3 Ways Threat Actors Infect the Healthcare Sector

May 18, 2023

Omri Rosenzweig

Cyber Threat Intelligence Analyst, DRP


In recent years, the healthcare sector has been a prime target for threat actors. Healthcare organizations safeguard troves of sensitive data, including patient medical records, personally identifiable information (PII), payment cards, and much more. Security teams in healthcare are often left without the resources needed to form a substantial defense against cyber attacks targeting their organizations. As a result, organizations in the industry have fallen victim to ransomware, phishing, and social engineering attacks, as well as large-scale data breaches.

BlueVoyant monitors cyber threat trends relevant to the healthcare sector. Our cyber threat analysts have identified these three attack vectors as the most common and most effective avenues for attackers carrying out successful attacks.

1. Web Impersonation

Phishing attacks utilizing spoofed domains are a common tactic threat actors use to steal login credentials across many industries, and healthcare is no different. Successful phishing attacks provide threat actors with the information needed to log in to a legitimate account and perform illegal activities, such as data extraction, payment card fraud, and identity theft.

Compromised employee accounts can give threat actors access to sensitive and confidential documents, databases, and servers within the company's private network. Phishing websites targeting patients usually ask for the high-value information that real healthcare websites commonly use for identification, such as full names, mobile numbers, email addresses, social security numbers, and payment card details.

The below screenshots were taken from recently detected active phishing websites targeting different healthcare providers and medical institutions in the United States. To appear more legitimate, these websites use typo-squatted domain names resembling the official domain, as well as logos, graphics, and text taken straight from the impersonated website. Unsuspecting users could easily mistake these websites for the official ones and, without any suspicion, voluntarily hand their sensitive private information to the threat actors behind the page.

2. Social Media Impersonation

Social media is an increasingly important medium for organizations, offering them additional opportunities to connect with their clients. Accordingly, cybersecurity threats are constantly increasing on these platforms, as adversaries conduct malicious activities targeting brands and users. Fraudulent social media accounts can spread malicious links and post misinformation to damage brand reputation, send private messages to employees and online users, use advanced social engineering techniques to obtain credentials and private information, convince the victim to download malicious files, and more.

The below screenshots present pages recently detected on Twitter, Facebook, and Instagram impersonating medical institutions. These pages, although seemingly inactive, could become active at any moment and reach out to unsuspecting patients while posing as a legitimate and trusted entity. Less tech-savvy users are especially susceptible to this kind of fraud and are more likely to comply with malicious requests that may be sent from these pages.


3. Fraud Campaigns

The healthcare sector is heavily targeted by threat actors on the deep and dark web, with attacks, breaches, and leaks occurring on a weekly basis. BlueVoyant's automatic harvesting systems constantly monitor thousands of deep and dark web underground communities, scanning for references to fraudulent activities aimed at our customers and to fraud campaigns involving stolen customer data.

As part of our ongoing monitoring of the deep and dark web, we recently identified a post shared by a threat actor on a popular dark web underground forum, offering to sell data from the auditing system of a large healthcare firm, which they obtained using their credentials as tech support within the company. The threat actor shared specific details about the compromised system, claimed to have access to other medical firms, and offered to sell the data for 1 Bitcoin - the equivalent of $30,000 US at the time of writing.

Mitigation Recommendations

Digital threats targeting the healthcare sector are on the rise and are constantly evolving. To mitigate potential dangers your brand is facing or may face in the future, we recommend following these precautionary steps:

  • Elevate security awareness of patients and employees regarding the dangers of phishing and social engineering.

  • Consider implementing a patient education strategy, via official social media accounts, that informs them of existing threats and provides security guidelines.

  • Clarify the official communication channels associated with your brand on social media, and establish what information will and will never be requested through them.

  • Deploy and manage an abuse mailbox, encouraging employees and patients to report any suspicious email they receive.

  • Employ a least-privilege policy by restricting employee access to the bare minimum data and systems required for fulfilling their duties.

  • Proactively monitor for threats targeting your brand, such as phishing websites, social media impersonation, fraud campaigns, and leaks on the deep and dark web.

  • Respond quickly to brand impersonation cases and act to take down malicious domains, social media accounts, and other malicious web pages.
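The typo-squatted domains described under Web Impersonation are what the proactive-monitoring recommendation above is meant to catch. As an added example (not BlueVoyant's code or tooling), the script below generates the common squatting variants of a brand domain and flags any observed domain, such as one from a newly-registered-domain feed, whose registered name matches a variant; the brand domain and the observed list are constructed samples.

```python
# Added example, not BlueVoyant's code: build common typo-squat variants of a brand
# domain and flag observed domains (e.g. from a newly-registered-domain feed) that
# match one. BRAND and OBSERVED below are constructed samples, not real data.
BRAND = "examplehealth.com"
OBSERVED = [
    "examplehealth.com",         # the legitimate domain itself
    "login.examplehealth.com",   # legitimate subdomain
    "exarnplehealth.com",        # 'rn' stands in for 'm'
    "ExampleHealth-Login.COM",   # keyword appended, mixed case
    "portal.exmaplehealth.com",  # transposed letters under a subdomain
    "unrelatedclinic.org",       # unrelated, must not be flagged
    "examplehealth.co",          # alternative TLD
]
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"], "e": ["3"], "a": ["4"]}

def typosquat_candidates(domain: str) -> set[str]:
    """Return look-alike domains built from common squatting patterns."""
    name, _, tld = domain.rpartition(".")
    out: set[str] = set()
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")                # omission
        out.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")   # repetition
        for sub in HOMOGLYPHS.get(name[i], []):
            out.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")        # homoglyph
    for i in range(1, len(name)):
        out.add(f"{name[:i]}-{name[i:]}.{tld}")                   # hyphenation
        out.add(f"{name[:i - 1]}{name[i]}{name[i - 1]}{name[i + 1:]}.{tld}")  # transposition
    for kw in ("login", "portal", "secure", "patient"):             # keyword insertion
        out.add(f"{name}-{kw}.{tld}")
        out.add(f"{kw}-{name}.{tld}")
    for alt in ("net", "org", "co", "info", "health"):             # alternative TLDs
        out.add(f"{name}.{alt}")
    out.discard(domain)  # never flag the brand's own domain
    return out

def flag_lookalikes(brand: str, observed: list[str]) -> list[str]:
    """Return observed domains whose registered name (or a parent) is a candidate."""
    candidates = typosquat_candidates(brand)
    hits = []
    for raw in observed:
        dom = raw.lower().rstrip(".")
        labels = dom.split(".")
        # test the full name and each parent down to the registered domain
        if any(".".join(labels[k:]) in candidates for k in range(len(labels) - 1)):
            hits.append(dom)
    return hits

def scan_sample() -> list[str]:
    return flag_lookalikes(BRAND, OBSERVED)
```

Legitimate subdomains of the brand are never flagged because the brand's own registered domain is removed from the candidate set; in practice the candidate set would be fed from the brand's full domain inventory rather than a single name.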
