Healthcare providers handle large amounts of protected health information (PHI), yet they often lack the resources for advanced defenses. On top of that, they need continuous access to their systems to provide proper care for patients, so downtime is not an option. Threat actors are aware of this, and the combination makes the healthcare sector a highly attractive target for cybercriminals.
According to Verizon's breach reporting, healthcare is among the industries most targeted by attackers because of the wealth of personal data it holds, and according to IBM's annual Cost of a Data Breach report, healthcare breaches have remained the costliest of any industry for 12 consecutive years.
Social engineering attacks in the healthcare industry can have devastating consequences both for patients and for the organizations that provide their care. One recent example is the Roy/Zeon threat group, which has been targeting healthcare organizations in the United States and Europe.
The Zeon group attack: What happened?
The Zeon group poses as a software vendor and targets the healthcare sector by exploiting the trust of the healthcare workforce and capitalizing on unpatched security vulnerabilities. Zeon launched targeted attacks around October 19 last year; as early as September 26 of that year, an alert had already warned that the group was impersonating a Health-ISAC member and using fake invoices to steer unsuspecting users to a fraudulent call center under its control.
The group, which emerged after the dissolution of Conti, uses a callback-phishing tactic known as "BazarCall": victims receive an email about a fake subscription or pending charge with a phone number to call, and the operator who answers talks them into installing software that gives the attackers a foothold and lets them steal data. The group then moves through the network using legitimate remote access tools and exploits Microsoft Exchange vulnerabilities to gain further unauthorized access.
Another tactic used by the Zeon group is conventional spear-phishing, in which specific individuals or organizations are targeted with highly personalized and convincing emails. For example, a doctor or nurse may receive an email that appears to come from a colleague or supervisor, asking for sensitive information or for access to a particular system.
The Zeon group is creative in its tactics, varying the keywords in its lures to evade email filters, and it targets the healthcare sector specifically by using the names of well-known healthcare and insurance companies as cover.
Once the Zeon group has gained access to a healthcare organization's network, it can steal sensitive patient information such as Social Security numbers, insurance details, and medical records. It may also use that access to launch further attacks, such as encrypting the organization's systems with ransomware and demanding payment to restore access.
Other Social Engineering Attacks in the Past
While the Zeon group's campaign has attracted a lot of attention, it is far from the only social engineering attack on healthcare in recent years.
The FBI has warned of a trend of cybercriminals targeting healthcare payment processors and redirecting victim payments. In the reported cases, the criminals used publicly available personally identifiable information (PII) of employees, combined with social engineering, to impersonate those employees and gain access to files, healthcare portals, payment information, and websites. Some of the major incidents are summarized below:
In April 2022, a healthcare company with more than 175 medical providers fell victim to an attack in which an unauthorized individual posing as an employee changed the Automated Clearing House (ACH) instructions for one of the company's payment processing vendors, redirecting payments to an account the attacker controlled. The attacker stole approximately $840,000 before the company discovered the fraud.
In February 2022, another healthcare company suffered a similar attack in which a cyber criminal obtained credentials and changed the direct deposit banking information for a hospital, resulting in a loss of $3.1 million. A separate incident that same month saw another attacker steal around $700,000 using the same method.
Between June 2018 and January 2019, a group of cyber criminals targeted at least 65 healthcare payment processors throughout the United States, replacing legitimate customer banking and contact information with accounts controlled by the attackers. One victim reported a loss of approximately $1.5 million. The criminals used a combination of publicly available personal information and phishing schemes to gain access to customer accounts.
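The incidents above share one pattern: an attacker who has taken over or impersonated an employee account changes a payee's banking details, and money flows to the new account before anyone verifies the change out of band. The script below is an added example, not from the article or the FBI notice, of the detection logic a payment-portal operator could run over its own audit log to catch that pattern. The log format (newline-delimited JSON with ts, event, actor, payee, src_ip and verified fields), the 3-day payment hold, the 24-hour password-reset window and the sample events are all constructed assumptions for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical payment portal (not real data).
# One JSON object per line; the field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2022-04-01T09:00:00", "event": "login", "actor": "jdoe", "src_ip": "10.0.0.5"}
{"ts": "2022-04-01T09:10:00", "event": "login", "actor": "msmith", "src_ip": "10.0.0.9"}
{"ts": "2022-04-02T10:00:00", "event": "password_reset", "actor": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2022-04-02T10:05:00", "event": "bank_change", "actor": "jdoe", "payee": "ClinicVendorLLC", "src_ip": "203.0.113.7", "verified": false}
{"ts": "2022-04-03T08:00:00", "event": "payment", "payee": "ClinicVendorLLC", "amount": 84000}
{"ts": "2022-04-10T11:00:00", "event": "bank_change", "actor": "msmith", "payee": "LabSupplyCo", "src_ip": "10.0.0.9", "verified": true}
{"ts": "2022-04-20T11:00:00", "event": "payment", "payee": "LabSupplyCo", "amount": 12000}
"""

HOLD_WINDOW = timedelta(days=3)      # assumed policy: hold payments to a changed account this long
RESET_WINDOW = timedelta(hours=24)   # assumed: a reset this close to a change suggests account takeover


def parse_log(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_risky_changes(events, hold=HOLD_WINDOW, reset_window=RESET_WINDOW):
    """Return one finding per banking-detail change that matches any risk rule.

    Rules: (1) no out-of-band verification recorded, (2) change made from an IP
    never seen on a login by that actor, (3) password reset shortly before the
    change, (4) a payment to the payee inside the hold window after the change.
    """
    login_ips = {}    # actor -> IPs seen on logins before the current event
    last_reset = {}   # actor -> timestamp of the most recent password reset
    findings = []
    for i, e in enumerate(events):
        actor, ip = e.get("actor"), e.get("src_ip")
        if e["event"] == "login" and actor and ip:
            login_ips.setdefault(actor, set()).add(ip)
        elif e["event"] == "password_reset" and actor:
            last_reset[actor] = e["ts"]
        elif e["event"] == "bank_change":
            reasons = []
            if not e.get("verified", False):
                reasons.append("no out-of-band verification of the new account recorded")
            if ip not in login_ips.get(actor, set()):
                reasons.append("change made from an IP never used to log in as this actor")
            if actor in last_reset and e["ts"] - last_reset[actor] <= reset_window:
                hours = int(reset_window.total_seconds() // 3600)
                reasons.append("password reset within %dh before the change" % hours)
            # Only the first payment to this payee after the change matters.
            for later in events[i + 1:]:
                if later["event"] == "payment" and later.get("payee") == e["payee"]:
                    if later["ts"] - e["ts"] < hold:
                        reasons.append("payment of %s sent %s after the change, inside the %d-day hold"
                                       % (later["amount"], later["ts"] - e["ts"], hold.days))
                    break
            if reasons:
                findings.append({"payee": e["payee"], "actor": actor,
                                 "changed_at": e["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_changes(parse_log(SAMPLE_LOG)):
        print("%s changed by %s at %s" % (f["payee"], f["actor"], f["changed_at"]))
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed log, the ClinicVendorLLC change trips all four rules (unverified, from a never-seen IP, five minutes after a password reset, and paid out the next morning), while the LabSupplyCo change, which was verified and paid ten days later from a known IP, produces no finding. In practice rule 1 alone is the control that would have stopped each of the incidents above: a payee banking change should not take effect until someone calls the payee back on a number already on file.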
In 2015, Anthem (previously known as WellPoint) revealed that a phishing email had allowed hackers to access its corporate database, resulting in the theft of nearly 79 million records containing patient and employee information. The stolen data included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. The incident remains the largest data breach in the history of the healthcare industry, and the resulting class-action settlement alone cost Anthem $115 million.
How can HITRUST compliance help?
The HITRUST framework is a comprehensive security and privacy framework designed to protect electronic health information. It helps healthcare organizations prevent data breaches by providing guidance on implementing the appropriate policies and procedures tailored to the organization’s size and activities, and on how to improve them over time.
HITRUST is a single framework that harmonizes multiple regulations and standards, such as HIPAA, HITECH, NIST, ISO, PCI, and COBIT, simplifying compliance efforts and supporting a robust risk management program to safeguard patient privacy and consumer confidentiality. The framework is adaptable, so its security controls can be updated to keep pace with a rapidly changing threat landscape. It also offers alternative controls when needed, and it applies to both HIPAA-covered entities and their business associates.
While educating users and creating awareness remains one of the major steps in combating social engineering attacks, a robust cybersecurity strategy is just as important. Even as the healthcare cybersecurity market is expected to grow, adopting a cybersecurity framework such as HITRUST and maintaining compliance with it is becoming increasingly relevant. Healthcare organizations that seek cyber insurance can also benefit from demonstrating HITRUST compliance.
Contact I.S. Partners to get started with HITRUST certification and compliance.