The healthcare industry has always been an attractive target for cybercriminals – a treasure trove of sensitive information that can be exploited for financial gain. But recently, attacks on this sector have been mounting – especially attacks delivered through email. In fact, we have seen an alarming 37% increase in phishing targeting healthcare in the last 12 months alone. The sector is uniquely vulnerable to email attack tactics, and at the same time, criminal groups are adopting increasingly sophisticated techniques that enable them to evade traditional email defences.
Healthcare providers must urgently review and update their email security strategies to protect patients and personnel from the rising tide of malicious emails.
Why healthcare is a prime target
While phishing is a common threat to most sectors, healthcare has become a favourite target. The industry’s extensive store of medical records makes for a very lucrative prize – in fact, research indicates that a single record can fetch up to 20 times the price of credit card data on the dark web. Medical records are stuffed with personally identifiable information (PII) that can be used to fuel further malicious activity, and much of this data is permanent, giving it a long shelf life.
The sector is also highly vulnerable to ransom and blackmail tactics. Criminal gangs will routinely threaten to leak sensitive medical records online unless the target organisation pays up. Disrupting essential healthcare services can have disastrous consequences for patients’ wellbeing and cybercriminals know that desperate organisations will pay a hefty ransom to halt an active attack.
Healthcare providers are also seen as something of an easy target – one that often struggles to find the budget and resources to keep their IT and security systems up-to-date. Healthcare’s vast ecosystem of third-party vendors also presents significant vulnerabilities, expanding the number of entry points criminals can exploit.
The impact of attacks on the healthcare sector has been demonstrated in multiple recent incidents including the Synnovis breach, which caused the cancellation of thousands of appointments, and the massive data breach suffered by NHS Scotland.
Why high staff turnover is an overlooked weak link
Alongside technical issues, the sector is particularly vulnerable to social engineering tactics like phishing due to its high rate of employee turnover.
Frequent onboarding of new staff means that many are unfamiliar with internal security protocols and communication patterns, making it easier for cybercriminals to carry out impersonation attacks. This also means employees are less likely to know their colleagues personally, making it harder to spot the impersonation tactics widely used in phishing.
Compounding this, healthcare professionals operate in high-pressure, fast-paced environments. When workloads are heavy and time is scarce, staff are more likely to open and act on emails without scrutinising them carefully.
The rise of sophisticated Vendor Email Compromise (VEC)
Most healthcare providers operate within vast and complex supply chain webs, with large numbers of third-party vendors, contractors, and others requiring regular access to IT systems. This leaves the healthcare industry highly exposed to an increasingly popular tactic known as Vendor Email Compromise (VEC).
Unlike business email compromise, where attackers pose as internal colleagues or executives, VEC exploits the trust placed in third-party vendors: the attacker poses as, or takes over, a supplier the target already deals with. We have seen VEC attacks on healthcare surge by 60% in the past year alone.
In these attacks, cybercriminals will often impersonate trusted contacts using email spoofing techniques to hide their identities, for example by forging the display name or sending from a look-alike domain that differs from the vendor’s by a character or two. More advanced attackers will go as far as taking over a vendor’s email account and sending malicious emails directly from the legitimate mailbox; because those messages really do originate from the vendor, they pass SPF, DKIM and DMARC checks, and the only signals left are behavioural. Their goal is to manipulate ongoing communications, typically an existing invoice or payment thread, to deceive healthcare staff into sharing data and login credentials or transferring funds directly to the attackers’ accounts.
Moving beyond employee awareness training
Increasing cyber threat awareness through employee training has long been a favoured tactic for countering these attacks. However, while it is still important, it is no longer enough on its own to protect healthcare organisations from today’s sophisticated cyber threats.
Modern phishing attacks often appear highly realistic, especially in today’s generative AI era, where threat actors can quickly craft fluent, well-targeted emails that closely mimic trusted contacts. Such messages can evade even the most security-aware employees, and they can also bypass traditional email security tools. Those tools are usually built on policies that look for known indicators of compromise, such as malicious links, attachments or blocklisted senders. By omitting these indicators and relying on social engineering instead, attackers compromise their targets without raising any of the red flags the tooling is looking for.
To counter these threats, healthcare organisations must adopt advanced security measures that extend beyond traditional awareness programs and email security technologies.
Solutions powered by machine learning and artificial intelligence have a major role to play against today’s modern phishing attacks. By learning and baselining “normal” email behaviour, these solutions can detect and block malicious anomalies before they reach an employee’s inbox. These systems continuously adapt to evolving threats, offering protection against even the most convincing impersonation attempts.
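To make the contrast between the two approaches concrete, the following is an added example written for this page; it is not code from the article or from any vendor’s product. It runs an indicator-based rule (blocklisted senders and links) and a per-vendor behavioural baseline over a handful of constructed messages covering the three VEC variants described above: a look-alike domain, a forged message with a hijacked Reply-To, and a message sent from a taken-over vendor account. Every address, domain, message body and threshold in it is hypothetical, and a production system would baseline far more signals (sending infrastructure, conversation history, recipients, timing) than the four shown here.

```python
"""Added example (not from the article): an indicator-based e-mail rule next to a
per-vendor behavioural baseline, run over constructed vendor traffic.
All addresses, domains and message bodies below are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Msg:
    sender: str      # From: address
    reply_to: str    # Reply-To: address (equal to sender when the header is absent)
    spf_pass: bool   # authentication result the receiving MTA recorded for the From domain
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike vendor domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Language that asks the recipient to redirect money; VEC almost always needs it.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}?\b(bank|account|routing|iban|sort code|wire)\b",
    re.I | re.S)

# --- 1. Indicator-based rule: known bad senders and known bad links only ---
BLOCKLIST = {"known-bad.example"}          # hypothetical threat-intel list
URL = re.compile(r"https?://([\w.-]+)", re.I)


def indicator_rule(msg: Msg) -> list[str]:
    hits = []
    if domain(msg.sender) in BLOCKLIST:
        hits.append("sender on blocklist")
    for host in URL.findall(msg.body):
        if host.lower() in BLOCKLIST:
            hits.append(f"link to blocklisted host {host}")
    return hits


# --- 2. Behavioural baseline built from the organisation's own mail history ---
def build_baseline(history: list[Msg]) -> dict:
    """Per-vendor-domain profile of what 'normal' has looked like so far."""
    profile = defaultdict(lambda: {"msgs": 0, "reply_to_mismatch": 0,
                                   "payment_change": 0, "auth_fail": 0})
    for m in history:
        p = profile[domain(m.sender)]
        p["msgs"] += 1
        p["reply_to_mismatch"] += domain(m.reply_to) != domain(m.sender)
        p["payment_change"] += bool(PAYMENT_CHANGE.search(m.body))
        p["auth_fail"] += not m.spf_pass
    return dict(profile)


def behavioural_rule(msg: Msg, baseline: dict) -> list[str]:
    findings = []
    d = domain(msg.sender)
    p = baseline.get(d)
    if p is None:
        # Never seen this domain: is it a character or two away from a known vendor?
        for known in baseline:
            if 0 < edit_distance(d, known) <= 2:
                findings.append(f"look-alike of known vendor domain {known}")
        if PAYMENT_CHANGE.search(msg.body):
            findings.append("unknown sender asking to change payment details")
        return findings
    # Known vendor: flag behaviour this vendor has never exhibited before.
    if domain(msg.reply_to) != d and p["reply_to_mismatch"] == 0:
        findings.append("Reply-To points outside the vendor domain for the first time")
    if not msg.spf_pass and p["auth_fail"] == 0:
        findings.append("authentication failed; this vendor's mail always passed before")
    if PAYMENT_CHANGE.search(msg.body) and p["payment_change"] == 0:
        findings.append("first ever request to change payment details")
    return findings


HISTORY = [  # constructed: three routine invoices from the vendor
    Msg("accounts@medsupply-example.com", "accounts@medsupply-example.com", True,
        "Invoice 1041 attached. Payment terms net 30 as usual."),
    Msg("accounts@medsupply-example.com", "accounts@medsupply-example.com", True,
        "Invoice 1042 attached. Please confirm receipt."),
    Msg("accounts@medsupply-example.com", "accounts@medsupply-example.com", True,
        "Statement for March attached."),
]
ATTACKS = {  # constructed: three VEC variants, none carrying a link or a known-bad sender
    "lookalike": Msg("accounts@medsupp1y-example.com", "accounts@medsupp1y-example.com", True,
                     "Please note our updated bank details for invoice 1043 (see below)."),
    "reply_to_hijack": Msg("accounts@medsupply-example.com",
                           "accounts.medsupply@freemail-example.net", False,
                           "Invoice 1043 attached. Reply to this address for remittance queries."),
    "account_takeover": Msg("accounts@medsupply-example.com", "accounts@medsupply-example.com", True,
                            "We have changed bank. Please wire invoice 1043 to the new account below."),
}


def evaluate() -> dict:
    """Return {attack name: (indicator hits, behavioural findings)} for each sample."""
    baseline = build_baseline(HISTORY)
    return {name: (indicator_rule(m), behavioural_rule(m, baseline))
            for name, m in ATTACKS.items()}


if __name__ == "__main__":
    for name, (ind, beh) in evaluate().items():
        print(f"{name:17s} indicators={ind} behavioural={beh}")
```

Run as a script it prints both verdicts for each sample. The indicator rule returns nothing for any of the three variants, since none carries a link or a known-bad sender. The baseline flags the look-alike domain, the forged message whose Reply-To suddenly points at a free-mail domain and which also fails authentication, and the account-takeover message, whose only anomaly is that this vendor has never before asked to change payment details; that last case is exactly the one awareness training and indicator matching both struggle with.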
Layering technical solutions with ongoing training and phishing simulations provides the most effective defence. While it is valuable for personnel to be aware of common phishing tactics, they should not be expected to spot them reliably every single time.
The need for regulatory evolution
Regulatory bodies also have an important role to play in supporting healthcare providers as they manage the growing volume of cyberattacks. However, many compliance frameworks remain focused on legacy security issues, leaving healthcare providers vulnerable to new and fast-changing tactics like VEC and AI-assisted phishing.
Regulators need to ensure there are steps in place to frequently review the state of play in cyber threats to the sector, and update guidance and mandates accordingly.
Mandating specific controls, such as multifactor authentication on email accounts, which blunts the account takeover behind many VEC attacks, and steering organisations towards stronger, behaviour-based email security will help to mitigate these threats. Prioritising vendor risk management and ensuring consistent cybersecurity protocols across the supply chain will also reduce the risk of VEC attacks.
A proactive future for healthcare email cybersecurity
It’s clear that cybercriminal gangs are only growing more aggressive and brutal in their attacks on healthcare, emboldened by the many successful raids we have seen over the last few years.
Implementing multi-layered defence strategies, including advanced AI-powered systems, will be key to countering VEC and other phishing threats. By combining technological solutions with tough regulatory frameworks and continuous staff training, healthcare providers can better protect their operations, sensitive data, and, most importantly, patient safety.
By Mike Britton, CIO at Abnormal Security