Feds warn about social engineering in cyberattacks on physicians’ practices

HHS agency warns “vishing,” combining scam emails and phone calls, is on the rise.

Phony phone calls paired with bogus emails are part of “vishing” scams that are a rising threat to the cybersecurity of physicians’ practices.

Voice phishing, or vishing, is the method “of eliciting information or attempting to influence action via the telephone,” according to the latest analyst note by the Health Sector Cybersecurity Coordination Center (HC3) within the U.S. Department of Health and Human Services (HHS). This month, HC3 also published “The Impact of Social Engineering on Healthcare,” a threat brief that describes how scammers manipulate human psychology for their own gain.

“A social engineer can manipulate staff members into giving access to their computers, routers or Wi-Fi,” to steal protected health information or personally identifiable information, or to install malware, the threat brief said.

A growing problem

When used as part of a cyberattack, social engineering is problematic in health care because people are naturally trusting, have a desire to help, and want to look intelligent. Workers do not want to get in trouble, but some do take shortcuts, the threat brief said.

In large health care organizations, staff members do not always know all their coworkers.

Analysts have said patient data is valuable for bad actors, and health care systems must pay hefty prices to free data and restore computer systems after attacks. In 2021 and 2022, health care had the largest average cost of a data breach ($10.1 million in 2022) among the public, energy, technology, pharmaceuticals, and financial sectors, according to HC3.

Phishing and vishing

With phishing, an attacker sends a fraudulent message designed to trick people into revealing sensitive information, or to deploy malicious software such as ransomware into the victim’s computer infrastructure. It was the most common threat to health care organizations, accounting for 45% of security incidents, followed by ransomware at 17%, said the threat brief, citing a health information cybersecurity survey.

In the last year, vishing cyber attacks have increased in all sectors and as a social engineering technique, it has been…