HC3 Warns Healthcare Organations Of Social Engineering and Vishing Attacks

A warning has been issued by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center to warn healthcare organizations about voice phishing and social engineering attacks. 

Social engineering, in the context of cybersecurity, is the exploitation of individuals by malicious attackers for their own benefit. Social engineering is a general term that ecompasses a wide range of cyberattacks such as phishing, spear phishing, business email compromising whaling, scareware, baiting, callback phishing, SMS phishing, and pretexting. 

Social engineering techniques are employed in phishing attacks to deceive employees into giving up private information, such as protected health information, login credentials that give the threat actor access to the network, or malware that grants remote access to devices and the networks to which they are connected. These attacks can be extremely targeted or carried out in bulk, with the victims being carefully selected and baits made for certain people.

Phishing is the most popular method used by ransomware threat actors to gain initial access to healthcare networks. According to a 2021 HIMSS Healthcare Cybersecurity Survey, phishing attacks were involved in 45 percent of healthcare cybersecurity incidents. The HC3 has warned healthcare organizations of the dangers of vishing or “voice phishing”. Vishing is a type of social engineering that involves scamming individuals over the phone and encouraging them to provide sensitive information. According to a report issued by Agari, the number of phishing attacks have increased by 6 percent from Q1, 2022 to Q2, 2022. However, the use of vishing has increased by 625 percent. 

The HC3 have also advised healthcare organizations to be aware of callback phishing. First introduced by the BazarCall campaigns in March 2021, callback phishing is a form of social engineering in which the attacker sends a fake email and calls, before issuing a fake invoice or subscription notice. These emails are frequently not recognized as harmful by email security programs, and these programs cannot determine if a phone number is harmful or not.

In order to protect against all forms of phishing attacks, the HC3 suggests the following actions to improve security measures:

  • Ensure user awareness of new phishing campaigns targeting the healthcare industry through comprehensive training regimes. 
  • Confirm receipts of emails from a known sender through a recognized communication method.
  • Secure VoIP servers and search for proof of existing compromise.
  • Block dangerous domains and other indicators associated with campaigns.
  • Consider switching your organization’s MFA setting to require a one-time password. 

In order to protect against social engineering attacks, the HC3 has advised organizations to:

  • Implement backups with best practices.
  • Implement a structured program for regular software updates. 
  • Require proper credential tracking.
  • Train staff to confirm the validity of all requests.
  • Hold all departments and members of staff accountable for security.
  • Hire a cybersecurity consultant.