Social engineering has become a larger threat to the healthcare industry in recent years. So much so that the Federal Bureau of Investigation (FBI) has taken note. In a 2022 report they state that they have “received multiple reports of cyber criminals increasingly targeting healthcare payment processors to redirect victim payments.” In one case, $3.1 million was redirected from victims’ payments. Clearly, we need to take notice of how social engineering attacks are targeting our vital healthcare systems. So, what exactly is social engineering? How does it affect healthcare? Why should we be concerned? Let’s dive into each of these questions in today’s newsletter.

What is Social Engineering?

We define social engineering as “Any act that influences a person to take an action that may or may not be in their best interest.” Like many things, social engineering is something that can be used for good or bad. Unfortunately, we see many malicious actors taking advantage of social engineering techniques via SMiShing, Phishing, Vishing, and Impersonation attacks. According to Carahsoft’s 2021 HIMSS Healthcare Cybersecurity Survey, phishing attacks were the most common threat to healthcare systems, accounting for 45% of security incidents.

Why is the Healthcare Industry at Risk?

As we saw at the start of this article, the payoff for malicious attackers is potentially huge. A successful attacker gains access to a plethora of personal information, including (but not limited to) credit card information and Social Security numbers. This is one of the reasons the healthcare industry is at such high risk of social engineering attacks. According to the Office of Information Security, the following five reasons explain why healthcare workers are at risk:

People are naturally trusting
People have a desire to help
Some people take shortcuts
People do not want to get in trouble
People want to look intelligent

Interestingly, some of those reasons are admirable traits. Malicious attackers are not above leveraging these traits to their advantage. This is especially true during times of crisis, such as the COVID-19 pandemic. Reports say there was a 6000% increase in phishing attacks during this time, with healthcare establishments often being the target.

How Can the Healthcare Industry Become More Secure?

There are many things the healthcare industry can do to become more secure. Enabling and enforcing multifactor authentication on all logins and deploying anti-virus and anti-malware services are good places to start. However, arguably the most important step healthcare facilities can take is to ensure that their employees are properly trained. The FBI recommends that these businesses “implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts.”

Engaging social engineering training is a must. Running simulated social engineering tests is the best way to get your employees used to the various tactics that malicious social engineers may use. It is important to keep this training positive and ethical. For example, when we train people in phishing at Social-Engineer, we will usually test the employee first. If they click a link, we let them know it was a phishing test. We then point out where the signs of phishing were and how to properly report suspected phishing emails in their organization. Testing in this way is vitally important: you want your employees to feel secure reporting any potential threats to your company. With our healthcare systems increasingly under attack, we need to work together to increase security measures.

For a detailed list of our services and how we can work with you to achieve your cybersecurity goals please visit:

Written by Shelby Dacko
