If the target does click on the link, they will often be asked to enter personal information, such as passwords or bank details, which can then be used directly by the cybercriminal or sold on to another unscrupulous party.

Why healthcare?

Hackers choose their targets based on certain criteria. Sometimes they are even employed by a rival country’s government; modern espionage involves more mouse clicks and keystrokes than physical infiltration and secret agents. The motivation for hacking a healthcare organization, however, is easy to understand: money. The healthcare industry is valued at $1.668 trillion.

Another reason healthcare is such a primary target is that organizations in the sector already have their hands tied. The healthcare industry also collects an enormous amount of data. While laws like HIPAA try to protect patient privacy, including through cybersecurity requirements, there’s a big bull’s-eye on health data. While some of these organizations have yet to realize the size of the problem they’re facing, cybercriminals are all too well aware of the opportunities that lie before them.

Healthcare and ID theft

Phishing attacks could even cost lives. A hacker, for example, could access a healthcare organization’s records and steal health insurance and social security information in order to obtain free healthcare for themselves. If they claim surgery under the stolen identity, they’ll likely be asked numerous questions – anything from their allergies to their blood type and medication – and the answers would then be added to the victim’s file. This information may differ from the victim’s actual medical profile. As a result, the next time the victim requires medical assistance, that falsely recorded information could prove literally fatal.

Phishing attacks in healthcare were rife in 2017, with attacks on organizations such as Kaleida Health and the Augusta University Medical Center, the latter of which fell foul of two phishing attacks within 12 months. The NHS in the UK was among the more high-profile cases in the industry as well, falling victim to a global ransomware attack which affected 40 NHS-related organizations. Each infected machine displayed a message demanding that a $300 ransom be paid in digital currency. The attack was the result of a single employee opening one attachment.

It should be obvious by now that there is no end to phishing in sight. The activity means too much, financially, to the perpetrators, and it is too hard to track down the source once an attack has taken place. Phishing attempts are inevitable in this day and age, but that doesn’t mean we can’t avoid falling for them by applying common sense and maintaining a healthy level of scepticism when online. Providing employees with training would be useful in this regard. Conducting ongoing test phishing campaigns to confirm that the training has had its desired effect would also be a useful exercise. Healthcare phishing attacks are unlikely to disappear any time soon. By ensuring that staff are trained and technical safeguards remain up to date, organizations in the sector will place themselves in a far better position to avoid falling prey to the next attack.