Combating AI-driven social engineering & cyberthreats in healthcare
Cyberthreats in healthcare continue to intensify—not necessarily because attackers have invented new techniques, but because familiar ones have become dramatically more effective. AI is accelerating the speed, realism and scale of phishing, impersonation and other social engineering tactics.

“We’re seeing the continued rise of social engineering as a pathway into a company’s network,” says Philip Ramey, Chief Information Security Officer for HCA Healthcare. “Threat actors leverage the human desire to be helpful and combine that with prior breach data to gain access—sometimes by way of help desks or through phishing compromised business email.”
AI & remote work raise the stakes
Generative AI allows attackers to craft messages that mimic corporate tone, replicate previous internal emails or translate different languages flawlessly, making traditional red flags far less obvious, Ramey shares. We are also seeing criminals use AI to scan for vulnerabilities at high speed, enabling broader and more frequent “visits” to an organization’s digital assets. “The purpose is the same: gain access to a few accounts, move laterally, encrypt systems for ransomware and obtain data for extortion,” he says.
“Stakeholder education is not about ‘calling people out’ but is instead about ‘enhancing workforce resilience.’ We’re reinforcing the many ways a real phish can show up.”
Philip Ramey
Another emerging concern is candidate fraud, fueled by new avenues created through remote work. Attackers and opportunists can impersonate qualified applicants, outsource jobs to unvetted third parties or take on multiple full-time roles across companies. “We’ve seen examples across industries where person A interviews, but person B performs the work,” Ramey says.
Even when the intent isn’t “traditional” hacking, the risks and impact can be significant—unauthorized access, regulatory liability and compromised data handling.
Core elements of a cyberthreat education strategy
- Multichannel simulations (email, voice, text messaging)
- Scenarios that mirror typical internal communications
- Testing internal & external service desks
- Easy reporting pathways for suspicious messages
- Training for all stakeholders—leaders, colleagues, board members
Evolving education to match advancing threats

Attackers often target healthcare workers’ strong sense of mission—a key area for awareness training. “For example, they know HCA Healthcare takes patient care seriously, so they try to tap into that urgency,” says Chad Wasserman, Senior Vice President & Chief Information Officer for HCA Healthcare. “We are educating teams to recognize when emotional or other triggers are being weaponized.”
Gone are the days of suspect emails that contain obvious misspellings and awkward phrasing, Ramey shares. “HCA Healthcare has made it a priority to invest in simulation training that sends team members, stakeholders and colleagues emails that mimic how a corporate leader might write or how a known supplier communicates,” he says.
Wasserman and Ramey suggest that organizations assess their education and training programs on an ongoing basis so they evolve as cybercriminals explore new and advanced tactics. The program at HCA Healthcare has recently expanded beyond email to also include education around voice-based phishing (vishing) and text-based scams (smishing).
Awareness and education need to extend beyond the corporate office and to more than the front-line team. “We ensure our executives and board members also have the training they need, especially if we’re seeing targeted risks,” Wasserman explains. And across the organization, in addition to discussing strengths, “There are candid conversations to identify gaps. Attackers look for weaknesses—being transparent helps us address them,” he adds.
7 Steps to a Strong Cyberthreat Defense
As the time-tested adage suggests, a proactive offense is more effective than reacting once an attack or breach has taken place. HCA Healthcare technology experts Philip Ramey & Chad Wasserman offer the following suggestions for healthcare organizations building & maintaining a strong cyberthreat defense:
- Modernize identity verification. Move away from knowledge‑based authentication that relies on personal data & instead use tools such as secure callbacks, Multi‑Factor Authentication (MFA) or passkeys.
- Expand MFA coverage. Prioritize MFA for privileged accounts, remote access & supplier credentials to limit unauthorized entry points.
- Train & retrain. Provide simulation‑based education that’s ongoing & realistic—covering phishing, vishing & smishing for stakeholders throughout your organization.
- Test & validate internal processes. Conduct tabletop exercises, finance workflow verification drills & help desk simulations to strengthen “pause & verify” behaviors.
- Tighten supplier & outside-party access. Limit permissions, require logins, understand connected dependencies & ensure secure practices across all parties interacting with your systems.
- Prepare for rapid recovery. Maintain secure, immutable backups & test recovery processes regularly to ensure systems can be restored quickly & reliably.
- Regularly engage with peers. Talk to other hospitals & share information. Effectively combating cyberthreats requires all of us working together.
Thinking twice
Attackers rely on urgency to override verification. “If something doesn’t seem right, make sure people know they should validate before acting on it,” Ramey says. “For example, if a C-suite request is unusual, colleagues and leaders need a direct way to confirm it.”
Organizations also need to reconsider using identity verification questions based on personal details. “Oftentimes, attackers already know Social Security numbers, previous addresses, names of siblings and other info they have amassed from data breaches over the years. You need verification processes that don’t rely on information that’s no longer private,” Ramey adds.
Deception takes many forms
Phishing entered the scene around 1995 when AOL email accounts were some of the first to be widely breached. Digital deception has exploded since then, adapting to new services, trends & ways of operating & infiltrating. However, today, the stakes are much higher.
Hackers gain access daily to sensitive data from financial, governmental, healthcare & other institutions. While the list & types of scams are long, here are four that providers need to be aware of…
Source: Cybernut.com
The power of community intelligence
In an industry that is otherwise competitive, when it comes to cybersecurity in healthcare, collaboration is key. “Talk to peer hospitals,” Ramey urges. “Ask what kinds of threats they’re seeing and how they’re responding. We are fortunate that there is a tremendous amount of information sharing in this space.”
Wasserman agrees, stating: “No one is holding back. The goal is a common defense—sharing intelligence, hygiene practices and lessons learned so the entire industry becomes stronger.”
Helpful Resources
- Health‑ISAC | Threat intelligence and community collaboration for healthcare security teams at https://health-isac.org/
- SANS Institute | Free foundational resources and practical security training (Cybersecurity Degree and Certificate Programs, SANS Technology Institute)
- Reputable technology media | Outlets such as The Verge and Ars Technica highlight evolving threats and vulnerabilities
- https://www.sans.org/newsletters/at-risk
- https://www.bleepingcomputer.com/
- https://www.darkreading.com/
- https://www.centerforcybersecuritypolicy.org/