top of page

Is my healthcare organisation vulnerable to a phishing attack?

Nurse uniform graphic
Phishing remains the No1 threat to your organisation

The healthcare sector continues to face an increasing number of cyber threats, any one which can compromise patient data, disrupt critical healthcare services, and cause financial harm to healthcare providers. Whilst the true scale of it remains unclear – due to continued underreporting across all sectors - 2021 stats from a US Cyber company (Herjavec Group) make for stark reading.

• Healthcare provider attacks have more than quadrupled since 2017

• Attacks don’t just steal or encrypt data – they are now targeting internet enabled medical devices (MRI scanners) and interfering with their productivity

• It is highly likely that cyber-attacks have resulted in deaths and serious injury of patients

• 93% of healthcare organisations had suffered a cyber enabled data breach over the past 3 years. Two thirds had had 5 or more.

• Most healthcare providers felt ill-equipped to deal with the threat of cyber-attacks against their organisation

The ways that cybercriminals target organisations are many and varied but phishing attacks often precede any online fraud attack or ransomware incident.

So, what is phishing?

Phishing at its most basic is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

You might have heard of phishing, vishing, smishing, quishing, spear phishing, whaling, but all the names mean is that there are a lot of different ways that a cyber-criminal is going to try and trick you. Criminals use all communication methods, so if a new method comes out, you can be sure a criminal will be there trying to exploit it. And these criminals are experts in getting us to act in the way they want, whether that is clicking a link or downloading an attachment.

How could my company be targeted?

Criminals use information from all over to create phishing messages. Knowing what information about you and your company can be found by a criminal can be extremely useful in understanding what information could be included within a phish.

For example, would you believe an email as genuine if it contained your username and password in it? Did you know that if your details have been released in a data breach, usernames and passwords are just one thing that could be known, along with your IP address, address, telephone number, in fact, any sensitive information you might give to a company?

If your company has published that you have just signed a new company, called XYZConsultancy, as a client, a criminal could use that information to create a fake domain to trick you into communicating with them.

Many criminals target companies that have not implemented e-mail security policies properly and can spoof e-mail domains of organisation not properly protected. Find out whether your e-mail is protected properly, or whether your supplier and customers are by going using this free tool.

Would you click on a link which talked about new ‘New government standards required for the health sector – find out more here!’

If a message contains any of the following, really think before you click:

Urgency “you must do this now” – here the attacker is trying to induce you to panic so that you don’t question the action being asked of you

Authority – messages appearing to come from a boss, colleague, or company you engage with regularly, or with information they shouldn’t have unless they are genuine (your IP address for example)

Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”

Curiosity – enticing you with something like “breaking news”

Why do cyber criminals do it?

They want access to your systems and money.

Phishing messages are usually designed to get you to click a link or download an attachment. They hope to either steal your login credentials or install malware on your systems, and once they are in your system, stealing your data is likely the next step for them. And after that they may hold you to ransom to get it back, they might just publish it all on the internet or they could simply destroy all your company data without asking for anything. Or they may just wait for an opportunity to take advantage of their position in order to steal money from you, a supplier, or a customer.

What next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.

Here at the centre, we would recommend that you consider.

1. Join our community for free. You will be supported through implementing the changes you need to help protect your organisation.

ECRC logo
Membership is free and can take you through the key stages of cyber resilience

2. Consider how we can help your own supply chain and customers – it would be great if you could look at promoting the centre on our behalf. Again – contact us to find out more.

3. Pop along to our website to catch up on a range of free tools that could help you protect your business today

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing.

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page