By Gina Shaw

As cyberattacks on U.S. hospitals and health systems proliferate, a technique called “smishing” has become an increasingly popular tool for hackers trying to sneak around information technology (IT) protections.

Smishing is a variant of phishing (the by now familiar practice of sending fraudulent emails to steal personal information). In this case, the attacker “uses a compelling text message to trick targeted recipients into clicking a link, which sends the attacker private information or downloads malicious programs to a smartphone,” the Department of Health and Human Services (HHS) explained in an August 2023 report.[1] (The term comes from combining SMS, which refers generally to text messaging, with “phishing.”)

If you have ever received a text message insisting that a UPS package could not be delivered, or warning you that you’re in trouble with the IRS and urgently requesting that you click the embedded link, then you’ve been a target of attempted smishing. And if you think you’ve seen more of these messages lately, you’re not alone.

“There has been a significant rise in these kinds of messages,” said Ian McShane, the vice president of strategy for the cybersecurity firm Arctic Wolf. “They are preying on the same typical social engineering tactics that are used in email phishing: a sense of urgency or of missing out on something important, influencing the person to click on that link without thinking about it.” In the past, the difficulty of spoofing SMS messages and phone numbers meant that texts and calls were more clearly valid ways of contacting people, he continued. “But now, consumers are even being duped by criminals who’ve been able to spoof the phone number of their bank and asked them to provide them with their bank card number.”

Smishing is the text equivalent of the well-known “Nigerian prince scam” emails, with the added twist that text tends to be a “more trusted environment” than email, said Anthony Blash, PharmD, an associate professor of healthcare informatics and analytics at Belmont University College of Pharmacy, in Nashville, Tenn. “It’s very easy for someone to spoof text headers, become ‘Beth Israel Medical Center,’ and present them to the patient in that manner,” he said. As a patient, “your trust barriers are down, and you get an alarming message saying that there’s a problem with your billing, or your test results have come back and it’s something disturbing, so ‘click here to access your portal.’ Even when you click through, there may be a deceptively similar mirrored version of the hospital system’s portal.”

Healthcare a ‘Target-Rich’ Environment

Smishing and other such attacks are increasingly costly. IBM’s 2023 Cost of a Data Breach Report found that the average financial toll of a data breach in healthcare rose from $10.10 million in 2022 to $10.93 million in 2023, causing the health sector to report the highest costs for the 13th consecutive year.[2]

Healthcare is a target-rich environment for hackers, according to Dr. Blash. “Put on your hacker hat for a minute. If you’re trying to break into an institution, finance would be an obvious target,” he said. “But the type of security settings you’ll find in a Citibank or Chase are extremely strict, making them harder to access.” Meanwhile, he continued, a healthcare target gives hackers the opportunity to pull a victim’s name, date of birth and Social Security number and use that information for fraud, as well as protected health information that can be turned against the person and used for blackmail. Telehealth and the ability of prescribers to access patient records remotely give hackers a potential route into the healthcare system, which generally has poorer security protocols than the finance industry. “A bank’s main job is to protect money, but a hospital’s main job is to take care of patients,” Dr. Blash said. “A small 25-bed hospital in Walla Walla, Washington, does not have the money to take the security posture that Citibank can.”

A related cybersecurity threat, also part of the HHS warning, is attacks on multi-factor authentication (MFA). Instead of just a username and password, MFA requires a combination of at least two factors to verify your identity—something you know, such as a password; something you have, such as a phone that can receive a login code; and/or something from your body that can be verified, such as a facial scan or fingerprint. It’s a valuable method of cyber protection, but malicious actors have found ways to use it for their own purposes. “Once an MFA request is approved, the cyberthreat actor will be able to gain unauthorized entry to the user’s account and use this access to their advantage.”

Foil Smishing Expeditions

What can hospitals and health systems do to help their employees and patients be more wary of these cyberthreats?

Teach them to say no to links. “Make it clear that they will not be asked to click on links in a text to do business-related tasks,” Mr. McShane said. This puts would-be targets in a better position to identify when a text is suspicious. Patients and employees should also be regularly warned that they will never be asked to give out their account passwords and personal or financial information via text or telephone by anyone representing the health system.

Build a reporting culture. Guide employees and patients to report smishing attempts and other suspicious messages that they receive, instead of just deleting them. “We train our end users to be fastidious about reporting these messages when they see them,” said David Aguero, PharmD, the director of medication systems and informatics at St. Jude Children’s Research Hospital, in Memphis, Tenn. “The faster we can get our IT team onto a new attempt at a breach, the faster they can respond.”
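The two steps above (no business links by text, and a reporting channel for suspicious messages) can feed a simple triage routine on the receiving end. The following is an added example, not code from the article or from any organization quoted in it. It assumes the health system maintains an allowlist of its own legitimate domains (`TRUSTED_DOMAINS`, a constructed placeholder) and that reported texts arrive as sender id plus body; the sample messages are constructed. It scores each report on the indicators the article describes: an embedded link, a look-alike of the hospital’s domain, urgency language, requests for credentials or financial data, and an easily spoofed alphanumeric sender name.

```python
"""Triage of employee/patient-reported text messages for smishing indicators.

Added example (not from the article or any vendor quoted in it). Assumes the
health system keeps an allowlist of its own legitimate domains; the domains,
sender ids and messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist: the hospital's legitimate web and portal domains.
TRUSTED_DOMAINS = {"examplehealth.org", "portal.examplehealth.org"}

# Brand words an impersonator would embed in a look-alike host name.
BRAND_TOKENS = ("examplehealth", "portal")

URGENCY_TERMS = ("urgent", "immediately", "suspended", "verify", "final notice",
                 "within 24 hours", "action required")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Report:
    sender: str   # sender id as shown on the phone (may be spoofed)
    body: str


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3


def extract_hosts(text: str) -> list[str]:
    """Return the lower-cased host of every URL found in the message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_brand(host: str) -> bool:
    """Untrusted host that embeds the brand name, e.g. examplehealth-portal.com."""
    return not is_trusted(host) and any(t in host for t in BRAND_TOKENS)


def triage(report: Report) -> Verdict:
    v = Verdict(score=0)
    body = report.body.lower()
    hosts = extract_hosts(report.body)
    # Policy from the article: staff and patients are never sent business links by text.
    if hosts:
        v.score += 2
        v.reasons.append("contains a link")
    for h in hosts:
        if looks_like_brand(h):
            v.score += 3
            v.reasons.append(f"look-alike domain: {h}")
        elif not is_trusted(h):
            v.score += 1
            v.reasons.append(f"untrusted domain: {h}")
    hits = [t for t in URGENCY_TERMS if t in body]
    if hits:
        v.score += len(hits)
        v.reasons.append("urgency language: " + ", ".join(hits))
    # Requests for credentials or financial data by text are never legitimate.
    if re.search(r"\b(password|ssn|social security|card number|pin)\b", body):
        v.score += 3
        v.reasons.append("asks for credentials or financial data")
    # Alphanumeric sender names are trivially spoofed; treat them as a weak signal.
    if not report.sender.replace("+", "").isdigit():
        v.score += 1
        v.reasons.append("alphanumeric sender id")
    return v


SAMPLE_REPORTS = [  # constructed examples
    Report("ExampleHealth", "URGENT: your test results are ready. Verify your account "
                            "within 24 hours at http://examplehealth-portal.com/login"),
    Report("+15555550100", "Reminder: your appointment is tomorrow at 9:00 AM. "
                           "Reply C to confirm."),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        v = triage(r)
        print(f"{'SUSPICIOUS' if v.suspicious else 'benign':10s} score={v.score} {v.reasons}")
```

The scoring is deliberately simple: a single link already pushes a message close to the threshold, because the article’s recommended policy is that no legitimate business task is ever done through a texted link, and a look-alike domain or a request for a password or card number is enough on its own. The benign appointment reminder scores zero, which is the behavior a triage queue needs so that analysts are not buried in false positives from legitimate reminders.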

Health systems should remain vigilant, expecting that hackers’ techniques and persistence will continue to test their protections. “In terms of what is needed to exploit a vulnerability,” Dr. Aguero said, “strategies for cyberattacks continue to evolve in ways that surprise me.”

References

  1. Multi-Factor Authentication & Smishing. August 10, 2023. Accessed July 16, 2024. bit.ly/3LrdJgA
  2. Cost of a Data Breach Report 2023. Accessed July 16, 2024. ibm.co/4cIhgmC

This article is from the September 2024 print issue.