The Urgency of Addressing Business Email Compromise in Healthcare

Updated on November 10, 2024

As health systems embrace digital transformation, they also become increasingly exposed to cyber threats, including the evolving threats brought on by advances in technology such as AI. AI is helping drive one of the most pervasive and damaging of these: Business Email Compromise (BEC).

BEC is a type of cyber fraud that targets organizations that make wire transfers, with significant financial consequences across the globe. The scam involves cybercriminals impersonating corporate executives or business partners by email to deceive staff into transferring money or sensitive data to fraudulent accounts.

Unlike many cyber threats that rely on malware, BEC exploits the human element, using social engineering to manipulate individuals into executing unauthorized transactions. The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams have resulted in more than $50 billion in losses, underscoring the substantial threat they pose to businesses worldwide.

According to VIPRE Security research, BEC attack vectors have seen a staggering increase of at least 20% in the last year or so. Is healthcare immune? No. Like other heavily targeted sectors, healthcare holds vast troves of sensitive patient data and critical financial information about both patients and health systems, making it an especially appealing target for cybercriminals. But BEC is not just a technical problem: as a threat vector, it can undermine operational and financial integrity across the globe.

The Growing Threat of AI-Powered Attacks

Cybercriminals have traditionally used BEC attacks to deceive employees into making unauthorized payments or divulging confidential information about the organization. These attacks are becoming far more dangerous with the advent of sophisticated AI tools. Increasingly, malicious actors use AI to generate emails that mimic a particular person's writing style, making it nearly impossible for even well-trained employees to distinguish a legitimate email from a scam.

Recent trends indicate that as much as 40% of BEC emails are AI-generated, raising the stakes for every healthcare organization.

The Cost of a Breach

Health systems are already dealing with rising operational costs and the need to meet patient care demands. BEC attacks add another layer of financial and security strain: they can cause huge financial losses for the health system through fraud, fines, and reputational damage, compromise sensitive patient data, violate HIPAA regulations, and invite costly legal action to defend against the breach.

According to Abnormal data, the healthcare industry experienced a 167% increase in advanced email attacks in 2023, a category that includes BEC, credential phishing, malware, and extortion. What makes BEC particularly dangerous is that it preys on trust: attackers often pose as senior executives or trusted partners, and once inside a system they can manipulate billing systems, payroll processes, and supply chain operations. In healthcare this is an especially chilling scenario, because such disruptions can compromise patient care.

BEC tactics are constantly evolving. Our research shows that malicious attachments have doubled year-over-year, while malicious links in emails have surged by 74%.

BEC Phishing Tactics

Phishing remains the primary vehicle for BEC attacks, and healthcare professionals, from front-line staff to C-suite executives, are among the most targeted individuals. Cybercriminals employ increasingly sophisticated techniques to bypass traditional security measures.

They use tactics such as redirecting URLs to pages on legitimate-looking cloud-hosting services that are designed to trick users into entering sensitive information. Health systems are complex: billing departments, administrative staff, and many other stakeholders need to communicate frequently, often by email, which makes phishing attacks harder to spot and recover from.

Sector-Specific Vulnerabilities in Healthcare

While the healthcare sector is not alone in facing rising BEC threats, it is uniquely vulnerable because of the value of the data it collects and works with. The combination of sensitive, high-quality data, high-pressure environments and, sometimes, outdated or cumbersome IT infrastructure makes it a prime target. As the use of electronic health records and other technology platforms expands, so do the points of vulnerability. Attackers are well aware of the critical nature of these services and of the leverage this gives them when demanding ransoms or exploiting system flaws.

Though beneficial for patient outcomes, the shift toward more integrated, interoperable systems across hospitals and care providers has also created more opportunities for cyberattacks. Each communication exchanged between healthcare providers, insurance companies, and external vendors is a potential entry point for a BEC attack.

A Call to Action for Healthcare Leaders

As BEC attacks become more sophisticated, healthcare organizations must continue prioritizing cybersecurity and training employees about how to detect such attacks.

Healthcare providers must consider investing in advanced threat detection systems and educating employees about the risks of BEC and the warning signs to watch for.

With attackers’ use of AI increasing, healthcare organizations must match it with AI-driven defenses that can detect and neutralize threats in real time. At the same time, they must foster a culture of vigilance and provide regular training so that staff become the first line of defense. The stakes are high.

In an era of digital transformation reshaping healthcare, the battle against BEC is one that healthcare security leaders cannot afford to lose. Healthcare’s future depends on a robust, multi-layered approach to email security that evolves as quickly as the threats that seek to undermine it.

Image: ID 124276305 © Everythingpossible | Dreamstime.com

Usman Choudhary
General Manager at VIPRE Security Group

Usman Choudhary is general manager of VIPRE Security Group.