Cyberattacks on health care industry growing

©arrow-stock.adobe.com

If it seems like you’re seeing more suspicious emails lately, there’s a good chance you’re correct.

The health care industry has seen a 167% increase in advanced email attacks in 2023, according to a report from Abnormal Security, a cybersecurity company.

These attacks include business email compromise, such as an email that appears to come from a vendor or some other source that works regularly with the organization, or a company CEO asking for help with an urgent need.

Advanced email attacks can also include phishing schemes designed to prod victims into sharing personal information, such as an email from a seemingly legitimate company with a link to update their information.

Mike Britton, chief information security officer of Abnormal Security, says attackers know how to engage with victims and gain their trust.

“When you dig into the aspects of why these attacks are so successful, they all kind of go back to social engineering,” Britton told Chief Health care Executive®, a sister publication to Medical Economics. “And the best ingredient for social engineering, if I'm an attacker, is fear, uncertainty and doubt. And in the health care space, there seems to be a lot of fear, uncertainty and doubt.”

Britton says health care organizations deal with a wide variety of groups, including vendors, suppliers and patients, giving attackers many potential figures to impersonate. If the attacker is impersonating a familiar name, victims tend to be trusting or at least give the benefit of the doubt.

“Because I can take advantage of that implicit trust for the social engineering aspect, I'm able to get a lot farther. I'm able to get people to reply, I'm able to kind of move down towards some sort of payday,” Britton says.

More hospitals have suffered ransomware attacks in 2023. Through late June, more than 220 cyberattacks have targeted hospitals and health systems, according to the American Hospital Association.

In the first six months of 2023, 40 million Americans were affected by health data breaches, according to a report by Critical Insight, a cybersecurity firm. By comparison, a record 58 million people were impacted by breaches in all of 2021.

Cybersecurity analysts say hospitals and health systems are starting to make some progress in improving the security of their systems, while adding that some systems have more robust defenses than others.

Some attackers have changed tactics as more organizations have employed better defenses, according to Britton. “This has been a shift over time,” he says. “Attackers have figured out if I'm sending a mass campaign that looks the same, it's easy to stop. If I'm sending a campaign that has malware in it, it's easy to stop. If I send a campaign with malicious URLs, it's easy to stop. So really, at the end of the day, I want engagement.”

“And that's where social engineering comes in,” he adds. “I don't want you to necessarily click, and I get paid. I want you to respond back, I want to start reeling you in, I want to hook you, make you think that I am who you think I am. And from there, build that trust, build that rapport, to the point where I can get you to do things that you wouldn't normally do.”

Health care leaders and boards need to place a high priority on cybersecurity to protect their patients and their organizations, experts say. Hospitals should also share information with each other more often, Britton suggests.

“I may work for a competing hospital from you, but at the end of the day, we're all trying to stop the same attackers," Britton says. "And it's no benefit to me as an organization if they attack you, because they're going to attack me as well. So we should share intelligence, we should share what's working, what's not working, and really leverage the security community in a broader sense.”