Healthcare staff cell phones under cyberthreat

Cybercriminals have recently begun hacking hospital and health system IT networks through ‘smishing,’ or phishing through text messages sent to employees’ cell phones, the Department of Health and Human Services (HHS) announced last week.  

The Office of Health Sector Cybersecurity Coordination Center (HC3) now considers smishing one of the top cybersecurity threats to healthcare, alongside data breaches, DDoS attacks, and ransomware and malware attacks. Unlike other common forms of healthcare cyberattacks, smishing goes after data found on personal cell phones.  

Understanding Smishing Attacks

Smishing attacks involve seemingly serious messages that lure users to click on links that contain malware or inadvertently send the attacker private data.  

Like email phishing, but via SMS, the messages often appear legitimate, mimicking legitimate organizations or services, and use emotional triggers or urgent scenarios to pressure recipients into responding quickly. 

Why target healthcare employees’ cell phones? One of the reasons is to break an emerging standard of cybersecurity: multi-factor authentication (MFA).  

Multi-factor authentication is a security process that requires users to provide two or more additional forms of identification or verification before they can access a system, application, or digital account.  

A 2019 Google report found that two-step authentication, that just requires one additional form of identification, can prevent 99% of cyberattacks, but as cybercriminal efforts become increasingly sophisticated, that percentage likely has decreased. 

Often, MFA relies on phone-based authenticators, such as push notifications, SMS text messages, software tokens, and authenticator apps, like Google Authenticator. If a cell phone has been compromised through smishing, then a threat actor will be able to access all of these authentication efforts.  

MFA Fatigue

The HHS highlights a simple tactic to push through cybersecurity barriers: MFA fatigue. MFA fatigue occurs when a cybercriminal bombards the victim with so many identity confirmation alerts that they eventually accept.  

Despite the growing vulnerabilities, the HHS still recommends implementing multi-factor authentication to keep data secure. In order to combat threats to personal and organizational data, the HHS recommends organizations and users to:  

• Be wary of urgent text messages.
• Confirm phone numbers. 
• Avoid responding to unknown numbers. 
• Implement anti-virus or anti-malware software. 
• Use multi-factor authentication. 
• Do not click on any link in a text message. 
• Change phone settings to filter unknown senders. 
• Limit the number of authentication requests.
• Discontinue push notifications as a verification method. 

In the face of ever-adapting cybercriminal tactics, the best form of defense is prevention. While smishing casts a shadow over the healthcare landscape, it is possible to protect personal and organizational data and avoid becoming a victim.