Commentary: There is no denying that the United States needs a strong and secure health care sector. The healthcare industry saves countless lives, creates millions of jobs, and contributes significantly to economic growth. For this reason, it is also one of the most popular targets for advanced social engineering email attacks.

Although security leaders have made significant efforts to strengthen defenses and educate employees on best practices, email attacks against healthcare organizations continue to increase. With the new prevalence of targeted and hard-to-detect email attacks, traditional solutions and employee awareness will no longer be enough to protect healthcare systems.
Why attackers target healthcare
Interfering with essential healthcare services can have dire consequences, and cybercriminals know that desperate organizations will pay hefty ransoms to stop an active attack. But that's not the only reason hackers are focusing on healthcare.
Another major factor is the vast amount of sensitive information held in healthcare institutions. These vast collections of patient data, financial details, and medical records are a veritable gold mine for cybercriminals. According to one cybersecurity researcher, medical data can be sold on the dark web for up to 20 times the price of a credit card number, making it an extremely lucrative stolen commodity.
Second, while healthcare organizations are highly regulated, those regulations do not always lead to increased security. In fact, compliance requirements can keep healthcare organizations on outdated security systems and procedures, inadvertently leaving them vulnerable to advanced attacks.
And this doesn't account for the fact that the healthcare industry's relatively high turnover rates and complex supply chains also work in favor of cybercriminals. Because new employees may not know their service providers or co-workers well, it is easy to imitate these contacts through social engineering schemes. On the other hand, threat actors may find that long-term employees feel overly comfortable with their relationships with vendors and co-workers, and are willing to do things they would normally avoid, such as sharing sensitive data via email.
Major threats facing healthcare today
As in most industries, security leaders in the healthcare industry have increasingly invested in employee security awareness and education over the past few years, strengthening their staff's ability to spot and report potential threats. Unfortunately, cybercriminals are one step ahead. Users should always be on guard against misspellings, poor grammar, and offers that sound too good to be true, but new sophisticated email attacks are much harder to spot.
Thanks to the proliferation of generative AI tools like ChatGPT, threat actors can quickly generate polished, professional-looking emails that effectively mimic a target's trusted contacts (peers, managers, vendors, etc.). It's no surprise, then, that vendor email compromise (VEC) and business email compromise (BEC) attacks on healthcare have increased over the past year, with VEC attacks increasing by 60% since August 2023.
Like all social engineering attacks, both BEC and VEC involve impersonating a trusted party. In a BEC attack, the cybercriminal impersonates a colleague, boss, or senior executive, while in a VEC attack, the cybercriminal typically impersonates a supplier, distributor, or service provider. Armed with thorough research about the targeted and impersonated individuals, attackers can exploit these relationships to trick well-meaning employees into processing fraudulent invoices, sharing sensitive information, or mistakenly providing access credentials.
Additionally, attackers are increasingly accessing vendor email accounts and hijacking existing threads, so their targets have no reason to suspect malicious intent. This method also allows them to easily bypass traditional email security tools that rely on common signals such as spoofed domains or suspicious attachments to block threats. These seemingly innocuous, text-only emails often slip through the cracks because traditional tools can't detect attacks sent from compromised accounts.
How healthcare organizations can mitigate email attacks
Cybercriminals know that healthcare organizations rely on email to facilitate communication between healthcare teams, with vendors, and between patients and providers. With the help of generative AI, they exploit healthcare workers' reliance on this channel, launching hundreds of highly strategic social engineering attacks against organizations every month.
Traditional defense methods are no longer sufficient to protect the healthcare industry from sophisticated email attacks, as there is no malicious content to trigger traditional security tools and no signs to arouse employee suspicion. Fortunately, security leaders can stay informed about new tactics and layer in more advanced AI-powered threat detection to neutralize threats before they reach users' inboxes.
With 2025 just around the corner, BEC and VEC attacks are guaranteed to continue and may become even more difficult to identify in the new year as threat actors refine their approaches. By taking the necessary preparatory steps, healthcare organizations can reduce the risk of becoming one of next year's statistics.
Mike Britton, Chief Information Security Officer, Abnormal Security
SC Media Perspectives columns are written by SC Media's trusted community of cybersecurity subject matter experts. Each contribution has the goal of bringing a unique voice to important cybersecurity topics. We strive to ensure that our content is of the highest quality, objective, and non-commercial.