Phishing scams in the healthcare sector...
Phishing and Business Email Compromise (BEC) scams are becoming increasingly prevalent in the healthcare industry.
These scams involve cyber criminals using deception and manipulation to gain access to sensitive information via social engineering. In the healthcare industry, this can have serious consequences for both patients and healthcare organisations.
The healthcare sector reported the highest number of cyber security incidents of any other sector in recent years. Due to the critical nature of services provided and value of the personal information they hold, the healthcare sector is seen as a highly lucrative target for cyber criminals.
One of the most common types of phishing scams in healthcare is the use of fake emails that appear to be from legitimate sources, such as insurance companies, government agencies and even your direct manager or CEO – this type of scam is an impersonation fraud, but it could also be an account takeover if it legitimately looks like it’s an internal email or from a familiar source.
Account takeover is incredibly hard to detect as these types of BEC attacks bypass legacy email solutions. As the email account is compromised and actually coming from a legitimate and trusted source, it is able to pass email rule-based security controls without detection.
These emails are often high urgency, and contain links or attachments that, when clicked, download malware onto the recipient's computer or steal personal information. Additionally, BEC scams can involve cyber criminals requesting fast purchases, sensitive information or change of bank details, fooling the victim into paying an invoice into the scammer’s account.
Healthcare data is worth more than a credit card number.
It's important for healthcare organisations to take steps to protect themselves and their patients from these types of scams. This includes educating employees on how to recognise and avoid phishing attempts, implementing robust security systems, and creating a plan for responding to a security breach.
Healthcare records are in high demand because they are worth a lot more to a cyber criminal than a simple credit card number. The highly sensitive information can be a complete package for the cyber criminal to not only steal the identity of the victim but commit insurance or bank and superannuation fraud in their name. For healthcare, this could result in a disruption of services to patients whose records are held hostage and can not only delay treatments, but also erode public trust in the organisation and delay business continuity.
What can you do?
Healthcare sector employees can implement simple habits like:
- analysing the sender and the content when checking emails.
- being wary of click-bait tactics such as a sense of urgency, curiosity and/or authority.
- avoiding clicking on links or attachments.
- delaying a response to requests involving sharing data, making a purchase, or paying an invoice until the origin of the email is verified beyond doubt.
- verify any changes in vendor payment processing by using a secondary sign-off by company personnel.
- confirm all requests to change payment details by using phone verification as part of the authentication process. Only use known numbers, not details provided in email requests.
Leadership teams should ensure:
- devices are up to date.
- multi-factor authentication (MFA) is enabled for access to emails and the network which makes remote access more difficult for the scammer.
Patients should also take steps to protect themselves from phishing and BEC scams, such as:
- be cautious when supplying personal information, especially over the phone or email.
- be wary of unexpected requests for payment or personal information.
- be aware of click-bait tactics such as a sense of urgency, curiosity and/or authority.
- be mindful of who is sending the email - don’t click on links or download attachments from unknown sources.
Overall, BEC scams are a growing threat in the healthcare industry. Healthcare organisations and patients need to be aware of these risks and take steps to protect themselves. By staying vigilant, double- checking the origins of any unsolicited emails, and avoiding clicking on links, or buying or paying for anything until the source is verified, we can help prevent these types of scams from causing harm to patients and healthcare organisations.
We understand that the healthcare sector has a unique set of challenges with cyber security based on the criticality of the work, and the potential threat to services and patients.