HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Phishing attacks in healthcare: How to protect your organization in 2025

Written by Lusanda Molefe | Dec 19, 2024 2:44:57 PM

According to a study in BMJ Health Care Informatics, 2-3% of email and internet traffic in healthcare organizations is flagged as suspicious, equating to over 50 million potentially malicious transactions each year.

Healthcare data has become an increasingly valuable target for cybercriminals, with medical records holding more value than credit card information. By 2016, phishing attacks had already affected over 70,000 patients. As healthcare organizations continue to digitize sensitive information, human error remains the most exploitable entry point for breaches.


What are phishing attacks?

The Cybersecurity and Infrastructure Security Agency (CISA) states, “More than 90% of successful cyber-attacks start with a phishing email”. Phishing is a cyberattack in which an attacker masquerades as a reputable entity to trick individuals into divulging sensitive information, transferring funds, or performing actions that benefit the attacker.

These scams can arrive as text messages (smishing), voice or phone calls (vishing), or social media comments, but email remains the most efficient and widely used channel for reaching victims. Spear-phishing, a targeted form of phishing, and whaling, which targets high-profile individuals, are variations of the same tactic.



Recent trends in phishing attacks

The Cofense Annual State of Email Security Report from 2024 revealed an 84.5% increase in malicious email threats bypassing secure email gateways for healthcare organizations. Credential phishing, which accounted for 91% of active threat reports, emerged as the leading attack method. 

This surge in sophisticated phishing campaigns has targeted healthcare workers, using techniques such as brand impersonation, vishing, and the increasing use of QR codes in phishing emails. These tactics were designed to bypass traditional email security solutions and trick individuals into revealing login credentials or sensitive information.

According to a public service announcement by the FBI, cybercriminals now leverage AI to create convincing text, images, audio, and videos that can evade traditional fraud detection systems. AI-powered text generation helps criminals craft social engineering and spear phishing messages that are grammatically flawless and more convincing, making them harder to detect. For visual deception, AI enables the generation of realistic profile photos, fake identification documents, and even deepfake videos, all of which deceive victims. 

Additionally, AI tools assist in developing fraudulent websites with embedded chatbots, translating messages to target international audiences, and producing synthetic content to boost the credibility of phishing schemes.


Protecting your organization

Multifactor authentication (MFA): MFA adds extra security to online accounts by requiring two or more forms of verification before granting access. This reduces the risk of account compromise, because even if a password is stolen, the attacker still cannot pass the second authentication step.

It ensures that only authorized users can access accounts, offering stronger protection than just relying on a password. Implementing MFA can make an organization 99% less likely to get hacked, according to Microsoft.

Enhance email security: Organizations should implement a combination of filters and encryption. Email filters like spam, content, and domain filters can block suspicious or malicious emails, reducing exposure to phishing and malware. 

Multi-layered email security, including anti-phishing filters and machine learning tools, further strengthens defenses by detecting and blocking risky emails. Regularly updating filters and encryption protocols ensures ongoing protection against evolving threats, thus safeguarding sensitive information.

Phishing simulations and employee training: Phishing simulations reproduce real-world attacks, allowing employees to practice identifying and reporting phishing attempts in a controlled environment. This reinforces awareness and improves response times when staff encounter actual phishing threats.

Additionally, ongoing employee training ensures that staff stay up-to-date with the latest phishing techniques and learn how to recognize suspicious emails, links, and attachments. Regular simulations and training foster a security-conscious workplace culture, reducing the likelihood of successful phishing attacks and improving overall cybersecurity resilience.



FAQs

How can I identify a phishing email?

Phishing emails often contain urgent messages, suspicious links, or attachments. They may use poor grammar and spelling, mimic legitimate companies, or ask for sensitive information. Always verify the sender's email address and be cautious of unsolicited messages.
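The sender, link and urgency checks listed in this answer (and the domain filtering mentioned under "Enhance email security") can be scored mechanically. The Python script below is an added example, not code from the article; it assumes a hypothetical trusted domain examplehealth.org and runs the checks against a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumed: the organization's own mail domains (hypothetical value, not from the article).
TRUSTED_DOMAINS = {"examplehealth.org"}
URGENCY = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
RISKY_EXT = (".exe", ".js", ".scr", ".hta", ".iso")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    msg = message_from_string(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Display name borrows a trusted brand while the real sender domain does not match.
    for dom in TRUSTED_DOMAINS:
        if dom.split(".")[0] in name.lower() and from_dom != dom:
            hits.append(f"display name imitates {dom} but sender domain is {from_dom}")
    # Replies are routed to a different domain than the one the mail claims to come from.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        hits.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = ""
    for part in msg.walk():  # collect text parts, flag dangerous attachment types
        if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXT):
            hits.append(f"risky attachment {part.get_filename()}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="ignore")
    found = [k for k in URGENCY if k in (msg.get("Subject", "") + " " + body).lower()]
    if found:
        hits.append("urgency language: " + ", ".join(found))
    # Anchor text shows one URL while the href points at another host (naive regex, demo only).
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown_host, real_host = urlparse(shown.strip()).hostname, urlparse(href).hostname
        if shown_host and shown_host != real_host:
            hits.append(f"link text shows {shown_host} but points to {real_host}")
    return hits

SAMPLE = """\
From: "ExampleHealth IT Support" <support@examp1ehealth-login.com>
Reply-To: collect@mailbox-relay.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<a href="http://examp1ehealth-login.com/verify">https://portal.examplehealth.org/reset</a>
"""  # constructed sample, not a real message
```

Running `phishing_indicators(SAMPLE)` returns four indicators (brand-name mismatch, Reply-To mismatch, urgency wording, and a link whose visible text and real destination differ); a routine internal notice from the trusted domain returns none.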


What is the difference between phishing and spear-phishing?

Phishing is a general attack sent to many potential victims, often with generic content. Spear-phishing, however, targets specific individuals or departments with tailored messages that appear more credible and personal.


What should I do if I receive a suspicious email?

Do not click on any links or download attachments. Report the email to your IT department or use your email client's built-in reporting tool. Delete the email from your inbox.