Laura M. Cascella, MA, CPHRM

Cybersecurity and cyberattacks have been a persistent and escalating concern in healthcare with the advancement of electronic health records, digital data, medical devices, personal electronic devices, cloud technologies, and artificial intelligence (AI). As technology has evolved, so too have the activities and sophistication of cyber criminals.

The practice of “phishing” is one of the most widespread tactics used to trick individuals into revealing sensitive and proprietary information with the purpose of gaining access into systems.¹ Phishing is a type of social engineering that attempts “to gain usernames, passwords or medical data, for malicious reasons, using communications such as email or messaging by encouraging recipients to click links to websites running malicious code or to download or install malware.”²

A 2021 Healthcare Information and Management Systems Society (HIMSS) survey of healthcare cybersecurity professionals found that the most significant security incidents over a 12-month period involved phishing.³ Further, the 2022 iteration of the HIMSS survey found that while phishing is pervasive, awareness is not.⁴

To proactively address threats from phishing attacks, healthcare organizations of all types and sizes need to implement strategies to raise awareness, educate their workforces, and protect their systems. Examples of strategies to combat phishing include the following:

• Work to build and sustain a strong security culture in your organization that focuses on an enterprise-wide approach to security and privacy.
• Develop and implement a comprehensive cybersecurity training program for providers, staff, volunteers, etc., which includes education and training related to various types of phishing attacks — e.g., spear phishing (targeted phishing attacks), smishing (texting phishing attacks), and vishing (voicemail or phone phishing attacks).
• Use simulated phishing emails, texts, and voicemails as part of training to help staff members learn to identify suspicious messages. Make sure simulation exercises are part of a training program that focuses on enhancing knowledge and learning rather than shaming or punishing employees.
• Train your workforce in security best practices related to preventing phishing attacks, including:
  • Being aware of common signs of phishing attacks, such as messages with typos and other grammatical errors, messages with unusual greetings or tone, odd telephone numbers or email addresses, messages sent from public email domains or misspelled domain names, messages with suspect attachments, and links with suspicious destination addresses.
  • Not responding to suspicious emails, texts, voicemails, or phone calls. Guidance from anti-virus provider Kaspersky notes that “Even prompts to reply like texting ‘STOP’ to unsubscribe can be a trick to identify active phone numbers.”⁵
  • Never providing passwords or account recovery codes via email, texts, or phone.
  • Verifying the authenticity of messages, particularly if they ask the receiver to take actions that deviate from standard processes.
  • Being wary of urgent emails, texts, or messages that request immediate action or state short-turnaround deadlines or limited-time opportunities.
  • Going directly to the source (e.g., a person within the organization or an external organization’s website) to confirm requests or verify information. If an individual has any questions about the veracity of a message, they should not click on links or provide protected information.
  • Reporting all known and suspected phishing attacks to the organization’s information technology (IT) department.
• Run educational campaigns within your organization to raise awareness about phishing and its potential consequences. Use a variety of methods to engage your workforce, such as email reminders, intranet posts, videos and other graphics, contests, and more.
• Implement technical safeguards to help block phishing attacks or prevent them from being successful (e.g., up-to-date antivirus software, spam filters, web filters, firewalls, multi-factor authentication, strong password requirements, data encryption, system lockouts, etc.). Make sure any recommended security patches or software updates are installed immediately.
• Limit the amount of information that your organization publishes on publicly available webpages. Staff directories, contact information, and organizational charts can help cyber criminals identify targets and create savvier phishing attacks.
• Maintain awareness of evolving cybersecurity strategies. As cyberattacks become more sophisticated, particularly with the advancement of AI, so too will the tactics to prevent them.⁶