Healthcare phishing insights from the HIMSS Cybersecurity Survey
Lusanda Molefe May 18, 2025 5:00:19 PM

In today's healthcare landscape, data breaches remain a persistent and devastating threat, with social engineering, and phishing in particular, the main cause of compromises. According to Lee Kim, Senior Principal of Cybersecurity & Privacy at HIMSS, "Social engineering is the common root cause behind many security incidents in healthcare." While basic phishing awareness exists in many organizations, attackers now deploy a sophisticated and diverse range of tactics specifically crafted to exploit healthcare environments. The 2024 HIMSS Healthcare Cybersecurity Survey reveals this evolving attacker playbook, showing that generic awareness training no longer provides sufficient protection against today's targeted threats.
The survey data exposes a concerning reality: healthcare organizations face not one type of phishing but a complex array of social engineering tactics. From traditional email phishing to more sophisticated approaches like business email compromise, SMS phishing, voice phishing, and even emerging deepfake technologies, attackers are continuously refining their methods to bypass security controls and exploit human vulnerabilities within healthcare settings. Understanding this diverse playbook can help healthcare organizations develop effective defensive strategies that protect sensitive patient data, clinical operations, and organizational integrity.
Learn more: Understanding email threats targeting healthcare
General email phishing still dominates
Despite the emergence of more sophisticated tactics, traditional email phishing remains the most common initial compromise vector, accounting for 63% of incidents according to the HIMSS survey. These attacks usually involve mass-distributed emails designed to trick recipients into clicking malicious links, downloading malware, or revealing credentials.
In healthcare environments, these attacks often leverage common scenarios that resonate with staff, like fake login pages for electronic health record systems or webmail portals, security alerts warning about supposed account compromises, fraudulent invoices from medical suppliers, or notifications disguised as coming from healthcare associations or regulatory bodies. One prevalent example involves emails impersonating electronic health record vendors announcing "critical updates" that require immediate login through a provided link.
The continued success of these attacks stems from several factors:
- The sheer volume of attempts
- Healthcare staff who are often overworked and rushing through emails
- Occasional gaps in technical filtering capabilities
- The universal human tendencies toward curiosity and urgency
Even basic phishing attempts frequently serve as the initial gateway for more damaging attacks like ransomware deployments or network infiltration that can disrupt patient care and compromise sensitive data.
Targeted email attacks
Spear-phishing (34%)
Unlike general phishing campaigns, spear-phishing involves highly personalized emails targeting specific individuals or small groups within healthcare organizations. Attackers research their targets through LinkedIn profiles, social media accounts, provider directories, and organizational charts to craft convincing, contextually appropriate messages.
In healthcare settings, these attacks take several forms: emails seemingly from colleagues referencing specific departmental projects or patients (using generic terms to avoid HIPAA violations while maintaining believability), messages impersonating IT support that mention known system issues within the organization, communications appearing to be from HR about benefits changes relevant to the recipient's employment status, or fake conference invitations tailored to the recipient's medical specialty.
Some effective healthcare spear-phishing tactics involve emails that appear to be from clinical leadership requesting urgent review of attached "patient data" for a quality improvement initiative. The attachment, when opened, deploys malware designed to access patient records or install ransomware.
Business email compromise (BEC) (31%)
Business email compromise represents a specialized type of spear-phishing focused on financial fraud or unauthorized data access. These attacks involve impersonating executives, trusted vendors, or partner organizations to manipulate recipients into performing unauthorized actions.
In healthcare contexts, BEC appears in various forms: emails seemingly from the hospital CFO requesting an urgent wire transfer for a new equipment purchase to meet an "expiring discount," messages impersonating a department head asking for employee W-2 forms or patient lists for an "audit," fraudulent invoices sent from a compromised or spoofed vendor email address for medical supplies or services, or emails appearing to be from affiliated medical practices requesting patient information transfers.
The financial impact of BEC can be substantial. The FBI's Internet Crime Complaint Center (IC3) tracked 21,489 BEC complaints in 2023 alone, with losses exceeding $2.9 billion (USD). As a study in the Journal of Cybersecurity and Privacy points out, the exploitation of trust and the creation of urgent scenarios are key characteristics of BEC attacks.
The Health Sector Cybersecurity Coordination Center (HC3) has identified several common BEC attack patterns in healthcare, including preliminary intelligence gathering that "significantly enhances the credibility and persuasiveness of subsequent attacks." An illustrative example occurred at Children's Healthcare of Atlanta in 2022, where attackers spoofed the email domain of a construction company involved in a campus project, successfully convincing the hospital to redirect payments totaling $3.6 million to a fraudulent account.
Whaling (16%)
Whaling targets the highest-value individuals within healthcare organizations, generally senior executives like the CEO, CFO, CMO, or CIO. These attacks convey extreme urgency or confidentiality to prompt actions that bypass normal verification procedures.
Healthcare whaling examples include emails seemingly from the hospital CEO to the CFO requesting immediate payment for a confidential acquisition or legal settlement, messages appearing to be from legal counsel demanding sensitive patient information related to a supposed urgent lawsuit, or communications impersonating board members requesting confidential strategy documents or financial forecasts.
According to the HC3 document, the effectiveness of whaling stems from the high status of the alleged sender and the perceived consequences of delaying action, which can lead recipients to bypass standard security protocols. For healthcare organizations, where hierarchical structures are often strongly observed, this psychological manipulation can be particularly effective.
The Google subpoena scam
A recent case reported by the New York Post illustrates how sophisticated phishing attacks continue to evolve. In April 2025, Google issued an urgent warning to its 3 billion Gmail users about a "sophisticated" phishing scam that was so convincing even technical experts were close to falling victim to it.
Ethereum developer Nick Johnson reported being targeted by "an extremely sophisticated phishing attack" that "exploits a vulnerability in Google's infrastructure." The scam arrived as an official-looking email claiming he had been hit with a subpoena tied to his Google account, and even appeared to come from a legitimate Google address.
What made this attack particularly dangerous was its use of Google's own infrastructure: the phishing site was hosted on sites.google.com, where any Google account holder can publish pages, rather than on accounts.google.com, giving it an air of legitimacy that bypassed many users' normal suspicion. The email also passed Google's DKIM (DomainKeys Identified Mail) check, so Gmail treated it as a legitimate message. DKIM only attests that the signing domain sent the message; it says nothing about whether the content or the links inside it are benign.
After clicking the link, users were directed to a convincing fake "support portal" with perfect duplicates of Google login pages, designed to harvest credentials. According to Johnson, "It even puts it in the same conversation as other, legitimate security alerts," further enhancing its believability.
While this specific example targeted Gmail users broadly, the same techniques could easily be adapted to target healthcare professionals, with fake subpoenas for patient records or regulatory notifications serving as effective lures.
Read more: DKIM replay attacks weaponize email authentication against users
Beyond the inbox
SMS phishing (Smishing) (34%)
SMS phishing, or "smishing," has emerged as a major threat, matching spear-phishing at 34% prevalence in the HIMSS survey. These attacks use text messages to deliver malicious links or solicit sensitive information, exploiting the perceived immediacy and higher trust associated with text messages compared to emails.
Healthcare-specific smishing examples include fake appointment confirmation texts with links to "update details" on a phishing site, alerts about prescription readiness requiring login to verify identity, messages pretending to be from insurance companies asking for verification via a malicious link, or texts offering COVID-19-related information or services linking to malware.
The effectiveness of smishing in healthcare environments stems from several factors:
- Fewer technical controls for SMS compared to email
- The common use of legitimate SMS for appointment reminders and health notifications, which conditions patients and staff to expect and trust these communications
- The small screen format of mobile devices, which makes identifying suspicious elements more difficult
Vishing (Voice phishing) (17%)
Voice phishing uses phone calls, often leveraging Voice over IP (VoIP) spoofing to display trusted phone numbers, to deceive individuals into revealing information or performing unauthorized actions. The HIMSS survey reports this tactic in 17% of incidents.
In healthcare settings, vishing manifests as calls impersonating IT helpdesk personnel asking for user credentials to "fix an issue," calls pretending to be from Medicare or insurance providers needing patient Social Security Numbers or dates of birth for verification, calls claiming to be regulatory investigators demanding immediate access to certain records, or urgent calls seemingly from senior staff requesting password resets or data transfers.
What makes vishing dangerous is how it exploits the inherent trust associated with voice communication and the difficulty in verifying caller identity in real-time, especially in busy clinical environments where staff are accustomed to urgent requests.
Social media phishing (19%)
Social media platforms serve as both reconnaissance tools and attack vectors, with 19% of organizations reporting social media as an initial compromise point. Attackers use LinkedIn, Facebook, Twitter, and other platforms to gather information about healthcare staff and to deliver attacks.
Common tactics include creating fake profiles of hospital recruiters or executives to connect with staff and gather information or send malicious links, sending direct messages with lures related to professional networking or healthcare events, and harvesting publicly available staff information to make email and spear-phishing attempts more convincing.
For healthcare organizations, where professional networking is common and staff often identify their employers publicly, social media presents a significant attack surface beyond the traditional security perimeter.
Deepfakes in healthcare phishing
While currently showing lower prevalence rates (Image 6%, Audio 4%, Video 3%), deepfakes – AI-generated synthetic media that convincingly mimics real people – represent an emerging high-impact threat to healthcare organizations.
In healthcare contexts, each deepfake type has a plausible role:
- Audio deepfakes might manifest as a voicemail seemingly from a senior physician authorizing an unusual purchase or patient data release
- Video deepfakes could appear as a manipulated clip used in a spear-phishing email to add legitimacy, or potentially as a deepfaked participant in a telehealth or administrative video call
- Image deepfakes might include fake ID badges or manipulated profile pictures used in impersonation schemes
The danger of deepfakes in healthcare stems from how they erode trust in digital communication and complicate traditional verification methods. When combined with other phishing tactics, they can create highly convincing scenarios that even vigilant staff might find difficult to identify as fraudulent. As one healthcare CISO noted in the HIMSS report, "The potential for misuse of AI-generated content in targeted phishing is something we're actively preparing for, even though we haven't seen widespread implementation yet."
FAQs
What is network infiltration?
Network infiltration refers to unauthorized access to an organization's computer systems or networks, usually after an initial compromise like a successful phishing attack. Once attackers gain access, they can move laterally through the network, escalate privileges, extract sensitive data, or deploy malware like ransomware.
What are the most common initial indicators of a phishing attempt?
Common indicators include unexpected emails claiming urgent action is required, slight misspellings in sender domains or email addresses (like "healhtcare" instead of "healthcare"), generic greetings rather than your name, grammatical errors or unusual phrasing, requests for sensitive information like credentials or financial data, suspicious attachments or links, and artificial time pressure.
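Several of these indicators, together with the lesson of the subpoena case above (a DKIM pass does not vouch for where a message's links lead), can be turned into a small mail-triage script. The following is an added example, not code from this article or from HIMSS; the trusted-domain list, the map of expected link hosts, and the three sample messages are constructed assumptions, and the DKIM step checks header alignment only, without cryptographically verifying the signature.

```python
"""Added example (not from the article): heuristics for the phishing indicators
listed in the FAQ plus the link-host check motivated by the subpoena lure."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: sender domains this fictional hospital already knows.
TRUSTED_DOMAINS = {"hospital-example.org", "ehr-vendor-example.com", "google.com"}
# Assumption: the only hosts a genuine account or security notice from that
# sender should link to. Hosts serving user-created content (sites.google.com)
# are deliberately absent, which is what catches the subpoena lure.
EXPECTED_LINK_HOSTS = {
    "google.com": {"accounts.google.com", "myaccount.google.com", "support.google.com"},
    "ehr-vendor-example.com": {"login.ehr-vendor-example.com"},
}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|within \d+ hours?|expir(es|ing)|suspended)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")

def org_domain(host):
    # Last two labels; fine for the demo, use the Public Suffix List in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a, b):
    # Plain edit distance, used to spot lookalikes such as "healhtcare".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (edit distance 1 or 2), else None."""
    d = org_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if d != trusted and levenshtein(d, trusted) <= 2:
            return trusted
    return None

def analyze(raw):
    """Return indicator tags for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sender_org = org_domain(sender)
    if hit := lookalike_of(sender):
        findings.append(f"lookalike-sender-domain:{sender}~{hit}")
    # Alignment only: the d= tag is read, the signature is not verified (that
    # needs DNS and a DKIM library). Even a valid, aligned signature proves
    # only that the signing domain sent the mail, not that its links are safe.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if not m:
        findings.append("no-dkim-signature")
    elif org_domain(m.group(1)) != sender_org:
        findings.append(f"dkim-from-misaligned:{m.group(1)}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    expected = EXPECTED_LINK_HOSTS.get(sender_org)
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if expected is not None and host not in expected:
            findings.append(f"unexpected-link-host:{host}")
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency-language")
    return findings

# Constructed sample modelled on the subpoena lure: aligned DKIM, wrong link host.
SUBPOENA_LURE = """\
From: Google <no-reply@accounts.google.com>
Subject: Urgent: subpoena issued for your Google account
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=demo; h=from:subject; bh=X; b=X

Dear user, review the subpoena immediately at https://sites.google.com/view/legal-portal-example/ within 24 hours.
"""

# Constructed sample: digit 1 for the letter l, signed with the attacker's own domain.
LOOKALIKE_LURE = """\
From: IT Helpdesk <helpdesk@hospita1-example.org>
Subject: Password reset required
DKIM-Signature: v=1; a=rsa-sha256; d=hospita1-example.org; s=demo; h=from; bh=X; b=X

Hi Alex, please confirm your EHR credentials at https://hospita1-example.org/reset to fix the sync issue.
"""

# Constructed sample of a benign vendor notice that should produce no findings.
LEGIT_NOTICE = """\
From: EHR Vendor <notifications@ehr-vendor-example.com>
Subject: Scheduled maintenance window
DKIM-Signature: v=1; a=rsa-sha256; d=ehr-vendor-example.com; s=demo; h=from; bh=X; b=X

Hi Alex, maintenance is scheduled for Saturday; details at https://login.ehr-vendor-example.com/status as usual.
"""

if __name__ == "__main__":
    print([analyze(s) for s in (SUBPOENA_LURE, LOOKALIKE_LURE, LEGIT_NOTICE)])
```

The lookalike sample shows why DKIM alignment alone is not a verdict: an attacker who registers a lookalike domain can sign mail from it perfectly well, so the edit-distance check against known domains is what flags it. Conversely, the subpoena sample is fully aligned and signed by the genuine domain, and only the expected-link-host rule catches it.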
How can healthcare staff verify suspicious communications?
Always use out-of-band verification for unusual requests: contact the alleged sender using a known phone number from your directory (not one provided in the suspicious message), verify in person when possible, or use established secure communication channels. For financial or data transfer requests, follow established protocols regardless of the apparent urgency or seniority of the requestor.