Social engineering attacks targeting the healthcare and public health (HPH) sector are becoming more sophisticated by using psychological manipulation and advanced technology to breach security. Based on insights from the U.S. Department of Health and Human Services (HHS) report, Social Engineering Attacks Targeting the HPH Sector, here’s a look at trends and recent cases shaping the sector’s approach to defense.
Rise of phishing, vishing, and smishing
Healthcare saw a rise in phishing attacks in 2023, including SMS-based (smishing) and voice-based (vishing) attacks. Attackers used brand impersonation and QR code phishing to bypass Secure Email Gateways (SEGs). One common tactic involved sending fake messages from well-known companies and luring employees into revealing sensitive information. As attacks evolve to exploit multiple communication channels, SEGs alone may no longer provide adequate protection.
IT help desk targeting through vishing
In late 2023, attackers increasingly targeted IT help desks by impersonating healthcare employees in need of tech support, often calling from local area codes to appear credible. Attackers would request an MFA reset under the pretense of a ‘broken phone,’ gaining access to financial systems to redirect payments. This method shows how attackers exploit trusted internal processes to bypass digital defenses.
Deepfake technology in financial fraud
Early in 2024, deepfake technology was used to impersonate a chief financial officer in a high-stakes scam. Attackers convinced a finance employee to transfer $25 million by mimicking the CFO’s appearance and voice. This technique shows the risk of deepfakes in healthcare, where attackers could impersonate executives or doctors to deceive employees.
Typosquatting and look-alike domains
Attackers registered domains with minor misspellings of legitimate healthcare organizations to direct employees to fake login pages. By mimicking familiar URLs, attackers tricked employees into entering their credentials, which were then used to access systems. Training employees to verify URLs and proactively registering similar domains can help counteract this risk.
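As an added, defender-side example (not from the HHS report or this article), the check below flags sender and link domains in mail-gateway log lines that resemble an organization's own domain: digit-for-letter and "rn"-for-"m" substitutions, small spelling edits, the same name on another TLD, and the real domain buried in a subdomain. The domain examplehealth.com, the log format and the sample lines are constructed, and registrable-domain extraction is deliberately naive (last two labels).

```python
import re
from urllib.parse import urlparse

# Characters commonly swapped for the letters they resemble; mapped back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    # Naive: last two labels (ignores multi-part public suffixes such as co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str, legit: str, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'other' for a hostname seen in mail."""
    cand = registrable(host)
    if cand == legit:
        return "legit"
    if "." not in cand:
        return "other"
    legit_name = legit.rsplit(".", 1)[0]
    cand_name = cand.rsplit(".", 1)[0]
    if normalize(cand_name) == legit_name:          # homoglyph swap or other TLD
        return "lookalike"
    if levenshtein(normalize(cand_name), legit_name) <= max_distance:  # typo
        return "lookalike"
    if legit in host.lower():                        # legit domain as a subdomain label
        return "lookalike"
    return "other"

SAMPLE_LOG = [  # constructed gateway lines, not from any real system
    "from=it-desk@examplehealth.com url=https://portal.examplehealth.com/login",
    "from=payroll@examp1ehealth.com url=https://examp1ehealth.com/verify",
    "from=hr@exarnplehealth.com url=https://exarnplehealth.com/sso",
    "from=news@vendor.example url=https://examplehealth.com.evil.example/reset",
    "from=alerts@examplehealth.co url=https://examplehealth.co/mfa",
]

def scan(lines, legit="examplehealth.com"):
    """Return (offending_host, log_line) for each line carrying a look-alike domain."""
    flagged = []
    for line in lines:
        sender = re.search(r"from=\S+@(\S+)", line).group(1)
        link_host = urlparse(re.search(r"url=(\S+)", line).group(1)).hostname
        for host in (sender, link_host):
            if classify(host, legit) == "lookalike":
                flagged.append((host, line))
                break
    return flagged
```

Four of the five constructed lines are flagged; only the first, which uses the real domain and a genuine subdomain of it, passes.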
The role of advanced AI models
AI-driven tools like WormGPT and FraudGPT enable attackers to craft convincing phishing emails and manipulate real-time audio. Research has shown how malicious AI could distort live phone conversations, potentially leading to dangerous misinformation. For healthcare, these developments indicate the need for multi-layered verification processes.
Strengthening defenses
To defend against these sophisticated social engineering tactics, healthcare organizations should adopt a multifaceted approach combining employee training, technical defenses, and policy improvements:
- Employee training: Regularly educate staff on recognizing social engineering methods, including phishing, vishing, and deepfake tactics, and encourage verification practices.
- Multi-factor authentication (MFA): MFA can prevent unauthorized access even when credentials are compromised, serving as a defense against attacks that exploit login information. As the help desk vishing cases show, however, the MFA reset process itself needs strong identity verification, or attackers will simply talk their way around the second factor.
- Incident response planning: A clear response plan can minimize the damage from an attack, outlining steps for reporting, containing, and investigating social engineering incidents.
- Advanced monitoring and detection: Real-time monitoring for unusual network activity helps detect early signs of social engineering attempts, providing valuable time to respond.
Going deeper:
- What is social engineering?
- The social engineering threat to cybersecurity
- HHS: Social engineering and healthcare
FAQs
What is social engineering and how does it relate to healthcare security?
Social engineering is a tactic used by cybercriminals to manipulate individuals into divulging confidential information or performing actions that compromise security. In healthcare, social engineering exploits trust and human psychology to gain unauthorized access to patient data, medical systems, or financial information.
Why is social engineering a significant threat to healthcare organizations?
Social engineering is a significant threat because it targets the human element, which is often the weakest link in cybersecurity defenses. By exploiting trust, deception, or fear, attackers can trick healthcare employees into disclosing sensitive information, clicking on malicious links, or transferring funds, leading to breaches of patient confidentiality, financial losses, and disruptions in healthcare services.
How does social engineering impact HIPAA compliance?
Social engineering impacts HIPAA compliance by increasing the risk of unauthorized access to protected health information (PHI). If attackers successfully manipulate staff through social engineering tactics, they can gain access to PHI, leading to potential data breaches and violations of HIPAA’s security and privacy rules.
Learn more: HIPAA Compliant Email: The Definitive Guide