How to Avoid Common Healthcare Phishing Attacks

Despite being one of the oldest and simplest cyberthreats, phishing email attacks pose a high risk to healthcare organizations, costing millions per year. Take steps to protect your data by informing your healthcare staff of the telltale signs of a phishing attack.


Phishing is a severe risk for providers.

Phishing, an email-based social engineering tactic, poses a severe threat to healthcare organizations, which have historically underinvested in security. According to Becker’s Hospital Review, cyberattacks increased 94 percent over the past year. Every member of a healthcare organization needs to know what to watch out for in their inbox to avoid falling for a phishing attempt.

Types of Attacks

The most common form of phishing is mass-produced email sent to anyone who will open it. These messages typically ask for personal information or carry malicious attachments. Basic as it is, standard phishing still accounted for multiple high-profile healthcare attacks in 2021, according to HealthIT Security.


Spear phishing takes a more targeted approach. Spear phishing emails are more convincingly personalized because the attacker has researched the victim’s role and department. They target specific individuals in an organization, such as administrators.


Whaling is a colloquial term for phishing attacks directed at high-level organizational management such as CEOs and CFOs. These attacks usually use fear to extract personal information from their targets. A typical example is an email warning the recipient of pending legal action and prompting them to open an attachment or click a link to learn more.


In 2022, attackers can deliver any of these tactics through text or instant messaging; phishing over SMS is known as smishing. For example, it is common for them to send messages posing as a coworker or supervisor. These messages often ask for payment in non-standard forms, like gift cards.

How to Detect Phishing Emails

The NIST Phish Scale details some of the signs of a malicious email. Employees should scrutinize any email from an unknown sender that asks for information. Emails with inconsistent branding, spelling errors, unprofessional formatting, or a generic greeting (“To whom it may concern”) may also be phishing attempts. Another suspicious sign is a ‘too good to be true’ offer, such as a claim that the recipient has won a contest or a free vacation.
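The signs listed above can be turned into a simple triage check that a mail-security or help-desk team could run over a reported message. The following is an added example, not code from the original article or from Medplace; the trusted sender domain, the phrase lists and the two sample emails are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed: domains the organization treats as known/internal (constructed value).
KNOWN_SENDER_DOMAINS = {"hospital.example"}
# Phrase lists are illustrative, built from the warning signs described in the article.
GENERIC_GREETINGS = ("to whom it may concern", "dear customer", "dear user", "dear sir/madam")
TOO_GOOD_PHRASES = ("you have won", "free vacation", "claim your prize", "winner")
PRESSURE_PHRASES = ("legal action", "lawsuit", "account will be suspended", "immediately")
ODD_PAYMENT = ("gift card", "wire transfer", "bitcoin")
INFO_REQUESTS = ("password", "social security", "date of birth", "login credentials")

def _text_body(msg: Message) -> str:
    """Collect the plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    return "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def phishing_signals(raw_email: str) -> dict[str, bool]:
    """Return which of the article's warning signs are present in one RFC 822 message."""
    msg = message_from_string(raw_email)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    domain = m.group(1).lower() if m else ""          # no parsable address counts as unknown
    body = _text_body(msg)
    body_l = body.lower()
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    return {
        "unknown_sender": domain not in KNOWN_SENDER_DOMAINS,
        "asks_for_info": any(p in body_l for p in INFO_REQUESTS),
        "generic_greeting": any(first_line.startswith(g) for g in GENERIC_GREETINGS),
        "too_good_to_be_true": any(p in body_l for p in TOO_GOOD_PHRASES),
        "fear_or_urgency": any(p in body_l for p in PRESSURE_PHRASES),
        "unusual_payment": any(p in body_l for p in ODD_PAYMENT),
    }

def risk_score(raw_email: str) -> int:
    """Number of warning signs present; higher means the message deserves a closer look."""
    return sum(phishing_signals(raw_email).values())

# Constructed sample messages (not real traffic).
WHALING_SAMPLE = ("From: Legal Dept <notice@legal-notices.example.net>\nTo: cfo@hospital.example\n"
                  "Subject: Pending legal action\n\nTo whom it may concern,\n"
                  "We have filed legal action against your organization. Open the attached notice immediately.\n")
INTERNAL_SAMPLE = ("From: Jane Doe <jane.doe@hospital.example>\nTo: bob@hospital.example\n"
                   "Subject: Thursday rounds\n\nHi Bob,\nCan we move Thursday's rounds to 9am?\n")
```

A score is a triage aid for the reader of a reported message, not a verdict: legitimate mail can trip a phrase match, and a well-crafted spear phishing email may trip none.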

Protecting Your Healthcare Organization from Phishing

By encouraging a ‘culture’ of cybersecurity in their organization and making employees aware of cybersecurity risks, healthcare administrators can ensure that their staff recognizes potential phishing attacks and stops them before they begin. For more information about safeguarding your organization’s data, see the Medplace cybersecurity toolbox.

Tim Walsh

Chief Technology Officer

Tim leads the Medplace technology team and oversees the development of the platform. Over his decade plus of experience, he has served as a jack-of-all-trades developer and held leadership roles at various education and technology ventures.
