Advisories for Healthcare Institutions to Combat Vishing and Smishing Threats: Key Strategies Revealed
In the digital age, healthcare organizations face a growing threat from vishing and smishing attacks. Last year, the Health Sector Cybersecurity Coordination Center issued an alert regarding an increase in vishing attacks across all sectors, highlighting the urgency for strengthened security measures [1].
To combat these threats, a multi-faceted approach is essential. Here are four key strategies:
1. **Employee Awareness and Training**
Regular, tailored cybersecurity training for all staff is crucial to recognise vishing and smishing tactics. This includes practical examples, simulated phishing exercises, and education on never sharing sensitive information over the phone or SMS [2][3][4].
2. **Technical and Procedural Controls**
Implementing call-blocking technologies and spam filters, voice authentication tools, anti-phishing software, SMS filters, and multi-factor authentication (MFA) are all essential technical defences [2][3][4].
3. **Monitoring and Incident Response**
Network and endpoint monitoring, a clear incident response plan, and prompt reporting of suspicious calls or messages to the IT or security team are vital for timely investigation and mitigation [2][3].
4. **Community and Patient Education**
Extending awareness efforts to patients and community members helps them understand the risks of vishing and smishing and encourages them to verify communications from healthcare providers through official channels [5].
In addition, implementing ongoing awareness programs, staying informed about the latest threats, and collaborating with law enforcement and cybersecurity agencies are also crucial [7][10].
Moreover, implementing zero trust strategies can help mitigate the risks associated with vishing and smishing attacks. Zero trust, a security concept that requires all entities to be verified and authenticated before granting access to resources, can provide enhanced security and privacy for healthcare organizations and their patients [8].
Recent years have seen both vishing and smishing gain traction, posing a significant challenge to the security and privacy of healthcare providers and their patients. In 2020, a large health system warned patients about fake calls that appeared to originate from the provider's phone numbers [6].
Health systems have been warned to watch for attacks that impersonate their organizations and target providers and patients [9]. By reinforcing internal protocols to respond to vishing and smishing, fostering a culture of cybersecurity, and staying vigilant, healthcare organizations can significantly reduce their vulnerability to these attacks and better protect both their operations and the communities they serve [2][3][4][5].
- To bolster the technology defenses against vishing and smishing attacks, it's vital to incorporate call-blocking technologies, spam filters, voice authentication tools, anti-phishing software, and SMS filters into the system, along with implementing multi-factor authentication.
- As technology plays a crucial role in countering vishing and smishing attacks, ongoing employee awareness and training programs are essential to help staff recognize these tactics, emphasizing the importance of not sharing sensitive information over the phone or SMS.
