COMMENTARY: There’s no denying that we need a strong and secure healthcare sector in the United States — the industry saves countless lives, creates millions of jobs, and has become a leading contributor to economic growth. And because of this, it’s also one of the most popular targets for sophisticated social engineering email attacks.
While security leaders have made considerable efforts to strengthen their defenses and educate employees on best practices, email attacks on healthcare organizations have continued to climb. With a new crop of highly targeted and hard-to-detect email attacks making the rounds, it will take more than legacy solutions and employee awareness to protect healthcare systems.
Why attackers target healthcare
Disrupting healthcare’s essential services can have disastrous consequences, and cybercriminals know desperate organizations will pay a hefty ransom to halt an active attack. But that’s not the only reason hackers zero-in on healthcare.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Another big driver: the tremendous amount of sensitive information housed by healthcare institutions. These vast collections of patient data, financial details, and medical records are a veritable treasure trove for cybercriminals. According to one cybersecurity researcher, medical data can be sold on the dark web for up to 20 times more than credit card numbers — making it a highly lucrative steal.
Second, although healthcare organizations are highly regulated, those regulations don’t always translate into stronger security efforts. In fact, compliance requirements can sometimes cause healthcare organizations to keep using outdated security systems and procedures, inadvertently making them more vulnerable to sophisticated attacks.
And that’s not accounting for the fact that healthcare’s relatively high turnover rates and complex supply chains also work in cybercriminals’ favor. Because newer employees may not know service providers or coworkers well, it’s easier to imitate these contacts through social engineering schemes. On the flip side, threat actors bank on longer-term employees feeling overly comfortable in their relationships with vendors or colleagues and more willing to take actions they usually avoid — like sharing sensitive data via email.
The leading threat facing healthcare today
As with most industries, security leaders in healthcare have increasingly invested in workforce security awareness and education over the past several years, helping strengthen the staff’s ability to spot and report potential threats. Unfortunately, cybercriminals are a step ahead. While users should always be wary of misspellings, poor grammar, and too-good-to-be-true offers from senders, new advanced email attacks are much harder to spot.
Thanks to a proliferation of generative AI tools like ChatGPT, threat actors can quickly generate polished and professional emails that effectively mimic a target’s trusted contacts — like a peer, manager, or vendor. So it’s no surprise that healthcare vendor email compromise (VEC) and business email compromise (BEC) attacks have risen over the past year, with VEC attacks increasing by 60% between since August 2023.
As with all social engineering attacks, both BEC and VEC involve impersonating a trusted party. In a BEC attack, cybercriminals pose as colleagues, supervisors, or high-ranking executives, while in a VEC attack, a cybercriminal typically impersonates a supplier, distributor, or service provider. Armed with meticulous research on their targets and the individual they’re impersonating, threat actors exploit these relationships, deceiving well-meaning employees into processing a fraudulent invoice, sharing sensitive information, or inadvertently providing their access credentials.
And because attackers can increasingly gain access to a vendor’s email account and take over an existing thread, their targets have no reason to suspect malicious intent. This method also makes it easy to bypass traditional email security tools, which rely on common signals like spoofed domains or suspicious attachments to block threats. Because of the inability of legacy tools to detect attacks sent from compromised accounts, these seemingly innocuous, text-only emails often slip through with ease.
How healthcare organizations can mitigate email attacks
Cybercriminals know that healthcare institutions rely on email to facilitate communication among healthcare teams, with vendors, and between patients and providers. With help from generative AI, they’re exploiting healthcare workers’ dependence on this channel and waging hundreds of highly strategic social engineering attacks on each organization every single month.
With no malicious content to trigger legacy security tools and no telltale signs to pique the suspicion of employees, traditional methods of defense are no longer enough to protect the healthcare industry from advanced email attacks. Fortunately, by staying knowledgeable about new tactics and layering in more advanced AI-powered threat detection, security leaders can help neutralize threats before they even have a chance to reach user inboxes.
With 2025 right around the corner, BEC and VEC attacks are guaranteed to continue and will likely become even more challenging to identify in the new year as threat actors refine their approach. By taking the necessary steps to prepare, healthcare organizations can reduce the risk of becoming next year’s statistic.
Mike Britton, chief information security officer, Abnormal Security
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.