Prevent Phishing and Healthcare Ransomware Attacks in Your Non-Acute Facility

November 8, 2022
Phishing is a type of cybercrime in which a fraudulent email is disguised to look like it comes from a reputable or known company or sender. The email is designed to steal data or compromise an organization’s security. If an employee clicks a link in the email, opens its attachment or enters credentials on the page it leads to, an attacker can steal passwords or data. The email can also deliver ransomware into the facility’s IT systems, and that infection is often not noticed until files are already encrypted and it is too late to act. 
Ransomware is a type of malicious software, or malware, that prevents an organization from accessing its computer files, systems or networks until it pays a ransom for the key that restores access. Unless the ransom is paid, or the organization has a robust recovery plan with tested backups it can restore from, it cannot operate critical aspects of the business.

“Because they look authentic, phishing attacks are relatively easy, inexpensive and successful for threat actors,” according to IBM. Plus, it only takes one person to click on a fraudulent email for the entire facility to be infected and the data held for ransom.

The consequences of a malware attack are expensive. The Cost of a Data Breach Report 2021 found average costs for incidents such as:

  • A business email compromise: $5.01 million
  • Phishing: $4.65 million
  • A ransomware breach: $4.62 million

The cost of ransomware attacks is growing. HIPAA Journal reported that the cost of U.S. healthcare ransomware attacks was estimated at $21 billion for 2020, with ransom demands ranging from $300,000 to $1.1 million. In 2019, the estimated cost for all healthcare attacks was $8.46 billion.
However, the actual cost per incident, on average, is hard to determine because the information is not always made public. Some organizations also do not reveal the ransom they paid.
In addition to paying a ransom, facilities also have the cost of downtime in which IT systems are frozen. In turn, the inability to access electronic medical records and patient data can prevent organizations from providing care to patients.
“Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data,” according to the FBI.


Ransomware and phishing attacks against healthcare organizations have increased in both number and sophistication during the pandemic, and that trend is expected to continue. “The rise of email-related breaches in healthcare has been staggering,” noted HealthITSecurity. “In 2012, according to data from the Department of Health and Human Services, just 4% of breaches involved email. In 2020, that number reached 42%.”  
COVID-19 played a role in the spike in phishing. A United Nations chief indicated a 600% rise in “malicious emails” during the pandemic. Other research found that U.S. companies experience phishing more than those in other countries. According to 2020 State of the Phish, 65% of U.S. organizations fell victim to a phishing attack in the previous year. The global average was 55%.
The attacks are particularly devastating to healthcare, and have been for at least the last several years. A 2018 article from HealthITSecurity noted that, “Phishing has become the preferred method for hackers to breach healthcare organizations to steal valuable medical data and/or deploy ransomware.”
The problem continues. The 2021 Cyber security threat trends report from Cisco emphasized that, “Phishing, though an old tactic, continues to be popular due to its simplicity and effectiveness. It targets the weakest link in the security chain: the user.”



The rise of email-related breaches has further enabled malware to infiltrate healthcare organizations and negatively impact their finances and quality of care. Yet, there are ways to prevent these incidents. For phishing to succeed, someone in the organization has to act on the malicious email: click its link, open its attachment or type credentials into the page it leads to. Facilities can train their staff to recognize fraudulent emails and to report them instead of acting on them.

According to the State of the Phish report, 78% of organizations say their security awareness training activities resulted in measurably lower phishing susceptibility. Additional solutions include:

  • Blocking known phishing websites and IP addresses by leveraging modern IT security solutions such as email and web filtering
  • Establishing protocols for identifying and reporting phishing emails, so that one report can trigger removal of the same message from every inbox
  • Keeping operating systems, software and apps current by applying security updates promptly
  • Updating anti-virus and anti-malware solutions automatically
  • Running regular virus scans to identify malware
  • Backing up data on a regular basis, keeping at least one copy offline or otherwise out of reach of ransomware, and testing that it can actually be restored
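
As an added example (not code from the original article or from any GPO partner), the following Python script shows what the "identifying and reporting phishing emails" item above can look like in practice when automated: it takes a raw email message and flags the indicators a trained reader looks for, namely a display name that names one domain while the real address uses another, a look-alike sender domain, a Reply-To pointing elsewhere, a failed SPF/DKIM/DMARC result recorded by the mail gateway, an attachment type commonly used as a ransomware dropper, and a link whose visible text shows one host while its target is another. The trusted domain, the sample message and every address in it are constructed for the example and are not real.

```python
"""Flag common phishing indicators in a raw e-mail (added example, hypothetical domains)."""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-clinic.org"}  # assumption: the facility's own mail domain
# Extensions that commonly carry ransomware droppers (scripts, macro documents,
# archives and disk images that sidestep Mark-of-the-Web checks).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".zip")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror|temperror)\b", re.I)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def domain_of(addr):
    """Lower-cased domain of an address header value, '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def host_in_text(text):
    """Pull a host name out of a display name or link text, '' if none."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw):
    """Return human-readable findings for one raw message; [] means nothing fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display = parseaddr(from_hdr)[0]
    from_dom = domain_of(from_hdr)
    # 1. Display name names a trusted domain, but the real address is elsewhere.
    claimed = host_in_text(display)
    if claimed and claimed != from_dom:
        findings.append(f"display name mentions {claimed} but sender is {from_dom}")
    # 2. Sender domain is one or two characters away from a domain we trust.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_dom, trusted) <= 2:
                findings.append(f"lookalike sender domain {from_dom} (resembles {trusted})")
    # 3. Reply-To routes any answer to a different domain than the From address.
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. The receiving gateway recorded a failed SPF/DKIM/DMARC check.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_FAIL_RE.findall(str(hdr)):
            findings.append(f"{mech.lower()}={result.lower()} in Authentication-Results")
    # 5. Attachment of a type commonly used as a ransomware dropper.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    # 6. Link whose visible text shows one host while its href goes to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in HREF_RE.findall(html.get_content()):
            shown = host_in_text(re.sub(r"<[^>]+>", "", text))
            actual = host_in_text(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but href points to {actual}")
    return findings

# Constructed sample: a credential-phishing mail with a macro document attached.
SAMPLE = b"""From: "IT Helpdesk (example-clinic.org)" <helpdesk@example-c1inic.org>
Reply-To: helpdesk@mail-recovery.example
Subject: Your password expires today
Authentication-Results: mx.example-clinic.org; spf=fail smtp.mailfrom=example-c1inic.org; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Sign in now to keep access:
<a href="http://login.example-c1inic.org/reset">https://portal.example-clinic.org</a></p>
--b1
Content-Type: application/octet-stream; name="Password_Policy.docm"
Content-Disposition: attachment; filename="Password_Policy.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("  -", finding)
```

Run against the constructed sample, all six checks fire. None of them is proof on its own (a legitimate newsletter often has a different Reply-To, and a one-character domain distance can be a sister company), which is why the script returns a list of findings for a reviewer or a reporting workflow rather than a verdict; in production the same checks would be applied at the mail gateway, where a flagged message can be quarantined before any employee sees it.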

Integrating all of these solutions helps ensure a robust approach to fighting back against phishing scams and malware. Healthcare facilities that want to improve their defenses can work with their group purchasing organization (GPO).

Many GPOs partner with IT suppliers and experts who have proven solutions that identify and prevent ransomware and phishing attacks. A GPO can ensure the most effective protection at the best cost.
