By Gina Shaw
The Department of Health and Human Services is warning of the dangers of so-called “smishing” attacks, one of the latest ways that cyber intruders are getting into the information technology (IT) networks of hospitals and health systems. Fortunately, experts said, there are proactive steps that health systems can take to prepare employees and patients for these threats.
In a report released Aug. 10, HHS explained that smishing is a form of phishing (the by-now familiar practice of sending fraudulent emails in an attempt to steal personal information). In this case, the attacker “uses a compelling text message to trick targeted recipients into clicking a link, which sends the attacker private information or downloads malicious programs to a smartphone,” the report said. (The term comes from combining SMS [Short Message Service], which refers generally to text messaging, with “phishing.”)
If you’ve ever received a text message telling you that a UPS package could not be delivered, or warning you that you’re in trouble with the IRS, and urgently requesting that you click the link embedded in the message, then you’ve been a target of attempted smishing. And if you think you’ve seen more of these messages lately, you’re not alone.
“There has been a significant rise in these kinds of messages,” said Ian McShane, the vice president of strategy for the cybersecurity firm Arctic Wolf. “They are preying on the same typical social engineering tactics that are used in email phishing: a sense of urgency or of missing out on something important, influencing the person to click on that link without thinking about it.
“It used to be hard to spoof SMS messages or phone numbers, so that texts and calls were more clearly valid ways of making contact with people,” he continued. “But now, consumers are even being duped by criminals who’ve been able to spoof the phone number of their bank and asked them to provide them with their bank card number.”
These attacks are increasingly costly. A 2023 IBM report estimated that the cost of a data breach in healthcare increased from $10.10 million in 2022 to $10.93 million in 2023, the HHS document noted. “With an 8.2 percent increase, the health sector reported the highest costs for the 13th consecutive year,” the report stated.
Erich Kron, a security awareness advocate at KnowBe4, which offers cybersecurity awareness training, and the former security manager for the U.S. Army’s 2nd Regional Cyber Center (Western Hemisphere), worries that artificial intelligence will become increasingly able to parse information obtained through data breaches and develop even more realistic smishing attacks. “Imagine that one of your patients gets a text message saying, ‘This is X Hospital pharmacy, and there is a problem with the prescription for this specific drug you filled two months ago. Please click on this link to fix it,’” he said. “If these criminals can incorporate information that we think is private into smishing messages, they’re going to be really effective.”
How can you recognize a smishing text message? Instead of trying to figure out whether a text asking you to click on a link is legitimate or not, take no chances, Mr. McShane advised: “Never click on a link embedded in a text. If the text says it’s from UPS with information about a package, call UPS and ask about it. If they claim to be your bank, call your bank.” And never use the phone numbers provided by the text message, he added. “Look up the number for UPS or your bank and call that number.”
A related cybersecurity threat, also part of the HHS warning, is attacks on multifactor authentication (MFA). Instead of just a username and password, MFA requires a combination of at least two factors to verify your identity: something you know, such as a password; something you have, such as a phone that can receive a login code; and/or something you are, such as a facial scan or fingerprint. It’s a valuable method of protection, but malicious actors have found ways to use it for their own purposes.
“MFA notification fatigue” attacks involve “a threat actor bombarding an account owner incessantly with MFA push notifications until the target slips up, or is simply worn down psychologically from numerous notifications and approves the login request,” the HHS report explained. “Once an MFA request is approved, the cyber threat actor will be able to gain unauthorized entry to the user’s account and use this access to their advantage.”
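The pattern the HHS report describes, a burst of push prompts that are denied or ignored and then finally approved, is visible in an identity provider's authentication logs. The following is an added example, not code from the article, HHS, or any vendor quoted here: it parses constructed sample log lines (the format, user names and timestamps are invented for illustration), flags any approval preceded by a run of prompts inside a short window, and shows the matching mitigation of refusing to send yet another push once a user has already received several in that window. The log format, the 10-minute window and the threshold of three prompts are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (invented users and times, not real data).
# "jdoe" shows the fatigue pattern: repeated denials/timeouts, then an approval.
# "asmith" shows normal use: isolated prompts, each approved.
SAMPLE_LOG = """\
2023-08-10T02:11:03Z user=jdoe event=push_sent result=pending
2023-08-10T02:11:40Z user=jdoe event=push_sent result=denied
2023-08-10T02:12:15Z user=jdoe event=push_sent result=denied
2023-08-10T02:12:50Z user=jdoe event=push_sent result=timeout
2023-08-10T02:13:22Z user=jdoe event=push_sent result=denied
2023-08-10T02:14:01Z user=jdoe event=push_sent result=approved
2023-08-10T09:30:00Z user=asmith event=push_sent result=approved
2023-08-10T14:05:10Z user=asmith event=push_sent result=approved
"""

# Assumed line format: ISO timestamp, user, event, result (key=value pairs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push_sent result=(?P<result>\S+)$"
)

REJECTED = {"denied", "timeout"}


def parse_log(text):
    """Group push events per user as sorted (timestamp, result) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not push events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["user"]].append((ts, m["result"]))
    for user in events:
        events[user].sort()
    return dict(events)


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Detection: report each user whose approval was preceded by at least
    `threshold` other prompts inside `window`. Returns user -> finding."""
    findings = {}
    for user, evs in events.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            start = ts - window
            prior = [r for (t, r) in evs[:i] if t >= start]
            if len(prior) >= threshold:
                findings[user] = {
                    "approved_at": ts,
                    "prompts_in_window": len(prior) + 1,
                    "rejected_before_approval": sum(r in REJECTED for r in prior),
                }
                break  # one finding per user is enough for triage
    return findings


def allow_new_push(user_events, now, window=timedelta(minutes=10), max_prompts=3):
    """Mitigation: refuse to send another push when the user has already
    received `max_prompts` within `window`, so a bombardment cannot continue."""
    recent = [t for (t, _) in user_events if now - window <= t <= now]
    return len(recent) < max_prompts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for user, finding in find_push_fatigue(parsed).items():
        print(f"possible MFA fatigue for {user}: {finding}")
    print("allow push for jdoe at 02:13?",
          allow_new_push(parsed["jdoe"], datetime(2023, 8, 10, 2, 13, 0)))
```

In practice the detection would run over the identity provider's exported sign-in events and the rate limit would live in the push-sending path; number matching on the prompt, which the report does not discuss, is a further control that removes the "just tap approve" option altogether.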
Be Proactive
What can hospitals and health systems do to help their employees and patients be more wary of these cyber threats? First, said Mr. McShane, “make it clear that they will not be asked to click on links in a text to do business-related tasks.” This will put employees in a better position to identify suspicious messages.
“How we communicate in these media is very important—both what is included and what is not,” Mr. Kron agreed. “Instead of sending a text asking patients or employees to click on a link, better messaging would be to ask them to go to their computer and log into their secure intranet account, or use their pharmacy portal app.” When health systems start sending out messages that don’t adhere to best cybersecurity practices, he said, “we are training people to fall for those bad habits more often.”
Next, build collaboration in the face of cyber threats. “Make sure your employees know that they should tell the security or IT department when they see something suspicious in an email or a text, rather than just ignoring and deleting it,” he said.
Finally, take a holistic approach to cybersecurity. “Organizations are focused on the business risk, the threat to their bottom line, but there would be a lot more engagement and understanding if there were a holistic view of what cybersecurity means to the individual,” Mr. Kron said.
“Help them understand why it’s better to use unique credentials and password managers for the things they use in their own lives. That increased security posture will benefit your business as well. What affects humans at home affects humans at work, too.”
Mr. McShane said an increasing number of organizations are providing employees with access to a verified, paid password management solution that they can use at home as well as at work. “When they get used to taking those protective steps with their personal electronic interactions, it translates well into improving your business security.”
The sources reported no relevant financial disclosures.