Social engineering attacks targeting the healthcare and public health (HPH) sector are becoming more sophisticated by using psychological manipulation and advanced technology to breach security. Based on insights from the U.S. Department of Health and Human Services (HHS) report, Social Engineering Attacks Targeting the HPH Sector, here’s a look at trends and recent cases shaping the sector’s approach to defense.
Healthcare saw a rise in phishing attacks in 2023, including SMS-based (smishing) and voice-based (vishing) attacks. Attackers used brand impersonation and QR code phishing to bypass Secure Email Gateways (SEGs). One common tactic involved sending fake messages from well-known companies and luring employees into revealing sensitive information. As attacks evolve to exploit multiple communication channels, SEGs alone may no longer provide adequate protection.
In late 2023, attackers increasingly targeted IT help desks by impersonating healthcare employees in need of tech support, often calling from local area codes to appear credible. Attackers would request an MFA reset under the pretense of a ‘broken phone,’ gaining access to financial systems to redirect payments. This method shows how attackers exploit trusted internal processes to bypass digital defenses.
Early in 2024, deepfake technology was used to impersonate a chief financial officer in a high-stakes scam. Attackers convinced a finance employee to transfer $25 million by mimicking the CFO’s appearance and voice. This technique shows the risk of deepfakes in healthcare, where attackers could impersonate executives or doctors to deceive employees.
Attackers registered domains with minor misspellings of legitimate healthcare organizations to direct employees to fake login pages. By mimicking familiar URLs, attackers tricked employees into entering their credentials, which were then used to access systems. Training employees to verify URLs and proactively registering similar domains can help counteract this risk.
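The URL-verification advice above can be partly automated. The following Python checker is an added example, not code from the HHS report or from the article: it flags links in inbound messages whose domain is a typosquat, a homoglyph variant, a TLD swap, or a subdomain spoof of an organization's legitimate domains. The allowlist entries (`examplehealth.org`, `examplehealth-portal.com`) and the sample messages are constructed placeholders, and the domain splitting is deliberately naive (a production version would consult the Public Suffix List).

```python
"""Lookalike-domain detector for URLs found in inbound messages.

Added illustration (not from the HHS report or the article). Domain names and
sample messages are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of the organization's legitimate domains (hypothetical names).
LEGIT_DOMAINS = ("examplehealth.org", "examplehealth-portal.com")

# Visually similar substitutions attackers use; multi-character sequences come
# first so "rn" -> "m" is applied before the single-character map.
HOMOGLYPH_PAIRS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def normalize(label: str) -> str:
    """Collapse common homoglyph substitutions so look-alike labels compare equal."""
    label = label.lower()
    for bad, good in HOMOGLYPH_PAIRS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host: str):
    """Naive split into (second-level label, tld). Assumes single-label TLDs;
    a production version would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_domain(host: str):
    """Return (verdict, reason) for a hostname checked against the allowlist."""
    host = host.lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legit", "allowlisted"
    sld, tld = split_domain(host)
    for legit in LEGIT_DOMAINS:
        legit_sld, legit_tld = split_domain(legit)
        # Real brand domain embedded as a subdomain of an unrelated registrable domain.
        if ("." + host + ".").find("." + legit + ".") != -1:
            return "lookalike", "subdomain-spoof"
        # Same brand label under a different top-level domain.
        if sld == legit_sld and tld != legit_tld:
            return "lookalike", "tld-swap"
        # Digits or letter pairs standing in for visually similar characters.
        if normalize(sld) == normalize(legit_sld):
            return "lookalike", "homoglyph"
        # One or two character edits of a reasonably long brand label.
        if len(legit_sld) >= 6 and levenshtein(sld, legit_sld) <= 2:
            return "lookalike", "typosquat"
    return "unknown", "not-allowlisted"


def extract_urls(text: str):
    """Pull http(s) URLs out of free text, trimming trailing punctuation."""
    return [u.rstrip(".,;:)!\"'") for u in URL_RE.findall(text)]


def scan_message(text: str):
    """Return [(url, verdict, reason)] for every URL that is not on the allowlist."""
    findings = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        verdict, reason = classify_domain(host)
        if verdict != "legit":
            findings.append((url, verdict, reason))
    return findings


# Constructed sample messages in the style of the lures described in the article.
SAMPLE_MESSAGES = [
    "Your password expires today. Reset it at https://examp1ehealth.org/reset now.",
    "Scan the QR code or visit https://examplehealth.org.secure-login.net/mfa to re-enroll your phone.",
    "Quarterly schedule posted: https://login.examplehealth.org/schedule",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict, reason in scan_message(msg):
            print(f"{verdict:9} {reason:15} {url}")
```

The same check works on URLs decoded from a QR code in an attachment or transcribed from a text message, which matters because those channels are exactly the ones that slip past a Secure Email Gateway; an "unknown" verdict is a prompt for a second verification step rather than a block on its own.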
AI-driven tools like WormGPT and FraudGPT enable attackers to craft convincing phishing emails and manipulate real-time audio. Research has shown how malicious AI could distort live phone conversations, potentially leading to dangerous misinformation. For healthcare, these developments indicate the need for multi-layered verification processes.
To defend against these sophisticated social engineering tactics, healthcare organizations should adopt a multifaceted approach combining employee training, technical defenses, and policy improvements:
Going deeper:
Social engineering is a tactic used by cybercriminals to manipulate individuals into divulging confidential information or performing actions that compromise security. In healthcare, social engineering exploits trust and human psychology to gain unauthorized access to patient data, medical systems, or financial information.
Social engineering is a major threat because it targets the human element, which is often the weakest link in cybersecurity defenses. By exploiting trust, deception, or fear, attackers can trick healthcare employees into disclosing sensitive information, clicking on malicious links, or transferring funds, leading to breaches of patient confidentiality, financial losses, and disruptions in healthcare services.
Social engineering impacts HIPAA compliance by increasing the risk of unauthorized access to protected health information (PHI). If attackers successfully manipulate staff through social engineering tactics, they can gain access to PHI, leading to potential data breaches and violations of HIPAA’s security and privacy rules.