Phishing: A hospital’s worst nightmare

Hospital employees often fall victim to phishing scams, thereby releasing sensitive patient information. 


Health care workers have a lot to worry about, but recent reports of data breaches may add yet another problem to their already stressful work environments. Hackers have begun to narrow in on what it takes to get patient information directly from the source, and apparently, all they need to do is ask.

Despite the importance of protecting patient confidentiality, hospitals are becoming easy targets for phishing attacks. These scams involve cybercriminals sending out emails to intended victims, posing as some sort of authority figure in order to simply ask these health care workers for their login credentials.

The breach itself isn't always the only problem

Perhaps the most recent example of a confirmed phishing attack against a hospital was the scam that befell City of Hope Hospital in Duarte, California. The hacker behind this scheme was granted access to employee accounts. Although most patients affected by this particular incident only had their name and medical record number compromised, a portion of the group also had personally identifiable information (PII) like their home address leaked. A single patient also had his or her Social Security number fall into the hands of the criminal.


While those who had their information stolen were the real victims here, the breaching of patient data wasn't the sole concern. Email accounts of all employees had to be temporarily disabled as an outside firm assessed how far this scheme had reached. This means multiple workers weren't allowed access to important information, slowing down certain duties. Downtime is the bane of any business, but it's potentially life-threatening when it comes to the medical sector, showing just how big of a problem phishing can be.

Hackers want more than PII

Although PII like a date of birth or home address can help a hacker steal a patient's identity, this type of data isn't the only profitable information contained within a medical document. Health care records often contain information some patients might find embarrassing – a pressure point cybercriminals can push to make a profit.

A good example is the attack against the St. Joseph Health collective. This umbrella covers multiple hospitals and health care facilities, making it a perfect target. In 2012, St. Joseph Health found itself the target of a cyberattack. When the smoke cleared, nearly 31,000 patients had their medical information stolen. What's really interesting about this particular attack is that the hacker or group of hackers didn't actually get the PII of their victims. Rather, they only stole lab results and body mass index data.

Most people might think that type of information is benign, but the courts seemed to believe otherwise. Patients affected by the breach will receive $242 each, totaling $7.5 million for the victims and another $7.5 million for legal fees. Although this $15 million mistake wasn't the direct result of a phishing scam, it shows that health care facilities need to protect more than their patients' PII. Hackers will use any information they're given to extort money out of their victims, even if it's an embarrassing lab test result.

Cybercriminals extort people by threatening to release sensitive medical information. Hackers have no problem using embarrassing medical information to their advantage.

What can health care facilities do?

Health care administrators need to understand the risks their employees are exposing patients to by being so cavalier with login information. As such, staff members need to be trained on how to spot and mitigate phishing attacks, and how to report them to the proper authorities. Chris Hadnagy, CEO of consulting firm Social-Engineer, found that 93 percent of institutions don't educate their employees about the dangers of phishing.

Clearly, the first place to start is making sure workers understand the gravity of these kinds of attacks. That said, there are other steps medical facilities can take in order to ensure data security. Fax over IP (FoIP) is one of the most secure methods of document transfer out there. Hackers very rarely target fax machines, meaning that workers can rely on the authenticity of a message sent via FoIP. A FoIP system, combined with an educational effort surrounding phishing, could very well save your medical facility from an embarrassing attack.

Enhance enterprise communication, collaboration and compliance efforts with a proven FoIP solution from FaxCore. Contact FaxCore today to learn more about their 'Partly-Cloudy' fax solutions.
