Security

3 Tips for Healthcare Organizations to Guard Against Vishing and Smishing

Providers need to be vigilant about protecting themselves and patients against different forms of phishing.

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame.

While clinicians, staff members and patients have been conditioned to be skeptical of unusual messages that land in email inboxes, suspicious calls and texts present another vulnerability.

People often avoid unknown numbers trying to contact them, but it only takes one unwitting victim to undermine the security of an entire organization. Health systems now find themselves on the receiving end of these phone attacks, which are similar to phishing.

Vishing, or voice phishing, involves the use of fraudulent phone numbers, voice-altering software and social engineering tactics to trick a person into divulging sensitive information over a phone call. Smishing leverages SMS to deceive and manipulate victims using text messages. Both tactics have gained traction in recent years, posing a significant challenge to the security and privacy of healthcare providers and their patients.

The Health Sector Cybersecurity Coordination Center, a program of the Department of Health and Human Services, sent an alert last year that detailed an increase in vishing attacks across all sectors, and warned health systems to watch for attacks that impersonate their organizations and target providers and patients. A notable example occurred in 2020 when a large health system warned patients about fake calls that appeared to originate from the provider’s phone numbers.

Here are three ways healthcare organizations can protect themselves and their communities against vishing and smishing:

Click the banner below to explore zero trust and its benefits for healthcare.

1. Educate Healthcare Staff to Recognize Vishing and Smishing

Knowledge is the cybersecurity team’s most important tool when it’s used to empower healthcare staff with the skills to recognize and respond to vishing and smishing attempts. Regular training sessions should educate employees about common tactics attackers use, such as social engineering techniques and voice-altering technologies. Emphasize the importance of verifying caller identities, refraining from sharing sensitive information over the phone or via text, and promptly reporting suspicious communications. Cultivate a culture of vigilance and ongoing awareness among all staff members.

2. Communicate Vishing and Smishing Risks to Patients

In addition to training staff, providers should also educate patients about the risks of vishing and smishing. Develop materials that clearly outline the dangers and warning signs of these attacks, and encourage patients to exercise caution when receiving unsolicited calls or texts requesting personal or financial information. Make it clear to them that legitimate healthcare providers will never ask for sensitive data over the phone or through texts. Provide patients with appropriate channels to report any suspicious communications that they receive.

3. Improve Cybersecurity Controls to Mitigate Vishing and Smishing

Enhanced cybersecurity controls are critical for mitigating vishing and smishing risks. Implement robust multifactor authentication to strengthen access controls for sensitive systems and data. Regularly update and patch software and systems to address vulnerabilities that attackers may exploit. Deploy email and web-filtering solutions to detect and block phishing attempts, including malicious links and attachments. Consider adopting voice recognition or caller authentication technologies to verify the legitimacy of incoming calls.

UP NEXT: Learn how to avoid becoming the bait of a phishing email.

Beth Goody/Theispot