Cybersecurity Awareness Month: Phishing

October is Cybersecurity Awareness Month

Throughout the month we will take on cybersecurity subjects that continue to be challenging in healthcare today and ask our experts to weigh in.

Topic 1: Phishing

Phishing continues to be the most prevalent cybersecurity threat in healthcare, and email remains its most common delivery channel. We asked our experts why this continues to be a challenge and what recommendations they have for IT teams to address the problem.

David Finn, Executive Vice President, Governance, Risk, Compliance, First Health Advisory
LinkedIn: David (Samuel) Finn

Phishing does continue to be the number one attack vector in healthcare, for several reasons. First, healthcare has high-value data, a lot of it consolidated to make care easier. However, the sensitivity of this data means it can be used for identity theft, insurance fraud, obtaining medical services, and a myriad of other abuses.

High turnover among healthcare employees also makes providers more susceptible to phishing attacks. A lack of training, or the timing of training, taken with the turnover rate, also makes it easier for the ‘bad guys’. Healthcare tends to have complex IT environments due to the hyperconnectivity that we have created by demands of care, third parties, and even patient-driven needs. While the idea of a busy and distracted workforce may apply to any business, in healthcare you have an entire organization focused on patient care. If you have a care issue in the subject of the email or a realistic scenario, maybe an actual patient name in the message, for example, people moving fast but trying to help may click a link without appropriate scrutiny. We can’t forget that phishing emails are getting very sophisticated and very targeted at this point, including the use of AI to write very convincing emails.

Finally, many providers or healthcare-related businesses do not have robust incident response plans. Without them or failing to regularly practice, it can be very difficult to respond to a phishing attack quickly or effectively when the attack does come.

Addressing these challenges requires a comprehensive approach that includes regular training, robust security policies, effective incident response plans, and running regular exercises, as well as simulated phishing exercises to reinforce that training and awareness of new issues.

We see a tremendous uptick in Multi-Factor Authentication (MFA) in the sector, but it tends to be on the remote-access systems that people think are at the most risk, such as EMRs, financial systems, or other clinical systems. Where we don’t often see it is on the email itself, which becomes the front door. You always must have the basics in place: email filtering and security; regular software updates and patching; and, of course, monitoring tools and analytics looking at email traffic and end-user behavior.

Chad Holmes, Security Evangelist, Cynerio
LinkedIn: Chad Holmes

The reality of cybersecurity is that it only takes one human error to make an entire organization vulnerable. The likelihood of such errors is even higher in healthcare environments where patient care is always the top priority, as it should be. With this in mind, IT teams must assume human failure and adopt best practices to minimize the impact of phishing attacks.

The recently released HPH Cybersecurity Performance Goals have done an outstanding job in documenting how this can be done using basic approaches including improved cybersecurity training and broader adoption of email security tools. More realistically, implementing deeper defenses will be the biggest industry win, including working with the assumption that phishing will happen, and therefore implementing responsive approaches like healthcare-focused Network Detection and Response along with improved incident planning and response.

All healthcare IT team members should become intimately familiar with the HPH CPGs which provide a clear roadmap to improving the security of their environments.

Heather Randall, PhD, Chief Compliance Officer, TrustCommerce, a Sphere Company
LinkedIn: Heather Randall, PhD

The biggest challenge here is that phishing continues to evolve using the very technologies that we are often implementing to make our jobs easier. Leveraging AI allows fraudsters to develop more sophisticated, convincing, and targeted hooks. We must remember that phishing is, at its core, a social engineering tactic – meaning that we must rely on the instincts of people, not just technology, to combat it. In addition to our strong technology control frameworks, we cannot overstate the importance of training and awareness for everyone within the organization.

Nandy Vaisman, VP of Operations & CISO, Vim
LinkedIn: Nandy Vaisman

Phishing remains a persistent challenge in healthcare primarily because it exploits the human element, which is often the weakest link in cybersecurity.

Despite technological advancements and increased awareness, end users continue to serve as a bridge between untrusted and trusted zones. The current approach of enhancing email trust through technology and awareness training, while helpful, is not sufficiently addressing the root of the problem.

The fundamental issue is that we continue to rely on end users to make security decisions, rather than designing systems that assume user compromise and protect critical assets accordingly.

Most directly, I would suggest shifting the security mindset. Essentially, instead of solely focusing on preventing compromised situations, assume that end users will eventually be compromised and design security measures accordingly.

The next best thing to do is to implement industry best practices such as strict access controls, enhancing email filtering, conducting regular security training, deploying multi-factor authentication, segmenting networks, and using Data Loss Prevention tools, while gradually adopting a Zero Trust framework starting with critical assets.

Bridget O’Connor, COO, Fortalice Solutions
LinkedIn: Bridget S.

Phishing remains a significant challenge in healthcare due to the sensitive nature of data and the emotional tactics attackers use to manipulate staff. The decentralized structure of many organizations complicates consistent security practices. To address this, IT teams should implement enhanced training programs that engage employees with real-world examples of phishing tactics alongside periodic simulations to reinforce this knowledge. Investing in advanced email filtering solutions can help catch phishing attempts before they reach users. Additionally, establishing a straightforward process for reporting suspicious emails fosters a culture of vigilance while developing and regularly updating incident response plans, which ensures swift action when attacks occur. IT teams can empower staff and strengthen defenses against phishing threats by focusing on these strategies.

Lance Reid, CEO, Telcion Communications Group
LinkedIn: Lance Reid

Email phishing remains the most common form of cyberattack for the simple reason that it’s the most effective. The problem lies in the fact that users often aren’t cautious enough about which emails they open, or more importantly, click through. Hackers have gotten very good at disguising emails to look very similar to the legitimate emails that we receive on a regular basis, causing us to be desensitized to the threat. While many phishing emails get caught by advanced email security platforms, a handful still slip through, which leaves only one final line of defense: the user. We must emphasize 100% participation in security awareness training, so users can become adept at recognizing and avoiding phishing attempts.

Neil Jones, CISSP®, Director of Cybersecurity Evangelism, Egnyte
LinkedIn: Neil K. Jones

At its base, phishing preys on IT users’ inherent trust of internal organizations, business colleagues and functions that the users have successfully performed time and time again – like clicking on links that appear in ordinary emails or text messages. For that reason, we need to educate users that clicking on unexpected links can be risky, no matter who the “sender” might be.

IT leaders can get a step ahead of phishing attacks by doing the following:

  • Educating users about the potential dangers of phishing messages, and even sending out internal test messages, to determine which users click on the test messages and why. Each of those clicks can become a teachable moment.
  • Gamifying the phishing prevention process, by giving internal accolades or even small-dollar gift cards to users who don’t click on phishing emails or proactively report such messages to their IT teams.
  • Explaining to business executives that senior-level leaders are frequently targets of spear-phishing attacks, because they generally have access to more data than average IT users, especially sensitive corporate data.
  • Reminding users to validate phishing emails with a different communications approach. For example, if a user receives an email message that they believe to be phishing-generated, they should call or text the sender to confirm that the message is legitimate.
  • Utilizing internal collaboration portals that increase data protection and limit the amount of email and text communication to begin with.

Lesley Berkeyheiser, CCSFP, CHQP, Senior Assessor, DirectTrust
LinkedIn: Lesley Berkeyheiser

Phishing attacks, particularly via email, remain one of the most persistent cybersecurity challenges in healthcare, largely due to their continuously evolving tactics. These attacks exploit gaps in awareness, lack of robust email security infrastructure, and strained IT resources. The common vulnerabilities include insufficient email filtering for malicious links and attachments, inadequate tools for validating email senders and domains, and a lack of comprehensive staff training on how to spot and handle phishing attempts.

To combat these threats, healthcare organizations must adopt a multi-layered approach to email security. Implementing multi-factor authentication (MFA) is a baseline safeguard to prevent unauthorized access, while tagging external emails alerts staff to potential threats. But even the most current use of technology cannot prevent an attack if the “people factor” is not addressed. Ongoing reinforcement through education, training and the use of automated phishing campaigns and table-top exercises for all workforce members strengthens employees so that they “practice” how to quickly recognize and appropriately respond to phishing attempts. A proactive strategy that blends advanced security tools with human awareness can significantly reduce the risk of falling victim to phishing attacks in healthcare settings.

Mohan Badkundri, Vice President of Development, HSBlox
LinkedIn: Mohan Badkundri

Security awareness, spam filters/secure email gateways, Multifactor authentication (MFA) in a Zero Trust framework, and enhanced anomaly logging are common practices deployed by firms worldwide to combat phishing. One area that firms should start utilizing even more is to implement machine learning (ML) as a key strategy to combat phishing attacks, leveraging its capacity to analyze, adapt, and recognize patterns that may signify harmful activities. ML can be utilized to monitor user behavior, analyze the content of emails to identify potential phishing signs, and flag spam or malicious messages. It also can examine URL domains and links to highlight suspicious ones, providing users with prompt feedback about the safety of links or attachments, thus improving their security awareness. Moreover, it can be incorporated into current security frameworks, including firewalls and intrusion detection systems, to establish a comprehensive defense strategy against phishing attacks.

Ryan Finlay, Principal CISO, CereCore
LinkedIn: Ryan F.

As generative AI gains traction, the era of poorly written phishing emails has come to an end; with a few clicks, anyone can create a professional, convincing email. The good news is that it’s not just bad actors who harness AI. Healthcare organizations should also use AI-driven services to analyze patterns and detect non-human-generated messages.

Essential controls are essential. Flag external emails, use geo-blocks when necessary, and actively maintain an effective email security solution.

I recommend fostering a culture of security awareness across the organization and seizing every opportunity to educate employees about cyber threats. A good tactic is to make education relatable to employees’ personal lives, which translates into stronger cybersecurity practices in the office.

Greg Surla, SVP, Chief Information Security Officer, FinThrive
LinkedIn: Greg S.

Phishing succeeds by exploiting human trust rather than bypassing security controls. Attackers only need to deceive one person, and they send out thousands of phishing messages. The odds of an attack are in their favor.

The most effective strategy against phishing is to empower employees to recognize phishing messages and become a human firewall. Use training and periodic testing to gauge the effectiveness of this approach and adjust as necessary.

It’s crucial for the company’s C-suite and senior leadership to be involved. Their participation ensures the message is clear: failing to spot a phishing message has severe consequences for the organization.

Rob T. Lee, Chief of Research and Head of Faculty, SANS Institute
LinkedIn: Rob T. Lee

Phishing remains pervasive in healthcare because it exploits the human element—a vulnerability that technology alone cannot fully mitigate. Email is a trusted communication tool in any organizational setting, and thus attackers mimicking urgency or authority find easy success when attempting to deceive staff. Now with generative AI also at their fingertips, phishing email campaigns are becoming more sophisticated and convincing.

To tackle this ongoing challenge, IT teams must prioritize continuous education and awareness for all levels in healthcare, such as conducting simulated phishing exercises. Additionally, layered security measures like advanced email filtering, multi-factor authentication, and robust incident response protocols are essential to reduce the risk and impact of these attacks. We’ve seen the scale of devastation that can follow a healthcare breach, and by strengthening the weakest link—ourselves—we can prevent the escalation of potential consequences.

Scott Littrell, Head of Technology Services, TruBridge

Cybersecurity, particularly social engineering, has evolved from being primarily an IT responsibility to an organization-wide concern. This is especially true in healthcare where high-valued patient data is at stake and email is the primary method for bad actors to infiltrate service lines.

Organizations must strike a careful balance between relaying information to their communities while avoiding oversharing that could aid attackers. Bad actors often exploit the altruistic nature of healthcare workers. For example, they use seemingly “internal” knowledge to convince end-users of the legitimacy of phishing attempts thereby opening the door to patient data breaches.

AI has also raised the bar on these nefarious phishing attacks. Attackers are now able to create highly convincing and harder-to-detect emails. They have also become more sophisticated with new tricks such as personalized targeting, improved grammar, context-aware messaging, and dynamic content. Health IT departments, already overwhelmed and facing budget constraints, struggle to keep up with these evolving tactics.

Beyond common tools, we suggest continued end-user education to prevent phishing attacks. Consider internal phishing campaigns that mimic real world attempts as part of your regular training and provide staff with easy reporting channels to flag suspicious emails. Incident response plans are another valuable step to take.

An incident response plan, including a phishing playbook and regular tabletop exercises, ensures everyone is aware of their role in the event of a cybersecurity emergency. Leaders from all service lines should participate in and support these exercises to maximize effectiveness while conveying the importance of repetitive training and education to their healthcare teams.

While partnership opportunities are not suitable for everyone, it’s important to explore and assess whether one makes sense. Recently, Microsoft offered financial incentives for rural healthcare providers to enhance security and training. Monitor and explore these external support options while also engaging with your existing EHR partners.

Bad actors aren’t ceasing their attack efforts any time soon. Take every step possible to guide your facility and offer protections for stronger cybersecurity functions.

Dave Sampson, Vice President of Cyber Risk & Strategy, Thrive
LinkedIn: Dave Sampson

The main element behind successful phishing attacks is taking advantage of normal human behavior. This issue shows that just one mistake in the cyber equation can result in a major breach, and the advancement of generative AI has made phishing messages more sophisticated, increasing the overall risk. Third-party email filtering solutions and regular security awareness training are the most effective ways to mitigate phishing attacks. Regular training, along with phishing tests and targeted retraining, are proven methods to reduce user credential leaks from this very common attack method.

Mike Kiser, Director of Strategy & Standards, SailPoint
LinkedIn: Mike Kiser

Phishing continues to be the most prevalent cybersecurity threat in healthcare because of the high-value data healthcare organizations have access to, including personal, medical and financial information, as well as the lack of cybersecurity training for these workers – all increasing their vulnerability. The United States’ healthcare systems remain one of the least cyber-resilient industries due to the misalignment of protective resources and the services we rely upon the most. Email specifically has become a high risk in healthcare because of its widespread use, lack of authentication and the reliance on older technology and systems that lack the robust cybersecurity defenses of newer technology.

Aside from the need for more funding to keep this sector secure, the primary way organizations can take action against phishing is by spreading awareness about the signs of fake accounts – like misspelled words, urgent tone, or email addresses that don’t match the sender. IT can also prevent employees from being victimized by phishing attacks by advocating for companies to implement proper security measures across employee accounts and encourage security best practices. These include multi-factor authentication, passkeys, and enabling log-in attempt alerts.
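Two of the controls mentioned above, tagging external email (Lesley Berkeyheiser) and catching sender addresses that don't match the name shown (Mike Kiser), can be checked mechanically on the message headers before a user ever sees the mail. The script below is an added example, not code from the article or from any contributor's organisation. It uses only the Python standard library; the internal domain `example-health.org`, the `[EXTERNAL]` tag text and the three sample messages are constructed for the demonstration.

```python
"""Sender-header triage for inbound mail.

Added example; not code from the article or any contributor's organisation.
For one raw RFC 5322 message it reports whether the sender is external (the
basis for subject tagging), whether the display name claims an identity the
real address does not back up, and whether Reply-To diverges from From.
The internal domain and the sample messages are constructed for the demo.
"""
import email
import re
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example-health.org"   # assumed internal domain (placeholder)
EXTERNAL_TAG = "[EXTERNAL] "             # assumed tag text

# Something that looks like an address embedded in the display name.
_ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(address: str) -> str:
    """Lowercase domain of a bare address, '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def triage(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> List[str]:
    """Return the findings for one message; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    internal = internal_domain.lower()
    findings = []

    # External-sender flag: anything not sent from the internal domain.
    if from_domain != internal:
        findings.append("external-sender")

    # Display name claims an internal identity or a different address than the
    # real one, e.g. "it-support@example-health.org" <alerts@mail-secure.test>.
    claimed = _ADDR_IN_NAME.search(display_name)
    claims_other_addr = bool(claimed) and claimed.group(0).lower() != from_addr.lower()
    claims_internal = internal in display_name.lower() and from_domain != internal
    if claims_other_addr or claims_internal:
        findings.append("display-name-mismatch")

    # Replies routed to a domain other than the one the mail claims to come from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if _domain(reply_addr) != from_domain:
            findings.append("reply-to-mismatch")

    return findings


def tag_subject(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> str:
    """Subject as it should be delivered: prefixed when the sender is external."""
    msg = email.message_from_bytes(raw)
    subject = str(msg.get("Subject", ""))
    if "external-sender" in triage(raw, internal_domain) and not subject.startswith(EXTERNAL_TAG):
        return EXTERNAL_TAG + subject
    return subject


# Constructed sample messages (not real traffic).
INTERNAL_MSG = b"""From: Jane Doe <jane.doe@example-health.org>
To: staff@example-health.org
Subject: Shift schedule

The updated schedule is on the intranet.
"""

VENDOR_MSG = b"""From: Billing <billing@vendor.example>
Reply-To: billing@vendor.example
To: ap@example-health.org
Subject: Invoice 1042

Attached.
"""

SPOOF_MSG = b"""From: "it-support@example-health.org" <alerts@mail-secure.test>
Reply-To: helpdesk@collect-creds.test
To: nurse@example-health.org
Subject: Password expires today

Sign in now to keep your account.
"""

if __name__ == "__main__":
    for name, raw in [("internal", INTERNAL_MSG), ("vendor", VENDOR_MSG), ("spoof", SPOOF_MSG)]:
        print(f"{name:8} {tag_subject(raw)!r:40} {triage(raw)}")
```

The vendor message shows why the external tag alone is not a verdict: a legitimate supplier is external too, and only the combination of findings (external, impersonating display name, diverted Reply-To) marks the third message as worth quarantining or routing to the reporting queue.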

David Bailey, EMBA, CISSP, Vice President, Consulting Services, Security, Clearwater
LinkedIn: David Bailey

Individuals remain primary targets for threat actors seeking to launch attacks, deploy malware, steal credentials, and exploit vulnerabilities for disruptive or financially motivated purposes. These actors are constantly evolving their tactics, using increasingly targeted methods to deceive individuals into thinking interactions are legitimate—such as opening files, clicking links, or providing personal information. Organizations should prioritize ongoing training and awareness programs to keep individuals informed about the latest techniques used by threat actors. It’s also crucial for IT teams to implement strong controls to protect identities and authentication. Additionally, continuous monitoring and response capabilities are essential for swiftly addressing and mitigating the impact of any successful attempts. To build resilience, organizations must regularly test and validate the effectiveness of their controls, ensuring they can quickly respond to and recover from any attacks.

David Slazyk, Chief Information Officer, Nextech
LinkedIn: David Slazyk

Phishing remains a persistent cybersecurity threat in healthcare because attackers aim to exploit one of our most valuable yet vulnerable resources—people. The ‘human firewall’ is a critical form of defense against cybersecurity attacks, yet this cannot be the primary control to stop phishing attempts. In the healthcare industry, the stakes are even higher because we’re safeguarding sensitive health data that attackers are eager to obtain. Even with robust training, professionals can fall victim to sophisticated phishing attempts. Therefore, the first and most critical step in stopping cybercrime is implementing the right technology to prevent phishing emails from reaching users. By deploying advanced email security tools that filter out malicious messages before they hit inboxes, going beyond basic filters, we minimize risk and reliance on staff to make these pivotal split-second decisions. This approach stops threats at the gate, making our people a secondary line of defense rather than the first.

Cecil Pineda, Chief Information Security Officer and Senior Vice President, R1
LinkedIn: Cecil P.

Phishing is the most effective cybersecurity threat in healthcare because it targets the human element – people are inherently easier to deceive than technology. Attackers craft emails to evade security tools, hiding malicious payloads in ways that entice people to click. While email security systems can block a large volume of phishing attempts – sometimes up to 99.9% – the sheer volume is overwhelming. For instance, it’s not uncommon for organizations to receive hundreds of thousands of phishing emails in a week. Even if only 10 make it through the filters, it’s enough to pose a significant threat.

The real challenge lies in educating users. Many of the successful incidents that were thwarted involved individuals reporting suspicious emails. This underscores the importance of continuous awareness. IT teams should focus on enhancing phishing awareness through ongoing training. Teaching employees to recognize key elements of phishing emails is one of the most effective controls. Regular simulations, clear reporting mechanisms, and reinforcing the importance of staying vigilant can empower employees to be the last line of defense when security barriers are breached. In the end, the most effective tool against phishing is an informed and attentive staff.

Thyaga Vasudevan, Executive Vice President, Product, Skyhigh Security
LinkedIn: Thyaga Vasudevan

Amid concerns about a rise in phishing attacks targeting healthcare organizations, proper cyber training for all staff, including human resources, should be a top priority for IT teams.

Email is the lifeblood of enterprise communication and collaboration, but it is also still one of the most effective ways to distribute malware or ransomware. Bad actors know the saying too – “if it’s not broken, don’t fix it.” Today, broader adoption of AI has gifted bad actors the ability to create believable correspondence when attempting to gain quick trust of employees. And we humans are, unfortunately, still the weakest link in cybersecurity.

To protect all organizations against these threats, but especially those with sensitive data, IT teams and leadership must prioritize cybersecurity measures and cyber training in all areas of the company and for all staff, from human resources to the CEO themself.

Nick Kathmann, CISO, LogicGate
LinkedIn: Nicholas Kathmann

Cybercriminals know that disrupting the healthcare industry can negatively impact patient care and even lead to loss of life – which makes healthcare organizations highly motivated to pay ransomware demands quickly. Unfortunately, despite increased awareness, addressing this threat is still a challenge – especially for smaller, more rural healthcare organizations with limited resources. These facilities often have limited security solutions, smaller IT and security departments, and minimal training opportunities.

Compromised credentials remain one of the most common vectors for attackers, with many leveraging email or SMS phishing scams to trick victims into giving away their login information. These attackers frequently target average employees (rather than C-suite executives who may have more rigorous security measures in place), and – thanks to AI – attackers now easily craft convincing, personalized emails that mimic a colleague or friend. Ultimately, that means phishing is a human problem more than a technology problem – and like marketing experts, attackers have had many, many years to perfect their tactics and identify the messaging most likely to resonate with their audience.

This means security training is critical for employees at all levels – everyone from the CEO to the newest intern needs to be able to confidently identify the signs of a phishing scheme. Ongoing training can help employees spot phony websites (attackers love to trick their victims with just slightly wrong URLs), odd requests from executives, and other suspicious signs. Ultimately, it’s up to humans to outsmart their attackers – and training is critical. Luckily, this doesn’t always require a large financial investment. Cybersecurity education organizations like SANS offer free resources to help organizations navigate this process. When that fails, the old adage of “defense in depth” comes into play, where things like least privilege/need to know, posture assessments, MFA, device authentication, URL/domain reputation monitoring, IAM monitoring, email security, DLP and UBA come in to help thwart the attack and, if it succeeds, detect and respond quickly.
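The "slightly wrong URLs" Nick Kathmann describes, and the link and domain examination Mohan Badkundri recommends, can be caught by comparing each link's domain against the domains an organisation actually trusts. The script below is an added example, not code from the article or from any contributor's organisation. It reduces a host to its last two labels (a deliberate simplification; production tooling uses the Public Suffix List), folds common look-alike character substitutions, and measures edit distance against an allowlist. The allowlist, the homoglyph table and the sample message body are constructed for the demonstration.

```python
"""Look-alike domain check for links in a message body.

Added example; not code from the article or any contributor's organisation.
The trusted-domain allowlist, homoglyph table and sample body are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-health.org", "securepay.example"}  # assumed allowlist

# Substitutions that read the same at a glance; extend as needed.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def normalise(name: str) -> str:
    """Fold homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    s = name.lower()
    for bad, good in _HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two DNS labels (simplification: no Public Suffix List here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched trusted domain or None)."""
    host = host.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted", trusted           # the real domain or a subdomain of it
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + "."):
            return "embedded", trusted          # trusted name used as a subdomain of another site
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(normalise(reg), normalise(trusted)) <= 2:
            return "lookalike", trusted         # typo-squat or homoglyph of a trusted domain
    return "unknown", None


def check_links(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every http(s) URL found in text as (url, verdict, trusted_match)."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict, match = classify_host(host)
        results.append((url, verdict, match))
    return results


# Constructed sample body (not a real message).
SAMPLE_BODY = (
    "Your password expires today. Renew at https://examp1e-health.org/reset "
    "or via the portal https://portal.example-health.org/login . "
    "Pay here: https://securepay.example.billing-update.test/pay"
)

if __name__ == "__main__":
    for url, verdict, match in check_links(SAMPLE_BODY):
        print(f"{verdict:9} {url}  (matches: {match})")
```

Only "unknown" should fall through to a reputation lookup; "lookalike" and "embedded" are strong enough signals on their own to hold the message for review, which is the feedback loop Badkundri describes when he suggests giving users prompt feedback about link safety.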

George Pappas, CEO, Intraprise Health
LinkedIn: George C. Pappas, CFCHE

Phishing remains a persistent threat because cybercriminals, especially with the use of generative AI, can craft emails that seem plausible enough to deceive recipients into clicking. Email is the most common medium for these attacks, as it continues to be the primary method for internal communications, though phishing can also occur through texts and other platforms. Another factor at play is the high potential for distraction among employees, which can reduce their ability to distinguish between legitimate and fraudulent messages. Even a brief lapse in vigilance can allow a well-crafted phishing attempt to succeed, opening the door to various types of security breaches.

Suggestions for IT teams: Implement a regular regimen of phishing tests, using a variety of methods, templates, and approaches to mimic real-world tactics. For employees who consistently fail these tests, consider isolating them within a more secure section of your network that enforces stricter authentication protocols and dynamic access challenges for systems and applications. Additionally, adopt basic Zero Trust principles, at a minimum, to add multiple layers of protection to minimize the risk in case of a breach.