HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Social engineering threats in healthcare

Written by Tshedimoso Makhene | Oct 3, 2024 3:36:01 PM

Social engineering, in which threat actors manipulate people into revealing data or taking actions that undermine security, is a major threat to healthcare. According to the Carahsoft 2021 HIMSS Healthcare Cybersecurity Survey, socially engineered phishing attacks accounted for 45% of security incidents in healthcare systems. In 2023, healthcare organizations saw a 279% increase in business email compromise (BEC) incidents, underscoring the frequency and impact of these tactics in the industry.

 

Understanding the threat

The healthcare sector's reliance on digital systems and the high value of medical records have made it an attractive target for malicious actors. From phishing scams and impersonation to advanced social engineering ploys, cybercrimes are growing increasingly sophisticated. These threats compromise data privacy and disrupt healthcare services, leading to delayed operations, lawsuits, and more.

 

Phishing attacks

Phishing attacks are a growing concern in the healthcare industry. Threat actors use personalized emails, spoofed websites, and social media platforms to lure employees into divulging login credentials or installing malware. A successful phishing campaign can give cybercriminals access to patient records and financial data, and potentially control over medical devices.

In February 2023, Highmark Health, the second largest integrated delivery and financing system in the U.S., disclosed a socially engineered phishing attack affecting around 300,000 individuals. The breach occurred on December 15, 2022, when a Highmark employee clicked on a malicious link that gave the attacker unauthorized access to the employee's email account for a span of two days.

 

Impersonation tactics

Healthcare professionals often find themselves on the receiving end of fraudulent impersonation schemes. Malicious actors may pose as patients, vendors, or even fellow colleagues to gain unauthorized access to sensitive information or systems.

In January 2024, the American Hospital Association (AHA) uncovered a social engineering scam targeting IT help desks. The scheme used the stolen identities of employees in financial roles to have passwords reset and new devices enrolled for multi-factor authentication (MFA). The threat actor then accessed email accounts and changed payment instructions, diverting funds to fraudulent accounts.

 

Social engineering scams

Beyond phishing and impersonation, cybercriminals employ a wide range of sophisticated social engineering tactics to infiltrate healthcare organizations. These include using social media platforms to gather intelligence, exploiting employee vulnerabilities through emotional manipulation, and even using physical access to sensitive areas through tailgating or other covert means.

 

The intersection of technology and human factors

While technological advancements have transformed healthcare, they have also introduced new vulnerabilities. The increased reliance on interconnected medical devices, cloud-based data storage, and remote access solutions has expanded the attack surface, making it necessary for healthcare organizations to address both technological and human factors in their cybersecurity strategies.

 

Insider threats

Healthcare institutions often grapple with the challenge of insider threats, where trusted insiders, whether malicious or inadvertent, can compromise sensitive data and systems. Insider threats may come from disgruntled employees, contractors with access to systems, or well-meaning staff who fall victim to social engineering ploys.

 

Regulatory compliance and cybersecurity challenges

The healthcare industry is subject to stringent regulatory frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States, which mandate data privacy and security measures. Working through these complex compliance requirements while simultaneously addressing cyber threats can be a daunting task for healthcare organizations.

 

Cultivating a culture of cybersecurity awareness

Empowering healthcare personnel with security awareness training is a fundamental component of any effective cybersecurity strategy. By fostering a culture of vigilance and proactive risk mitigation, organizations can equip their workforce to recognize and respond appropriately to social engineering attempts, ultimately strengthening the overall security posture.

 

Technological safeguards

Implementing advanced security technologies, such as multi-factor authentication, endpoint detection and response (EDR) solutions, and security information and event management (SIEM) systems, can bolster the defenses against social engineering threats. These tools help detect, prevent, and respond to suspicious activities, providing an additional layer of protection for healthcare organizations.

 

Incident response and resilience planning

In the event of a successful social engineering attack, an incident response plan can mean the difference between a contained incident and a catastrophic data breach. Healthcare organizations must prioritize the development of incident response protocols, ensuring seamless coordination and effective recovery measures.

 

Collaboration and knowledge sharing

Recognizing the shared responsibility in combating social engineering threats, healthcare organizations should actively engage in cross-industry collaboration and knowledge sharing. By sharing threat intelligence, best practices, and lessons learned, the sector can collectively strengthen its defenses and stay ahead of changing cybercriminal tactics.

 

Looking deeper into the threat

In 2023, Avertium released a Threat Intelligence Report detailing Scattered Spider's unique social engineering methods. The group has many targets, including government agencies, tech companies, defense, and healthcare.

Scattered Spider is known for operating across widely used environments in many industries, including Windows, Linux, Google Workspace, AzureAD, M365, and AWS. Once inside, the group mines platforms such as SharePoint and OneDrive for sensitive information, including VPN and MFA details as well as help desk procedures.

Public reports indicate that Scattered Spider threat actors have employed various methods to gain access, such as:

  • Impersonating company IT or help desk staff via phone calls or SMS messages to trick employees into revealing their credentials, then using those credentials to access the network.
  • Posing as IT staff to direct employees to install commercial remote access tools, establishing initial access.
  • Pretending to be IT personnel to convince employees to share the one-time passwords (OTPs) used for MFA.
  • Sending repeated MFA push notifications until a worn-down employee presses "Accept", a technique known as MFA fatigue.
  • Persuading cellular carriers to transfer a targeted user's phone number to a SIM card the attackers control (SIM swapping), so that SMS- and voice-based MFA codes are delivered to the attackers instead of the user.
  • Using the resulting network access for ransomware extortion and data theft.
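
Several of the tactics in that list, and the AHA help desk scheme described earlier, leave a trace in identity-provider logs: a burst of push prompts ending in an approval, or a help desk password reset followed within minutes by a new MFA device. The following is an added example, not code from this page, from Paubox, or from any identity vendor, of the detection logic a SIEM rule would implement. It assumes a constructed JSON-lines log with the fields ts, user, event, src_ip and actor; real IdP exports use different field names and the thresholds are illustrative.

```python
"""Added example: detect MFA push fatigue and help-desk reset followed by new
MFA device enrollment in a constructed JSON-lines auth log. Not vendor code;
field names (ts, user, event, src_ip, actor) are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FATIGUE_THRESHOLD = 5                    # push prompts inside FATIGUE_WINDOW
FATIGUE_WINDOW = timedelta(minutes=10)
RESET_ENROLL_WINDOW = timedelta(minutes=60)

# Constructed sample events, not real log data. j.doe is bombarded with push
# prompts until one is approved; a.finance gets a help-desk reset and then a new
# MFA device from an address never seen for that account; m.nurse is benign.
SAMPLE_LOG = """\
{"ts": "2024-10-03T12:30:00Z", "user": "a.finance", "event": "login_success", "src_ip": "198.51.100.44"}
{"ts": "2024-10-03T13:00:05Z", "user": "j.doe", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:00:40Z", "user": "j.doe", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:01:10Z", "user": "j.doe", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:01:45Z", "user": "j.doe", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:02:15Z", "user": "j.doe", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:02:50Z", "user": "j.doe", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:03:20Z", "user": "j.doe", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:03:55Z", "user": "j.doe", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:04:30Z", "user": "j.doe", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:05:00Z", "user": "j.doe", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:05:20Z", "user": "j.doe", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2024-10-03T13:15:00Z", "user": "m.nurse", "event": "mfa_push_sent", "src_ip": "198.51.100.23"}
{"ts": "2024-10-03T13:15:20Z", "user": "m.nurse", "event": "mfa_push_approved", "src_ip": "198.51.100.23"}
{"ts": "2024-10-03T14:10:00Z", "user": "a.finance", "event": "password_reset", "actor": "helpdesk", "src_ip": "10.0.5.12"}
{"ts": "2024-10-03T14:25:00Z", "user": "a.finance", "event": "mfa_device_enrolled", "src_ip": "203.0.113.7"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events, threshold=FATIGUE_THRESHOLD, window=FATIGUE_WINDOW):
    """One alert per user whose densest burst of push prompts reaches the threshold
    inside the window; records whether an approval followed the burst."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            pushes[e["user"]].append(e["ts"])
        elif e["event"] == "mfa_push_approved":
            approvals[e["user"]].append(e["ts"])
    alerts = []
    for user, times in pushes.items():
        best, best_end, start = 0, None, 0
        for end, t in enumerate(times):          # sliding window over sorted prompts
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, t
        if best >= threshold:
            approved = any(best_end <= a <= best_end + window for a in approvals[user])
            alerts.append({"rule": "mfa_fatigue", "user": user,
                           "prompts": best, "approved_after_burst": approved})
    return alerts


def detect_reset_then_enroll(events, window=RESET_ENROLL_WINDOW):
    """Alert when a help-desk password reset is followed within the window by a new
    MFA device, noting whether the enrolling address was ever seen for that
    account before the reset (a cheap 'is this really them' signal for the analyst)."""
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "mfa_device_enrolled":
            continue
        known_ips = set()
        for prev in events[:i]:
            if prev["user"] != e["user"]:
                continue
            if (prev["event"] == "password_reset" and prev.get("actor") == "helpdesk"
                    and e["ts"] - prev["ts"] <= window):
                alerts.append({"rule": "helpdesk_reset_then_mfa_enroll", "user": e["user"],
                               "minutes_between": int((e["ts"] - prev["ts"]).total_seconds() // 60),
                               "enroll_ip_previously_seen": e["src_ip"] in known_ips})
                break
            if prev.get("actor") != "helpdesk":      # only the user's own activity counts
                known_ips.add(prev["src_ip"])
    return alerts


def run(log_text=SAMPLE_LOG):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(log_text)
    return detect_mfa_fatigue(events) + detect_reset_then_enroll(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the first rule fires for j.doe (six prompts in five minutes, then an approval) and the second for a.finance (reset, then a new device 15 minutes later from an address the account had never used), while m.nurse's single prompt-and-approve produces nothing. The second rule is the one to wire to the help desk procedure: an alert for a finance or executive account should trigger a callback to a number already on file, not to the number given on the call, before the new device is trusted.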

 

How can Paubox help?

Paubox's suite of inbound security solutions is designed to combat social engineering attacks and protect sensitive information through advanced email security features. Some components include ExecProtect, which prevents display name spoofing by isolating fraudulent emails before they can deceive recipients. Combined with malware, virus, and ransomware protection, Paubox’s security suite effectively shields organizations from social engineering tactics and maintains the integrity of their email communications.

See also: HIPAA Compliant Email: The Definitive Guide  

 

In the news

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) issued an advisory on April 5 discussing the persistent threat posed by ransomware to the healthcare sector. Over the past six months, HC3 has documented more than 530 cyber attacks targeting U.S. healthcare, with nearly half attributed to ransomware. In response to escalating risks, HC3 also released recommendations for fortifying defenses against sophisticated social engineering tactics specifically targeting IT help desks within healthcare settings.

 

FAQs

What is social engineering and how does it relate to healthcare security?

Social engineering is a tactic used by cybercriminals to manipulate individuals into divulging confidential information or performing actions that compromise security. In healthcare, social engineering exploits trust and human psychology to gain unauthorized access to patient data, medical systems, or financial information.

 

Why is social engineering a significant threat to healthcare organizations?

Social engineering is a significant threat because it targets the human element, which is often the weakest link in cybersecurity defenses. By exploiting trust, deception, or fear, attackers can trick healthcare employees into disclosing sensitive information, clicking on malicious links, or transferring funds, leading to breaches of patient confidentiality, financial losses, and disruptions in healthcare services.

 

What measures can healthcare facilities take to prevent social engineering attacks?

Healthcare facilities can reduce the risk of social engineering attacks by training staff at all levels, raising awareness of common tactics such as phishing, pretexting, and baiting, encouraging skepticism and out-of-band verification of requests for sensitive information or transactions, and establishing strict protocols for handling confidential data and financial transactions.

 

How does social engineering impact HIPAA compliance?

Social engineering impacts HIPAA compliance by increasing the risk of unauthorized access to protected health information (PHI). If attackers successfully manipulate staff through social engineering tactics, they can gain access to PHI, leading to potential data breaches and violations of HIPAA’s security and privacy rules.