Social engineering is a major threat to healthcare, exploiting human vulnerabilities to gain unauthorized access to sensitive information. According to the Carahsoft 2021 HIMSS Healthcare Cybersecurity Survey, socially engineered phishing attacks accounted for a staggering 45% of security incidents in healthcare systems.
In 2023, healthcare organizations encountered a 279% increase in business email compromise (BEC) incidents. Socially engineered email attacks, including BEC, surged against the healthcare sector during this period. These statistics highlight the frequency and impact of social engineering tactics in the industry.
Additionally, the FBI's 2022 report highlights a concerning trend of cybercriminals targeting healthcare payment processors via social engineering attempts, with incidents resulting in the redirection of funds. These kinds of attacks mean that there is an urgent need to understand and combat social engineering threats in healthcare. Let’s look at social engineering threats in the healthcare space and what organizations can do to remain safe.
In February 2023, Highmark Health, the second largest integrated delivery and financing system in the U.S., was hit by a socially engineered phishing attack affecting around 300,000 individuals. The breach took place on December 15, 2022, when a Highmark employee clicked on a malicious link that granted unauthorized access to their email account for a span of two days.
As a result, the threat actor potentially obtained access to emails containing protected health information (PHI). Within the compromised email account were various forms of sensitive data, including names, enrollment information, prescription and treatment records, financial information, addresses, and contact numbers. This incident illustrates how an employee, lacking adequate awareness or training, inadvertently interacted with a malicious link, thus giving a threat actor unrestricted access.
It's important to remember that social engineering relies on manipulating individuals into divulging sensitive information or taking actions that compromise security. In this case, the phishing attack exploited the human factor, leveraging the employee's lack of awareness to breach the organization's defenses.
In phishing attacks, like the one mentioned above, social engineering tactics are used to take advantage of how people naturally behave. They use things like trust, curiosity, and the willingness to assist others to trick people into doing things that could compromise security. In places like healthcare facilities, where staff are usually busy taking care of patients and handling paperwork, they might be more likely to fall for these tricks. Also, with more ways to communicate online and with threat actors getting smarter, these types of attacks keep changing and are becoming more advanced in healthcare.
You might be curious about other ways threat actors manage to infiltrate healthcare organizations. Well one of those ways is by targeting IT help desks. In January 2024, the American Hospital Association (AHA) became aware of a social engineering scam targeting IT help desks. This scheme involves using the stolen identity of employees in critical financial positions, like those handling revenue cycles.
The attackers, believed to be based abroad, call IT help desks and exploit stolen personal information to answer security questions. They then request a password reset and the addition of a new device, often with a local area code, to receive multi-factor authentication (MFA) codes. This successfully bypasses multi-factor authentication measures, granting full access to the compromised employee's email and other systems. The threat actors use compromised email accounts to alter payment instructions with payment processors, redirecting legitimate payments to fraudulent U.S. bank accounts. It's suspected that these funds are eventually transferred overseas.
The sophistication of these social engineering campaigns is evident in the threat actors' ability to bypass MFA mechanisms, posing significant challenges to healthcare organizations. By enrolling new devices with local area codes, threat actors exploit vulnerabilities in authentication processes, granting them unrestricted access to email accounts and critical applications.
In 2023, Avertium released a Threat Intelligence Report detailing Scattered Spider's unique social engineering methods. The group has a wide range of targets, which include government agencies, tech companies, defense, and healthcare.
Scattered Spider focuses on infiltrating commonly used environments across various industries, including Windows, Linux, Google Workspace, AzureAD, M365, and AWS. They gather intelligence from platforms like SharePoint and OneDrive, seeking information such as VPN and MFA details, as well as help desk procedures.
In one instance, they gained access to Azure Active Directory and acquired user data, including privileged users. According to publicly available reports, Scattered Spider threat actors have:
Healthcare institutions store a wealth of data that, if stolen, creates challenges for victims and may go unnoticed for extended periods. Unfortunately, cybercriminals view this sector as a highly profitable source of personally identifiable information (PII) and associated financial records - easily sold in underground marketplaces.
Both individual cybercriminals and organized crime groups capitalize on these stolen datasets to commit fraud, theft of identity and intellectual property, espionage, blackmail, and extortion. Also, these details can be exploited to distribute malware via spam and phishing to unsuspecting victims.
Identity theft, particularly rampant in healthcare since 2015, involves using stolen PII to access services or resources, apply for credit or loans, open bank accounts, conduct online transactions, file tax returns for refunds, and engage in other illegal activities without the victim's awareness or consent. This means that cybercriminals can use the stolen PII to answer security questions or bypass authentication measures to gain access to sensitive information.
The financial value of stolen data drives these cybercriminal activities. For example, health information and medical records are valued at approximately $82.90 per record for U.S. consumers, while a Social Security number is worth around $55.70. Payment details, physical addresses, marital status, and gender information hold values of $45.10, $38.40, $17.90, and $2.90, respectively.
Threat actors know that if they can leverage readily available personal information, they can also manipulate IT help desk procedures to facilitate unauthorized access to sensitive data. Incidents reported by the AHA highlight the impact of these attacks.
In February 2024, nearly half of France’s population became affected by a massive data breach involving two third-party healthcare payment service providers, Viamedis and Almerys. The breach, disclosed by the French data privacy watchdog, CNIL, compromised data belonging to over 33 million customers.
The stolen information includes dates of birth, marital status, social security numbers, and insurance details. While no banking info, medical records, or contact information were compromised, the breach is deemed the largest in France’s history. Viamedis fell victim to a phishing attack targeting healthcare professionals, while Almerys’ breach remains undisclosed. French officials warn of potential phishing and social engineering attacks using the stolen data.
In October 2022, the Zeon group, masquerading as software providers, targeted the healthcare sector, exploiting trust and security gaps. They used tactics like "BazarCall spear-phishing" and "spear-phishing," tricking users into installing malware and divulging sensitive information. Zeon demonstrates creativity in evading detection by incorporating diverse keywords and specifically honing in on the healthcare sector, using the names of reputable healthcare and insurance companies.
The threat actors also made use of legitimate remote access tools and exploited vulnerabilities in Microsoft Exchange to gain unauthorized access. In September 2022, an alert was issued regarding the Zeon group impersonating a Health-ISAC member. They used counterfeit invoices to redirect unsuspecting users to a fake call center under their control. Upon infiltrating the healthcare network, they stole patient data and potentially deployed ransomware to demand payment for system restoration.
The AHA puts emphasis on the importance of strict security protocols for IT help desks. He suggests measures such as verifying requests with a callback to the employee's registered number and contacting their supervisor. In response to falling victim to the IT help desk scam, one major health system now mandates that employees appear in person at the IT help desk for such requests.
In response to these escalating threats, healthcare organizations must adopt proactive measures to enhance cybersecurity resilience:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Social Engineering attacks:
Scattered Spider Cyber Threat Actor: Decoding Intricacies (safeaeon.com)
33m French citizens data stolen in healthcare billing breach • The Register
New Social Engineering Attack Simulates Healthcare Software (ispartnersllc.com)
Ransomware disrupts hospitality, healthcare in September | TechTarget
Rising AI Driven Cyber Attacks Debilitating Hospitals and ERs (centretechnologies.com)
Hospital IT help desks targeted by sophisticated social engineering schemes | AHA News
Insider Threats in Healthcare (avertium.com)
202208181300_The Impact of Social Engineering On Healthcare_TLPWHITE (hhs.gov)
HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering (hipaajournal.com)
Healthcare Organizations Experience 279% Increase in… | Abnormal (abnormalsecurity.com)
Social Engineering and Healthcare - Security Through Education (social-engineer.org)
5 Threat Series - Email Phishing Attacks Presentation (hhs.gov)
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients | AHA
Phishing Attacks Targeting the Healthcare Sector (social-engineer.com)
Social Engineering Examples in Healthcare | ChartRequest
AHA Warns Hospitals of IT Help Desk Social Engineering Scheme (healthitsecurity.com)
Social Engineering in Healthcare: Recognizing and Mitigating the Human Factor - HIPAA Secure Now!
9 Ways to Social Engineer a Hospital (securitymetrics.com)
How Social Engineering Attacks Present Unique Risks for Health Care (risk-strategies.com)
The Rising Threat of Social Engineering Attacks in Healthcare - HIPAA Secure Now!
202208181300_The Impact of Social Engineering On Healthcare_TLPWHITE (hhs.gov)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.