executive summary

Social engineering is a major threat to healthcare, exploiting human vulnerabilities to gain unauthorized access to sensitive information. According to the Carahsoft 2021 HIMSS Healthcare Cybersecurity Survey, socially engineered phishing attacks accounted for a staggering 45% of security incidents in healthcare systems.

In 2023, healthcare organizations encountered a 279% increase in business email compromise (BEC) incidents. Socially engineered email attacks, including BEC, surged against the healthcare sector during this period. These statistics highlight the frequency and impact of social engineering tactics in the industry.

Additionally, the FBI's 2022 report highlights a concerning trend of cybercriminals targeting healthcare payment processors via social engineering attempts, with incidents resulting in the redirection of funds. These kinds of attacks mean that there is an urgent need to understand and combat social engineering threats in healthcare. Let’s look at social engineering threats in the healthcare space and what organizations can do to remain safe.

tir snapshot

  • In February 2023, Highmark Health, the second largest integrated delivery and financing system in the U.S., was hit by a socially engineered phishing attack affecting around 300,000 individuals. The breach took place on December 15, 2022, when a Highmark employee clicked on a malicious link that granted unauthorized access to their email account for a span of two days.
  • It's important to remember that social engineering relies on manipulating individuals into divulging sensitive information or taking actions that compromise security.
  • In phishing attacks, like the one mentioned above, social engineering tactics are used to take advantage of how people naturally behave.
  • In January 2024, the American Hospital Association (AHA) became aware of a social engineering scam targeting IT help desks. This scheme involves using the stolen identity of employees in critical financial positions, like those handling revenue cycles.
  • The attackers, believed to be based abroad, call IT help desks and exploit stolen personal information to answer security questions.
  • The ransomware gang, Scattered Spider, has a wide range of targets, which include government agencies, tech companies, defense, and healthcare. They are also known for craftily bypassing MFA and impersonating IT help desks.
  • Healthcare institutions store a wealth of data that, if stolen, creates challenges for victims and may go unnoticed for extended periods. Cybercriminals view this sector as a highly profitable source of personally identifiable information (PII) and associated financial records - easily sold in underground marketplaces.
  • Threat actors know that if they can leverage readily available personal information, they can also manipulate IT help desk procedures to facilitate unauthorized access to sensitive data.
  • Fortunately, there are best practices that healthcare organizations can utilize to remain safe.

social engineering in healthcare

In February 2023, Highmark Health, the second largest integrated delivery and financing system in the U.S., was hit by a socially engineered phishing attack affecting around 300,000 individuals. The breach took place on December 15, 2022, when a Highmark employee clicked on a malicious link that granted unauthorized access to their email account for a span of two days.

As a result, the threat actor potentially obtained access to emails containing protected health information (PHI). Within the compromised email account were various forms of sensitive data, including names, enrollment information, prescription and treatment records, financial information, addresses, and contact numbers. This incident illustrates how an employee, lacking adequate awareness or training, inadvertently interacted with a malicious link, thus giving a threat actor unrestricted access.

It's important to remember that social engineering relies on manipulating individuals into divulging sensitive information or taking actions that compromise security. In this case, the phishing attack exploited the human factor, leveraging the employee's lack of awareness to breach the organization's defenses.

In phishing attacks, like the one mentioned above, social engineering tactics are used to take advantage of how people naturally behave. They use things like trust, curiosity, and the willingness to assist others to trick people into doing things that could compromise security. In places like healthcare facilities, where staff are usually busy taking care of patients and handling paperwork, they might be more likely to fall for these tricks. Also, with more ways to communicate online and with threat actors getting smarter, these types of attacks keep changing and are becoming more advanced in healthcare.

how threat actors infiltrate healthcare organizations

HOSPITAL IT HELP DESKS - ADVANCED SOCIAL ENGINEERING

You might be curious about other ways threat actors manage to infiltrate healthcare organizations. Well, one of those ways is by targeting IT help desks. In January 2024, the American Hospital Association (AHA) became aware of a social engineering scam targeting IT help desks. This scheme involves using the stolen identity of employees in critical financial positions, like those handling revenue cycles.

The attackers, believed to be based abroad, call IT help desks and exploit stolen personal information to answer security questions. They then request a password reset and the addition of a new device, often with a local area code, to receive multi-factor authentication (MFA) codes. This successfully bypasses multi-factor authentication measures, granting full access to the compromised employee's email and other systems. The threat actors use compromised email accounts to alter payment instructions with payment processors, redirecting legitimate payments to fraudulent U.S. bank accounts. It's suspected that these funds are eventually transferred overseas.

The sophistication of these social engineering campaigns is evident in the threat actors' ability to bypass MFA mechanisms, posing significant challenges to healthcare organizations. By enrolling new devices with local area codes, threat actors exploit vulnerabilities in authentication processes, granting them unrestricted access to email accounts and critical applications.

MFA

In 2023, Avertium released a Threat Intelligence Report detailing Scattered Spider's unique social engineering methods. The group has a wide range of targets, which include government agencies, tech companies, defense, and healthcare.

Scattered Spider focuses on infiltrating commonly used environments across various industries, including Windows, Linux, Google Workspace, AzureAD, M365, and AWS. They gather intelligence from platforms like SharePoint and OneDrive, seeking information such as VPN and MFA details, as well as help desk procedures.

In one instance, they gained access to Azure Active Directory and acquired user data, including privileged users. According to publicly available reports, Scattered Spider threat actors have:

  • Impersonated company IT or helpdesk staff via phone calls or SMS messages to obtain credentials from employees and access the network.

  • Impersonated IT staff to direct employees to use commercial remote access tools for initial access.

  • Pretended to be IT staff to persuade employees to share their one-time passwords (OTPs), used for MFA.

  • Sent multiple MFA notification prompts, causing employees to repeatedly press the "Accept" button (known as MFA fatigue).

  • Persuaded cellular carriers to transfer control of a targeted user's phone number to a SIM card they controlled, gaining access to the phone and MFA prompts.

  • Exploited access to victim networks for various purposes, including ransomware extortion and data theft.
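The help-desk sequence described above (a reset, then a new MFA device, then altered payment instructions) and the MFA fatigue technique in the list above both leave traces in identity-provider audit logs. The detection below is an added example, not Avertium's or the AHA's tooling; the event names, usernames, ticket ids, phone numbers and the ON_FILE_PHONE directory are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit events (sample data, not from any real incident).
# Tuple layout: (timestamp, user, event, detail). For mfa_device_added the detail is the
# phone number enrolled; for payment_instruction_changed it is the payee that was edited.
SAMPLE_EVENTS = [
    ("2024-01-09T09:02:00", "rcycle.lead", "password_reset_by_helpdesk", "ticket-1042"),
    ("2024-01-09T09:06:00", "rcycle.lead", "mfa_device_added", "+1-412-555-0188"),
    ("2024-01-09T09:31:00", "rcycle.lead", "payment_instruction_changed", "vendor-7781"),
    ("2024-01-10T14:00:00", "it.admin", "password_reset_by_helpdesk", "ticket-1050"),
    ("2024-01-12T08:00:00", "it.admin", "mfa_device_added", "+1-412-555-0101"),
] + [  # a burst of six push prompts in five minutes, then an approval: MFA fatigue
    ("2024-01-09T11:%02d:00" % m, "nurse.jdoe", "mfa_push_sent", "push") for m in range(6)
] + [("2024-01-09T11:05:30", "nurse.jdoe", "mfa_push_approved", "push")]

# Phone numbers HR has on record for each user (constructed).
ON_FILE_PHONE = {"rcycle.lead": "+1-412-555-0101", "nurse.jdoe": "+1-412-555-0144",
                 "it.admin": "+1-412-555-0101"}

def detect_reset_then_new_device(events, window=timedelta(hours=1), follow=timedelta(hours=24)):
    """Flag a help-desk password reset followed within `window` by a new MFA device,
    the sequence in the AHA help-desk scheme; escalate to high if the same account then
    changes payment instructions within `follow` (the BEC outcome the report describes)."""
    last_reset, alerts = {}, {}
    for ts, user, event, detail in sorted(events):   # ISO timestamps sort lexicographically
        t = datetime.fromisoformat(ts)
        if event == "password_reset_by_helpdesk":
            last_reset[user] = t
        elif event == "mfa_device_added" and user in last_reset and t - last_reset[user] <= window:
            alerts[user] = {"user": user, "rule": "reset_then_new_mfa_device", "severity": "medium",
                            "minutes_after_reset": int((t - last_reset[user]).total_seconds() // 60),
                            "number_not_on_file": detail != ON_FILE_PHONE.get(user), "at": t}
        elif event == "payment_instruction_changed" and user in alerts and t - alerts[user]["at"] <= follow:
            alerts[user]["severity"] = "high"
    return list(alerts.values())

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a user who receives `threshold` or more push prompts inside a sliding `window`;
    the queue is cleared after firing so one burst produces one alert."""
    recent, alerts = defaultdict(list), []
    for ts, user, event, _ in sorted(events):
        if event != "mfa_push_sent":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while t - q[0] > window:   # drop prompts that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"user": user, "rule": "mfa_fatigue", "prompts": len(q)})
            q.clear()
    return alerts
```

Feed the two functions the same export of reset, enrollment, push and payment-change events; the it.admin entries show that an enrollment two days after a reset stays below the threshold.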

PERSONALLY IDENTIFIABLE INFORMATION (PII)

Healthcare institutions store a wealth of data that, if stolen, creates challenges for victims and may go unnoticed for extended periods. Unfortunately, cybercriminals view this sector as a highly profitable source of personally identifiable information (PII) and associated financial records - easily sold in underground marketplaces.

Both individual cybercriminals and organized crime groups capitalize on these stolen datasets to commit fraud, theft of identity and intellectual property, espionage, blackmail, and extortion. Also, these details can be exploited to distribute malware via spam and phishing to unsuspecting victims.

Identity theft, particularly rampant in healthcare since 2015, involves using stolen PII to access services or resources, apply for credit or loans, open bank accounts, conduct online transactions, file tax returns for refunds, and engage in other illegal activities without the victim's awareness or consent. This means that cybercriminals can use the stolen PII to answer security questions or bypass authentication measures to gain access to sensitive information.

The financial value of stolen data drives these cybercriminal activities. For example, health information and medical records are valued at approximately $82.90 per record for U.S. consumers, while a Social Security number is worth around $55.70. Payment details, physical addresses, marital status, and gender information hold values of $45.10, $38.40, $17.90, and $2.90, respectively.

Threat actors know that if they can leverage readily available personal information, they can also manipulate IT help desk procedures to facilitate unauthorized access to sensitive data. Incidents reported by the AHA highlight the impact of these attacks.

RECENT ATTACKS 

VIAMEDIS AND ALMERYS

In February 2024, nearly half of France’s population became affected by a massive data breach involving two third-party healthcare payment service providers, Viamedis and Almerys. The breach, disclosed by the French data privacy watchdog, CNIL, compromised data belonging to over 33 million customers.

The stolen information includes dates of birth, marital status, social security numbers, and insurance details. While no banking info, medical records, or contact information were compromised, the breach is deemed the largest in France’s history. Viamedis fell victim to a phishing attack targeting healthcare professionals, while Almerys’ breach remains undisclosed. French officials warn of potential phishing and social engineering attacks using the stolen data.

ZEON

In October 2022, the Zeon group, masquerading as software providers, targeted the healthcare sector, exploiting trust and security gaps. They used tactics like "BazarCall spear-phishing" and "spear-phishing," tricking users into installing malware and divulging sensitive information. Zeon demonstrates creativity in evading detection by incorporating diverse keywords and specifically honing in on the healthcare sector, using the names of reputable healthcare and insurance companies.

The threat actors also made use of legitimate remote access tools and exploited vulnerabilities in Microsoft Exchange to gain unauthorized access. In September 2022, an alert was issued regarding the Zeon group impersonating a Health-ISAC member. They used counterfeit invoices to redirect unsuspecting users to a fake call center under their control. Upon infiltrating the healthcare network, they stole patient data and potentially deployed ransomware to demand payment for system restoration.

RECOMMENDATIONS FOR HEALTHCARE ORGANIZATIONS

The AHA emphasizes the importance of strict security protocols for IT help desks. It suggests measures such as verifying requests with a callback to the employee's registered number and contacting their supervisor. In response to falling victim to the IT help desk scam, one major health system now mandates that employees appear in person at the IT help desk for such requests.

In response to these escalating threats, healthcare organizations must adopt proactive measures to enhance cybersecurity resilience:

  • Implement comprehensive employee training programs to raise awareness of social engineering tactics and reinforce security best practices.

  • Enhance authentication mechanisms beyond traditional MFA, incorporating strict verification processes and device enrollment protocols.

  • Strengthen data protection measures, including encryption and access controls, to protect sensitive information against unauthorized access.

  • Establish incident response protocols and conduct regular security assessments to identify and mitigate vulnerabilities promptly.
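One way to turn the help-desk recommendations above into an enforceable check, as an added example rather than the AHA's or any health system's actual procedure: the DIRECTORY, usernames and phone numbers are constructed, and the rules assume a callback counts only when it reaches the number HR has on record, not a number the caller supplies.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed HR-of-record directory (sample data). "high_risk" marks the roles the AHA
# scheme targets, such as staff who handle the revenue cycle.
DIRECTORY = {
    "rcycle.lead": {"phone": "+1-412-555-0101", "high_risk": True},
    "nurse.jdoe": {"phone": "+1-412-555-0144", "high_risk": False},
}

@dataclass
class HelpDeskRequest:
    username: str
    action: str                              # "password_reset" or "mfa_device_add"
    callback_number: Optional[str] = None    # number the agent actually dialled back
    new_device_number: Optional[str] = None  # number the caller wants enrolled for MFA codes
    supervisor_confirmed: bool = False       # supervisor reached through the directory
    in_person: bool = False                  # employee verified at the help desk counter

def evaluate(req: HelpDeskRequest):
    """Return ("allow", reason) or ("deny", reason).
    Answers to security questions are deliberately not an input: the PII behind them is
    exactly what the attackers in the AHA report had already bought or stolen."""
    record = DIRECTORY.get(req.username)
    if record is None:
        return ("deny", "unknown user")
    if req.action not in ("password_reset", "mfa_device_add"):
        return ("deny", "unsupported action")
    if req.in_person:
        return ("allow", "identity checked in person")
    problems = []
    if req.callback_number != record["phone"]:
        problems.append("no callback to the number of record")
    # A new number (local area code or not) is only enrolled at the counter, mirroring the
    # in-person mandate adopted by the health system mentioned above.
    if req.action == "mfa_device_add" and req.new_device_number != record["phone"]:
        problems.append("MFA device number differs from record; in-person enrollment required")
    if record["high_risk"] and not req.supervisor_confirmed:
        problems.append("high-risk role needs supervisor confirmation")
    if problems:
        return ("deny", "; ".join(problems))
    suffix = " with supervisor confirmation" if req.supervisor_confirmed else ""
    return ("allow", "callback verified" + suffix)
```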

How Avertium is Protecting Our Customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Social Engineering attacks:

  • Avertium partners with KnowBe4 – a company that offers user awareness training. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
    • Risk Assessments
    • Pen Testing and Social Engineering
    • Infrastructure Architecture and Integration
    • Zero Trust Network Architecture
    • Vulnerability Management
  • Avertium simplifies Governance, Risk, and Compliance (GRC) by providing contextual understanding instead of unnecessary complexity. With our cross-data, cross-industry, and cross-functional expertise, we enable you to meet regulatory requirements and demonstrate a robust security posture without any vulnerabilities. Our GRC services include:
    • Cyber Maturity
    • Compliance Assessments and Consulting
    • Managed GRC

Supporting Documentation

Unraveling Scattered Spider: A Stealthy and Persistent Threat Actor Targeting Telecom Networks (avertium.com)

Scattered Spider Cyber Threat Actor: Decoding Intricacies (safeaeon.com)

33m French citizens data stolen in healthcare billing breach • The Register

New Social Engineering Attack Simulates Healthcare Software  (ispartnersllc.com)

Healthcare under Attack: What Happens to Stolen Medical Records? - Informazioni sulla sicurezza (trendmicro.com)

Ransomware disrupts hospitality, healthcare in September | TechTarget

Scattered Spider | CISA

Rising AI Driven Cyber Attacks Debilitating Hospitals and ERs (centretechnologies.com)

Hospital IT help desks targeted by sophisticated social engineering schemes | AHA News

Insider Threats in Healthcare (avertium.com)

202208181300_The Impact of Social Engineering On Healthcare_TLPWHITE (hhs.gov)

HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering (hipaajournal.com)

Healthcare Organizations Experience 279% Increase in… | Abnormal (abnormalsecurity.com)

Social Engineering and Healthcare - Security Through Education (social-engineer.org)

HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million | HHS.gov

5 Threat Series - Email Phishing Attacks Presentation (hhs.gov)

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients | AHA

Phishing Attacks Targeting the Healthcare Sector (social-engineer.com)

Social Engineering Examples in Healthcare | ChartRequest

AHA Warns Hospitals of IT Help Desk Social Engineering Scheme (healthitsecurity.com)

Social Engineering in Healthcare: Recognizing and Mitigating the Human Factor - HIPAA Secure Now!

9 Ways to Social Engineer a Hospital (securitymetrics.com)

How Social Engineering Attacks Present Unique Risks for Health Care (risk-strategies.com)

The Rising Threat of Social Engineering Attacks in Healthcare - HIPAA Secure Now!

Top 10 Healthcare Cybersecurity Challenges, Problems, and Issues for 2024 (scarlettcybersecurity.com)

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
