Business Email Compromise in Healthcare Setup

by Sachin Khanna, in Business

The healthcare sector gathers and stores highly sensitive patient treatment plans and billing data. There is also a lot of money in this industry, making it the perfect target for cyberattacks. The last decade or so has not been very good for the sector, considering the number of cyberattacks directed towards it and the high success rate of such attacks. Over time, the healthcare sector has developed strict cybersecurity standards to prevent traditional malware, brute force, and other types of direct attacks. To circumvent these defenses against direct attacks, cybercriminals opt for indirect strategies. One of the most effective cyberattacks on healthcare institutions is Business Email Compromise (BEC).

How does a BEC work?

BEC attacks go by several other names, including Employee Account Compromise, Bogus Invoice Scheme, and CEO Fraud. The core element of a BEC attack is social engineering, carried out through meticulous reconnaissance and surgical infiltration. By conducting reconnaissance, cybercriminals identify the weakest links in an organization that can be targeted successfully.

Subsequently, they can engineer an attack designed specifically for that one person. For employees working in the billing department, cybercriminals can impersonate someone in a position of oversight and issue specific instructions. In this case, they can ask the billing department employee to clear a fraudulent invoice.

Those funds will then be deposited directly into the cybercriminal's designated account. A domain name very similar to the company's is used to make the email seem convincing and legitimate. The instructions given to the victim of the social engineering attack depend on the cybercriminals' objectives and the reconnaissance they conducted.

Objectives of phishing in healthcare

The main objective of phishing/BEC attacks in healthcare is getting access to sensitive data, money, or prescription drugs. One BEC attack was foiled when an employee picked out the error. Cybercriminals placed an order while impersonating a healthcare institution, supplying all the pertinent details.

Those details included pharmaceutical certificates, the DEA ID number, and doctor licenses. The order was for prescription drugs worth over $500,000, and everything seemed to check out except for one aspect. Unlike regular orders made to this pharmaceutical company, this particular order had a different delivery address. That raised a red flag, and an employee from the pharmaceutical company called to confirm, only to find out the entire order was fraudulent.

This failed BEC attack shows that the healthcare industry is a prime target due to prescription drugs and money. Healthcare institutions that hire digital marketing agencies should verify each invoice they pay since third-party service providers could also be used in a BEC attack.

Consequences of successful BEC

A successful social engineering attack has significant consequences depending on the cyberattack’s objectives. In the attack detailed above, there were significant consequences that could have ensued. Consider the effects of prescription drugs of that value being sold in an uncontrolled manner. 

Drug dealers dealing in prescription drugs like opioids could have gained easy access to the product. By extension, there might have been more overdoses due to this one social engineering attack. Not to mention the loss that could have been incurred by the hospital. $500,000 would have been paid for a bogus order since the pharmaceutical company would have invoiced the hospital. 

Healthcare officials might also have launched an audit and investigation of the hospital. These efforts, which require a budget, would have stemmed from just one cyberattack. Alternatively, if an employee was impersonated as part of a social engineering attack, their credibility could be under question for some time.

Possible attack angles

Healthcare institutions have multiple attack angles for a social engineering Business Email Compromise. Most healthcare institutions or facilities have a variety of departments interacting with each other. That could be one of the angles used by cybercriminals implementing BEC to gain access to sensitive information. Cybercriminals could directly ask for certain files or request access to a file with sensitive information. 

Unwitting healthcare staff could think it is a colleague asking for access and subsequently give cybercriminals privileged information. Another possible BEC attack angle would be a fraudulent payment request for a bogus goods purchase. There are various attack angles that cybercriminals brainstorm and implement against healthcare institutions.

Each attack is designed around insights gathered from the reconnaissance conducted and the vulnerabilities detected. Being aware of the vulnerabilities healthcare institutions have can shed some light on possible attack angles that could be exploited in a Business Email Compromise.

Healthcare institution vulnerabilities

Large organizations generally have more social engineering vulnerabilities than smaller ones. Smaller organizations have a close-knit staff, and impersonating anyone working in that environment is challenging. On the other hand, large organizations might have people who have never met each other in person. 

Healthcare institutions like hospital chains are more prone to social engineering attacks. It is easier to write an impersonated email to people that do not know each other personally. Also, the number of people in contact with large organizations makes it hard to keep track of communication. 

There are hundreds if not thousands of emails being sent to and from a healthcare institution each day. Those emails are from patients, doctors, suppliers, and third-party service providers. It is much easier for healthcare staff to blindly follow instructions, especially if the email seems to come from someone in a position of power.

Preventing BEC attacks

Training employees on verifying emails by checking the domain name and links before clicking on them goes a long way to prevent BEC attacks. However, the sad truth is that you can’t solely rely on employees in this matter. Responsible healthcare institution executives should touch base with CTOs to ascertain the measures employed to prevent BEC attacks. 

There are highly advanced technologies that use Machine Learning algorithms to weed out BEC attacks. These tools scan all the information in every email coming through to the organization's servers.

Reliable tools check the domain and IP address an email originates from, and also scan any embedded URLs. Additionally, all file attachments are scanned for malware, which makes these BEC prevention tools comprehensive, since they also prevent other types of attacks.
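
The look-alike sender domain described under "How does a BEC work?" and the domain check recommended above can be approximated with a simple rule, shown here as an added example that is not code from the article or from any particular product. The trusted domains and sample messages are constructed placeholders, and the rule (edit distance plus folding of visually similar characters) is an assumed stand-in for what commercial tools do.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: hypothetical allow-list of the organization's and its suppliers' domains.
TRUSTED = {"examplehealth.org", "examplepharma.com"}
# Common visual substitutions, folded to one form before comparing; hyphens dropped.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def skeleton(domain: str) -> str:
    """Fold look-alike characters so 'examp1e' and 'example' compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, domain): 'trusted', 'lookalike' or 'external'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED or domain.endswith(tuple("." + t for t in TRUSTED)):
        return "trusted", domain
    for good in TRUSTED:
        near = edit_distance(domain, good) <= max_distance
        if near or skeleton(domain) == skeleton(good):
            return "lookalike", domain  # hold for out-of-band confirmation
    return "external", domain

# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: Accounts Payable <ap@examplehealth.org>\nSubject: Invoice\n\nBody",
    "From: CFO <cfo@examp1ehealth.org>\nSubject: Urgent invoice\n\nBody",
    "From: Director <dir@exarnplehealth.org>\nSubject: Pay today\n\nBody",
    "From: Orders <orders@example-pharma.com>\nSubject: New address\n\nBody",
    "From: News <news@unrelated-vendor.net>\nSubject: Newsletter\n\nBody",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw))
```

The From header on its own can be forged, so a check like this complements SPF, DKIM and DMARC results rather than replacing them. A "lookalike" verdict is a reason to confirm the request by phone, as the pharmaceutical company's employee did in the case above.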

© 2020 Wheon
