- Politics
- Diversity, equity and inclusion
- Financial Decision Making
- Telehealth
- Patient Experience
- Leadership
- Point of Care Tools
- Product Solutions
- Management
- Technology
- Healthcare Transformation
- Data + Technology
- Safer Hospitals
- Business
- Providers in Practice
- Mergers and Acquisitions
- AI & Data Analytics
- Cybersecurity
- Interoperability & EHRs
- Medical Devices
- Pop Health Tech
- Precision Medicine
- Virtual Care
- Health equity
Health systems see spike in advanced email cyberattacks
The attacks involve business email compromise and phishing attempts. A cybersecurity expert says attackers will slowly engage victims and build trust.
If it seems like you’re seeing more suspicious emails, there’s a good chance you’re correct.
The healthcare industry has seen a 167% increase in advanced email attacks in 2023, according to a report from Abnormal Security, a cybersecurity company.
These attacks include business email compromise, such as an email that appears to come from a vendor or some other source that works regularly with the organization, or a company CEO asking for help with an urgent need.
Advanced email attacks can also include phishing schemes designed to prod victims into sharing personal information, such as an email from a seemingly legitimate company with a link to update their information.
Mike Britton, chief information security officer of Abnormal Security, says attackers know how to engage with victims and gain their trust.
“When you dig into the aspects of why these attacks are so successful, they all kind of go back to social engineering,” Britton tells Chief Healthcare Executive®. “And the best ingredient for social engineering, if I'm an attacker, is fear, uncertainty and doubt. And in the healthcare space, there seems to be a lot of fear, uncertainty and doubt.”
Britton says healthcare organizations deal with a wide variety of groups, including vendors, suppliers and patients, giving attackers a number of potential figures to impersonate. If the attacker is impersonating a familiar name, victims tend to be trusting or at least give the benefit of the doubt.
“Because I can take advantage of that implicit trust for the social engineering aspect, I'm able to get a lot farther. I'm able to get people to reply, I'm able to kind of move down towards some sort of payday,” Britton says.
More hospitals have suffered ransomware attacks in 2023. Through late June, more than 220 cyberattacks have targeted hospitals and health systems, according to the American Hospital Association.
In the first six months of 2023, 40 million Americans were affected by health data breaches, according to a report by Critical Insight, a cybersecurity firm. By comparison, a record 58 million people were impacted by breaches in all of 2021.
Cybersecurity analysts say hospitals and health systems are starting to make some progress in improving the security of their systems, although they add that some systems have more robust defenses than others.
Some attackers have shifted tactics as more organizations have employed better defenses, Britton says.
“This has been a shift over time,” Britton says. “Attackers have figured out if I'm sending a mass campaign that looks the same, it's easy to stop. If I'm sending a campaign that has malware in it, it's easy to stop. If I send a campaign with malicious URLs, it's easy to stop. So really, at the end of the day, I want engagement.”
“And that's where social engineering comes in,” he adds. “So I don't want you to necessarily click, and I get paid. I want you to respond back, I want to start reeling you in, I want to hook you, make you think that I am who you think I am. And from there, build that trust, build that rapport, to the point where I can get you to do things that you wouldn't normally do.”
Healthcare leaders and boards need to place a high priority on cybersecurity to protect their patients and their organizations, experts say.
Hospitals should also share information with each other more often, Britton suggests.
As Britton says, “I may work for a competing hospital from you. But at the end of the day, we're all trying to stop the same attackers. And it's no benefit to me as an organization if they attack you, because they're going to attack me as well. So we should share intelligence, we should share what's working, what's not working, and really leverage the security community in a broader sense.”
Read more from Chief Healthcare Executive®
Paying the ransom: Hospitals face hard choices in cyberattacks
Protecting patients in a cyberattack: Guidance from the Joint Commission
