Healthcare News & Insights

Phishing in the healthcare industry: What you need to know

Phishing is the No. 1 cyber threat faced by the healthcare industry, and it’s not going away any time soon. In this guest post, Lindsey Havens, director of marketing at PhishLabs, an organization that protects businesses against cyberattacks, explains what you can do about it.


Over the past few years, we’ve seen a huge rise in the volume of cyber attacks targeting healthcare organizations.

And that’s not surprising. For starters, healthcare organizations are known for having low security budgets, making them an easy target for cyber criminals. Add the fact that medical records typically sell for more on criminal markets than stolen credit card numbers, because they carry enough identity and insurance data to support fraud long after a card would have been cancelled, and you have a recipe for trouble.

Knowing this is step one.

Step two is understanding how cyber criminals are targeting healthcare organizations. Thankfully, answering this is surprisingly easy: They use phishing and other social engineering tactics to steal user credentials, deliver ransomware and other malware, and even trick payment staff into wiring large sums of money directly to a criminal’s bank account (the fraud known as business email compromise).

Quite simply, phishing is the No. 1 cyber threat faced by the healthcare industry … and here’s what you can do about it.

Technology has its limitations

If you want to tackle the threat posed by phishing, here’s the first thing you must understand: Technical security controls are great, but they aren’t perfect.

Let’s be clear, spam filters are essential in the modern world. Without them, we’d all be drowning in emails flogging everything from Viagra to unlicensed financial advice.

But no matter what security vendors might claim, no spam filter can ever catch 100% of incoming spam, and that goes double for incoming malicious email. Cyber criminals spend a great deal of time and energy finding new ways to circumvent common security technologies, and they’ve become proficient at it. That means no matter what you do, some phishing emails will make it into user inboxes.

So, are your users ready to deal with that? Do you think they’d do a good job of distinguishing between legitimate emails and targeted phishing attacks?

If you haven’t spent any time preparing your users to handle this eventuality, the answer is probably no.

So this is the first principle of fighting back against phishing in the healthcare industry: Understand that technology can only do so much, and commit to giving your users the training and guidance they need to reliably distinguish between legitimate and malicious emails.

Why your security awareness training (SAT) program probably isn’t going to cut it

Be honest, your current security awareness program isn’t great, is it? Don’t worry, you aren’t alone.

Most healthcare organizations only bother with security training because the HIPAA Security Rule requires it. As a result, they usually take the standard “sitting in a stuffy room for an hour once per year while a bored intern talks about good and bad passwords” approach to security awareness training.

But here’s the thing. Now that you know what a serious threat phishing is, does this strike you as a sensible approach? In fact, doesn’t this approach seem crazy?

To be clear, if you’re serious about reducing cyber risk, you’re going to need to take a very different approach to end-user security training.

Here’s the first thing you should do: Delete the word “awareness” from your vocabulary. Why? Because simply giving people more information doesn’t cause them to change their behaviors. If it did, don’t you think everybody would have stopped smoking and eating too much fast food by now?

If you want to make serious changes to the way your employees behave, you’ll need to go way beyond improving their security awareness.

How to fight phishing

So if awareness won’t cut it, how can you train your users to spot phishing emails? Simple: By creating your own simulated phishing emails and sending them to your users.

Yup, it’s as simple as giving your users an opportunity to practice distinguishing between legitimate and malicious emails.

Your users are never going to improve their ability to spot phishing emails unless they’re given an opportunity to practice outside a formal training session. And the best way to give them that opportunity is to construct realistic phishing simulations, send them to your users, and track their responses over time.

Now, clearly, there must still be a training component to your program. At a minimum, you’ll need to explain to them how the program will work, what the purpose is and what you expect from them. Even more importantly, you’ll need to arm them with a basic understanding of what phishing is, and what typical phishing lures might look like.

But don’t overload your users with information right up front. Give them the basics, and reserve more detailed training for further down the road.

Because right now, it’s time to go phishing.

You didn’t think we were done, did you? Clearly, while the principle is very simple, there are some things to keep in mind.

Here are four steps you should take to maximize the potency of your anti-phishing program:

1) Realism is everything

There’s no point in producing phishing simulations unless they closely resemble what your users will encounter in the real world. To produce realistic simulations, you’ll need:

  • A source of phishing intelligence, including healthcare-specific samples (the lures your own users report are the best source of all)
  • An experienced phishing expert to own the program and produce your phishing simulations, and
  • The willingness to gradually increase complexity over time and stick with the program for the long haul.

2) Define success

First off, it’s not enough for users to simply delete phishing emails when they identify them. To really fight back against phishing, you’ll need your users to report identified phishing emails. This is for three primary reasons:

  • Reported phish give you indicators (sender addresses, reply-to addresses, URLs, attachment hashes) that you can feed into your mail gateway to block or quarantine similar messages
  • You can use real reported phishing emails to inform future simulations, and
  • It’s much easier to track progress if you have something to track.

3) Point-of-failure training

Since the program I’ve described here includes only minimal up-front training, you’ll need to identify a good time to provide additional training sessions along the way. A good rule of thumb is to only train users when they need to be trained.

How do you do that?

By providing on-the-spot digital training the moment a user “fails” one of your simulations. This “point-of-failure” training should focus on the specific type of phishing email the user has just received (and failed to identify) as this will maximize their learning.

4) Provide additional support where necessary

Here’s the thing about cybersecurity: A small number of under-performing users can undo all the hard work done by everybody else.

Any time you find yourself with a user who repeatedly fails your simulations, it’s a good idea to intervene and provide one-to-one support. Typically, with greater support, these individuals can make dramatic improvements, so don’t assume they’re a lost cause.
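Steps 2, 3 and 4 all come down to keeping score: success means a report, not a silent delete; a click should trigger point-of-failure training right away; and users who fail campaign after campaign need one-to-one help. The following is an added example, not code from the article or from PhishLabs. It reads a constructed event log from a simulated-phishing program (the users, campaign ids, timestamps and action names are all made up for illustration) and computes per-campaign click and report rates, minutes to first report, the point-of-failure training queue, and the repeat-failure list.

```python
"""Phishing-simulation scorecard.

Added example, not the article's or PhishLabs' code. Reads a constructed
event log from a simulated-phishing program and computes what the article
says to track: per-campaign click and report rates (reporting, not deleting,
is the success condition), minutes to first report, who needs point-of-failure
training now, and who has failed often enough to need one-to-one support.
Users, campaign ids, timestamps and events are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed log: ISO timestamp, campaign id, user, action. Actions are
# delivered (simulation sent), clicked (followed the lure), submitted (typed
# credentials on the landing page), reported (used the report button). A user
# who just deletes the email generates no event at all.
SAMPLE_LOG = """\
2024-01-08T09:00:00 c1 alice delivered
2024-01-08T09:00:00 c1 bob delivered
2024-01-08T09:00:00 c1 carol delivered
2024-01-08T09:00:00 c1 dave delivered
2024-01-08T09:04:12 c1 alice reported
2024-01-08T09:07:30 c1 bob clicked
2024-01-08T09:07:45 c1 bob submitted
2024-01-08T09:20:00 c1 dave clicked
2024-01-08T09:22:00 c1 dave reported
2024-02-12T09:00:00 c2 alice delivered
2024-02-12T09:00:00 c2 bob delivered
2024-02-12T09:00:00 c2 carol delivered
2024-02-12T09:00:00 c2 dave delivered
2024-02-12T09:03:00 c2 carol reported
2024-02-12T09:05:00 c2 bob clicked
2024-02-12T09:30:00 c2 alice reported
2024-03-11T09:00:00 c3 alice delivered
2024-03-11T09:00:00 c3 bob delivered
2024-03-11T09:00:00 c3 carol delivered
2024-03-11T09:00:00 c3 dave delivered
2024-03-11T09:02:00 c3 bob clicked
2024-03-11T09:10:00 c3 dave reported
"""
ACTIONS = {"delivered", "clicked", "submitted", "reported"}
Target = Tuple[str, str]  # (campaign, user)


@dataclass(frozen=True)
class Event:
    ts: datetime
    campaign: str
    user: str
    action: str


def parse_log(text: str) -> List[Event]:
    """Parse the four-column log into Events, oldest first; reject unknown actions."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, campaign, user, action = line.split()
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}: {line}")
        events.append(Event(datetime.fromisoformat(ts), campaign, user, action))
    return sorted(events, key=lambda e: e.ts)


def actions_by_target(events: List[Event]) -> Dict[Target, Set[str]]:
    """(campaign, user) -> set of actions, for everyone a simulation was delivered to."""
    acts: Dict[Target, Set[str]] = defaultdict(set)
    for e in events:
        acts[(e.campaign, e.user)].add(e.action)
    return {k: v for k, v in acts.items() if "delivered" in v}


def outcome(acts: Set[str]) -> str:
    """reported (only full success) | clicked_then_reported | clicked | ignored.
    'ignored' covers silently deleting the email, which step 2 does not count as success."""
    if "clicked" in acts or "submitted" in acts:
        return "clicked_then_reported" if "reported" in acts else "clicked"
    return "reported" if "reported" in acts else "ignored"


def campaign_metrics(events: List[Event]) -> Dict[str, Dict[str, object]]:
    """Per-campaign rates over delivered users, plus minutes from send to first report."""
    events = sorted(events, key=lambda e: e.ts)
    sent_at: Dict[str, datetime] = {}
    first_report: Dict[str, datetime] = {}
    for e in events:  # sorted, so setdefault keeps the earliest timestamp
        if e.action == "delivered":
            sent_at.setdefault(e.campaign, e.ts)
        elif e.action == "reported":
            first_report.setdefault(e.campaign, e.ts)
    by_campaign: Dict[str, List[Set[str]]] = defaultdict(list)
    for (campaign, _user), acts in actions_by_target(events).items():
        by_campaign[campaign].append(acts)
    metrics = {}
    for campaign, targets in by_campaign.items():
        n = len(targets)
        outs = [outcome(a) for a in targets]
        ttr = None
        if campaign in first_report:
            ttr = (first_report[campaign] - sent_at[campaign]).total_seconds() / 60
        metrics[campaign] = {
            "delivered": n,
            "click_rate": sum(o.startswith("clicked") for o in outs) / n,
            "submit_rate": sum("submitted" in a for a in targets) / n,
            "report_rate": sum("reported" in a for a in targets) / n,
            "clean_report_rate": outs.count("reported") / n,  # reported without clicking
            "minutes_to_first_report": ttr,
        }
    return metrics


def point_of_failure_queue(events: List[Event]) -> List[Target]:
    """Step 3: everyone who clicked gets on-the-spot training for that campaign's lure."""
    return sorted(k for k, a in actions_by_target(events).items() if outcome(a).startswith("clicked"))


def repeat_failures(events: List[Event], threshold: int = 2) -> List[str]:
    """Step 4: users who clicked in at least `threshold` campaigns need one-to-one support."""
    fails: Dict[str, int] = defaultdict(int)
    for (_campaign, user), a in actions_by_target(events).items():
        if outcome(a).startswith("clicked"):
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for campaign, m in campaign_metrics(evs).items():
        print(campaign, m)
    print("point-of-failure training:", point_of_failure_queue(evs))
    print("one-to-one support:", repeat_failures(evs))
```

Two design choices worth noting: a report that arrives after a click still counts as a report (the gateway indicators are just as useful) but the click still counts as a failure, and "clean report rate" is tracked separately because that is the behaviour the program is trying to grow. Over real campaigns the click rate should fall and the clean report rate and time-to-first-report should both improve; if report rate stays flat while clicks fall, users are deleting rather than reporting, which is exactly what step 2 warns against.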

Consistency is king

Let’s be honest, things aren’t about to get easier for the healthcare industry. In the coming years, you can expect to be on the receiving end of a growing volume of cyber threats.

The anti-phishing program I’ve described here isn’t a one-shot solution to this problem. Quite the opposite, in fact. It’s intended to be run consistently over a period of years, cultivating and maintaining in your users the skills necessary to identify increasingly sophisticated phishing attacks.

If you’re willing to trust the process and keep at it, you should see measurable improvement in click and report rates within the first few campaigns, and your exposure to phishing will keep falling as the program matures.

Lindsey Havens is the director of marketing at PhishLabs, an organization that protects businesses against cyberattacks, where she focuses on inbound marketing and nurturing client relationships.

