
Defending Against Phishing: Strengthening Cybersecurity in Healthcare

July 29, 2024

The Rising Threat of Phishing in Healthcare

Phishing is a scheme in which someone impersonates a person or business (for example, a known or trusted contact) to deceive a target into revealing sensitive information or providing insider access; spear phishing is its targeted form, aimed at a specific individual or organization. Phishing is not new, but it has quickly become a tool of choice for scammers and cybercriminals. The statistics are alarming: in 2023, the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center recorded 298,878 phishing complaints, up sharply from the 114,702 reported in 2019. This surge underscores the growing frequency, and sophistication, of phishing attacks.

The Impact on Healthcare

The healthcare industry, in particular, is a prime target for these attacks. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has not ignored these evolving threats. In December 2023, OCR sent a clear message to healthcare providers by settling its first phishing cyberattack case under HIPAA. In that case, an attacker gained access to an email account through phishing and was then able to reach electronic protected health information (ePHI) for almost 35,000 individuals. Notably, the investigation found that the facility had not performed a risk assessment and had no policies in place to address cyber threats such as phishing. The settlement emphasizes the necessity of regular risk assessments and adherence to best practices for safeguarding sensitive data.

Research from the Anti-Phishing Working Group (APWG) estimates that four out of ten healthcare data breaches begin with a phishing attempt, and reported phishing attacks have doubled since 2020. The financial repercussions are staggering: medical facilities face an average cost of roughly $10 million per breach. These attacks can lead to identity theft, data breaches, and financial fraud, placing healthcare organizations in precarious financial and reputational positions.

A successful phishing attack can cripple a healthcare system and cause significant disruption to key services. Providers can be locked out of systems essential to operations, forcing staff to revert to manual record-keeping; treatment plans can be delayed or compromised, and emergency services may have to be diverted to other facilities.

The Role of Generative AI

Phishing attacks are becoming harder to detect and more damaging, partly because of advances in generative artificial intelligence (AI). In October 2023, the HHS Office of Information Security released a white paper noting that AI tools such as "FraudGPT," a language model marketed to criminals without the safety restrictions of mainstream services, let cybercriminals craft fluent, convincing phishing messages at scale, removing the spelling and grammar mistakes that once gave many lures away. This technological leap demands a more robust and proactive approach to cybersecurity.

Common Phishing Tactics

Cybercriminals employ various phishing tactics to lure victims into:

  • Installing malware
  • Disclosing usernames and passwords
  • Voluntarily giving up protected health information (PHI)
  • Paying a ransom for stolen data
  • Granting direct access to secure networks

Tactics change over time and often arrive in waves, depending on which attacks are succeeding. As an example, the FBI and HHS recently released a joint Cybersecurity Advisory (CSA) warning healthcare organizations about a new social engineering campaign in which cybercriminals use phishing to steal login credentials and then divert automated clearing house (ACH) payments to bank accounts they control.

Understanding common phishing tactics can help healthcare organizations implement effective defenses. Tactics include:

  • Email phishing: A broadly distributed email that requests personal information such as account numbers, credit card numbers, or login credentials, or carries a malicious link or attachment.
  • Spear phishing: A targeted form of phishing that uses social engineering and details about the recipient to make the email appear legitimate.
  • Vishing: Phone calls that impersonate a trusted brand and create a sense of urgency to pressure people into taking compromising actions. Reported vishing increased more than twelvefold after the public launch of ChatGPT.
  • Smishing: Text messages (SMS) that deliver malicious links or trick people into giving up sensitive information.
  • Whaling: Emails aimed at senior executives, whose authority and access make them high-value targets, designed to trigger actions such as wire transfers.
  • Angler phishing: Impersonation of a customer service agent on social media to obtain personal information or account credentials from users who have posted a complaint or question.

Training: The First Line of Defense

One of the most effective ways to protect against phishing is to educate employees about security policies and procedures and why they matter. Statistics reveal that 88% of healthcare workers open a phishing email at some point in their employment, highlighting the urgent need for comprehensive training programs. Employees who have been trained to recognize phishing are significantly less likely to fall victim to it.

HealthStream’s Security Awareness education focuses on best practice tools for employees so they will be equipped to protect sensitive PII and PHI from attack. A good training program should be:

  • Ongoing: Regular reminders about phishing and other cyber threats are crucial to maintaining vigilance.
  • Realistic and Practical: Training should include real examples of phishing emails and scams to help staff understand how these attacks work in real life.
  • Interactive: Active participation in training sessions helps employees retain information more effectively than passive listening.

Phishing Statistics Every Healthcare Organization Should Know

  • 68 million phishing emails spoofed Microsoft in 2023
  • 1 in 10 employees fail simulated phishing tests
  • Breaches that begin with phishing take an average of 295 days to identify and contain
  • 1 in 3 companies admitted to being unprepared for a cyberattack in 2022
  • Phishing reports to the FBI are up roughly 12x since 2018

These statistics, drawn from Proofpoint, the FBI Internet Crime Complaint Center, Barracuda Networks, and IBM, underscore the critical need for improved cybersecurity measures in healthcare.

Regulatory and Organizational Responses

Earlier this year, HHS released a set of voluntary cybersecurity performance goals encouraging healthcare entities to implement basic cybersecurity training, bolster email security, and revoke credentials promptly when employees leave. Although the goals are voluntary, HHS has called on Congress to authorize fines for hospitals that fail to meet them.

Mitigation Strategies

To reduce the likelihood and impact of phishing and other social engineering incidents, healthcare organizations should:

  • Implement multi-factor authentication (MFA) for every account, preferring phishing-resistant methods (such as FIDO2 security keys or passkeys) for remote access and privileged accounts, since one-time codes and push prompts can themselves be phished or approved by a fatigued user
  • Enhance email security, including sender authentication, spam and malware filtering, and scanning of links and attachments
  • Train employees to recognize and report social engineering attempts
  • Audit remote access tools and review logs for execution of remote access software
  • Use robust, centrally managed security software on endpoints
  • Require that remote access use only authorized solutions, either from inside the network or through approved channels such as a VPN
  • Block inbound and outbound connections on common remote access software ports and protocols at the network perimeter
  • Implement centralized log collection so that evidence survives if an endpoint is compromised

Phishing remains a formidable threat to the healthcare industry, but with vigilant training, robust security controls, and ongoing awareness, organizations can significantly reduce the risk. Healthcare providers must prioritize cybersecurity to protect sensitive patient data and ensure the uninterrupted operation of essential services.

Learn about how HealthStream’s Security Awareness education can help protect your organization from security threats.