How to Prevent Social Engineering Attacks in Healthcare

As October’s National Cybersecurity Awareness Month reminds us, the threats facing healthcare organizations are evolving faster than most security programs can keep pace with. For scaling practices managing multiple locations and rapid growth, one uncomfortable truth is becoming impossible to ignore: having cyber insurance coverage and being covered when you file a claim are two very different things.

Do you think your practice is protected? Think again.

Common assumptions about what your policy covers and what your controls actually do are putting healthcare practices at serious risk.

In 2024, more than 40% of cyber insurance claims were denied, with many rejections stemming from inadequate defenses against social engineering attacks. Insurance carriers are getting pickier about what they’ll cover and digging into the fine print before they pay out, especially when breaches trace back to someone clicking the wrong thing.

If you’re growing across multiple locations, you’re facing a tough question: How do you actually protect your practice against social engineering while keeping your insurance coverage intact?

The human element dominates healthcare breaches

According to the 2024 Verizon Data Breach Investigations Report, 68% of breaches involve the non-malicious human element: people making mistakes or falling victim to social engineering attacks. In healthcare specifically, 70% of data breaches were traced to internal actors, with miscellaneous errors being the leading cause.

Healthcare workers get targeted because of what makes them good at their jobs: they want to help people. Jeffery Daigrepont from Coker Group puts it perfectly: “What front desk person doesn’t want to be helpful? They don’t want to get yelled at for not getting the insurance.” That instinct to be nice and solve problems? Attackers know exactly how to exploit it.

The numbers are rough. The Department of Health and Human Services Office for Civil Rights reported 725 large healthcare data breaches in 2024, affecting more than 275 million records. That’s 82% of the US population. This is the third straight year with over 700 major breaches.

If you’re expanding to new locations, here’s the problem: every new site gives attackers more ways in, while your training and security controls can barely keep up with where you already are.

What social engineering actually looks like in your practice


Social engineering attacks go way beyond simple phishing emails. Attackers study your organization. They pull names from LinkedIn, your staff directory, and website bios to build attacks that exploit exactly how your team works and what pressures they face every day.

Here’s what your team is up against:

Business email compromise (BEC): Fake emails from your “CEO” or “CFO” asking for urgent wire transfers or payment changes. These attacks make up over 40% of successful social engineering incidents, according to the 2024 Verizon DBIR. Unlike ransomware that makes headlines, BEC attacks rarely go public. You have to disclose when patient data gets breached, but not when someone steals money.

“IT support” impersonation: Calls or emails claiming they need remote access or credentials to “fix an urgent issue.” These attacks work because your team wants to keep systems running and avoid downtime.

Fake patients: Jeffery describes a troubling scenario: attackers walk in pretending to be patients who forgot their insurance card, then ask front desk staff to log into a web portal to download their insurance info. Your front desk staff are trained to be helpful and avoid complaints, which makes them perfect targets.

Invoice manipulation: Fraudulent payment requests or altered banking details sent to your accounts payable team across multiple locations, made to look like they’re from real vendors.

The emotional manipulation: These might be the worst. Attackers mine personal information from social media and use it against your staff. Jeffery shares an example where attackers monitored Facebook posts about a family member’s health crisis, then sent donation requests with the sister’s name and all the right details. Even careful people click when it hits that close to home.

Here’s how it usually plays out:

  1. Research phase: Attackers gather intel from LinkedIn, your staff directory, and anything public they can find
  2. Get a foothold: They try stolen passwords or send targeted phishing emails to get in
  3. Beat MFA: They spam push notifications until someone gets annoyed and approves just to make it stop (MFA fatigue)
  4. Walk right in: They log in with the stolen credentials. The session looks completely legitimate, so there is no exploit or malware for traditional tooling to detect; only sign-in anomalies (a new device, impossible travel, an MFA approval from a different location than the login) give it away

Why growing practices get targeted

If you’re expanding, you’re dealing with a perfect storm. Every new location increases your public footprint. More staff profiles, provider bios, and operational details, all material attackers use to build convincing attacks. Meanwhile, your security and training can’t keep up across all your sites.

The financial stakes are huge: Protected health information sells for $250 to $1,000 per record on the dark web. Credit cards? Only $5. PHI is permanent: Social Security numbers, diagnoses, and insurance details don’t change, and a stolen card can be cancelled. That means long-term fraud potential, not just one-time transactions. For attackers, healthcare data is worth the extra effort.

The 2024 Change Healthcare breach stands as the largest healthcare data breach in history, affecting 190 million people and costing UnitedHealth Group $2.87 billion. How did it happen? Attackers used stolen credentials to access a system that didn’t have multifactor authentication. A basic gap, a billion-dollar problem.

What else puts growing practices at risk:

Training that doesn’t match across sites: When you’re growing fast, some locations get solid security training while others get almost nothing. Attackers look for these gaps and exploit them.

Too many vendors: EHR systems, clearinghouses, imaging providers, billing services, practice management platforms. Every connection is another way in. The bigger you get, the more vendor vulnerabilities you have.

High-pressure environment: Your staff feels pressure to be helpful and responsive, exactly what social engineering attacks exploit. As the webinar makes clear, being nice and helpful creates vulnerability.

Shared devices everywhere: Front desk computers passed between shifts, personal phones accessing work systems, tablets moving between exam rooms. More ways in, less visibility into what’s happening.

The cyber insurance reality: Coverage doesn’t equal covered


Insurance requirements have changed completely. As Jeffery notes in the webinar, cyber insurance carriers work just like Aetna, Blue Cross, or Cigna. They have rules. If you don’t follow those rules exactly, they’ll deny your claim. Simple as that.

This isn’t hypothetical. The City of Hamilton, Ontario faced an $18.3 million recovery bill when their insurer denied their ransomware claim because multifactor authentication hadn’t been fully implemented. In Travelers Property Casualty Company v. International Control Services, the insurer went to court to rescind the entire policy, and the policy was rescinded, because the application had misrepresented that MFA was in place.

Why insurers deny claims:

You’re missing required controls: Insurers require specific security measures before they’ll pay. Usually this means:

  • Multifactor authentication (ideally phishing-resistant, such as FIDO2 security keys or passkeys; at minimum push MFA with number matching, which stops MFA-fatigue approvals but does not stop a real-time phishing proxy from relaying a one-time code)
  • Regular staff training with documentation showing who completed it
  • 24/7 monitoring and alerts
  • An incident response plan you’ve actually tested
  • Recent security risk assessments
  • Proof you actually did these things (policies sitting in a drawer don’t count)

Employee negligence: If a breach happened because your staff wasn’t trained well enough or didn’t follow procedures, insurers can deny coverage. The human mistakes that cause most breaches? Those are also the reason insurers won’t pay.

You didn’t follow your own policies: Having a risk assessment policy doesn’t matter if you can’t prove you actually ran assessments or fixed what you found. Missing documentation kills claims.

You lied on the application: If insurers find out you didn’t actually have the security controls you claimed when you applied, they can deny your claim or cancel your entire policy. Multiple legal cases prove this.

Our experts highlight it perfectly in our webinar: insurers have lawyers who make it clear they’re not writing checks unless they absolutely have to. Just like prior auth denials in revenue cycle management, insurers pick apart every detail before approving large payouts.

Quick wins: What your team can do this quarter

You need controls that work the same way across all your locations and keep insurers happy. Here’s what to do in the next 90 days, focused on high-impact moves you can actually pull off:

Weeks 1-3: Lock down authentication

Turn on phishing-resistant MFA right now for your high-risk people: system admins, finance staff, anyone who touches banking or payment systems, and third-party billing personnel. Remember Change Healthcare? $2.87 billion in costs because one remote-access system didn’t have MFA.

Turn on number-matching for all your MFA push notifications. Those simple approve/deny prompts train people to click “approve” without thinking. Number-matching makes them actually look at a number and match it—forces them to pay attention.

Shut off legacy authentication protocols (basic authentication for IMAP, POP3, SMTP AUTH, and older Exchange ActiveSync clients) that can’t carry an MFA challenge at all. Attackers know these endpoints still exist in healthcare and password-spray them constantly, because a valid password is all it takes.

Set up conditional access policies that flag risky sign-ins: unfamiliar locations, non-compliant devices, or unusual patterns. Make these require step-up verification rather than blocking access outright. You need security that doesn’t break clinical workflow.

We help healthcare organizations set up these authentication controls without disrupting clinical operations. Learn more about our approach to enhanced network and data security for healthcare.

Weeks 2-4: Eliminate password reuse

Set up single sign-on (SSO) for your top 10 apps. It cuts down password fatigue and puts every app behind one set of controls: MFA, conditional access, and a single place to disable a departed user. The 2024 Verizon DBIR shows stolen credentials featured in 38% of breaches.

Add a password manager for apps that can’t use SSO. Your staff should never reuse personal passwords for work. When a personal site is breached, a reused password becomes a valid credential for your systems, and attackers test exactly that.

Turn on breached-password blocking so staff can’t choose passwords that already appear in public breach dumps. Microsoft Entra Password Protection and equivalent features in other identity providers check this at password-change time.
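For practices whose identity provider lacks that feature, or that want the same check in a custom password-change flow, the usual approach is the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords service: only the first five hex characters of the password’s SHA-1 hash leave your network, and the match is done locally. The block below is an added example, not code from this article or from any vendor; the “range server” and its breach counts are constructed so it runs offline, and the 8-character length floor is an assumed local policy.

```python
"""Breached-password check with the k-anonymity range model.

Added example for this article; not code from the original page. It
implements the lookup scheme used by Have I Been Pwned's Pwned
Passwords API: SHA-1 the candidate password, send only the first five
hex characters of the hash, and compare the remaining 35 characters
locally against the returned suffix:count list, so the full hash (and
the password) never leave your network. The "range server" below is a
constructed stand-in so the example runs offline; the live adapter at
the bottom targets the real endpoint but is not called here.
"""
import hashlib
import urllib.request
from collections import defaultdict

MIN_LENGTH = 8  # assumed local policy floor; raise it for real deployments


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (35 hex chars + breach count) into a dict.

    Padded responses contain suffixes with count 0; those are kept so a
    count of 0 reads as 'not breached' either way.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count or 0)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen).

    fetch_range(prefix) must return the text body for that 5-char hash prefix.
    Only the prefix leaves this function; the suffix comparison is local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range) -> tuple[bool, str]:
    """Apply a length floor plus the breached-password block; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"found in {seen} known breaches"
    return True, "accepted"


# --- Constructed offline stand-in for the range endpoint -------------------
# A tiny "leak corpus" hashed here so the example needs no network access.
# The breach counts are made up for the demo and do not reflect real data.
_FAKE_LEAK = {"password": 10434004, "Password1": 2420000,
              "Winter2024!": 1800, "Welcome1": 520000}
_FAKE_INDEX: dict[str, list[str]] = defaultdict(list)
for _pw, _n in _FAKE_LEAK.items():
    _d = sha1_hex(_pw)
    _FAKE_INDEX[_d[:5]].append(f"{_d[5:]}:{_n}")


def fake_range(prefix: str) -> str:
    """Offline stand-in: returns suffix:count lines for the requested prefix."""
    return "\n".join(_FAKE_INDEX.get(prefix.upper(), []))


def live_range(prefix: str) -> str:
    """Real Pwned Passwords range lookup (defined for reference, not called here)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["short1", "Welcome1", "correct-horse-battery-staple"]:
        print(candidate, evaluate_password(candidate, fake_range))
```

Swap `fake_range` for `live_range` to query the real service; the `Add-Padding` header makes every response roughly the same size so response length cannot leak which prefix bucket was asked for. Run the check at password-change time and on a periodic sweep of existing hashes if your directory lets you export them, since a password that was clean last year may be in this year’s dump.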

Weeks 2-5: Stop business email compromise

Add a “Report Suspicious” button to your email for one-click reporting. The webinar emphasizes that even tech-savvy people fall for good attacks. Make reporting easy and celebrate it; that builds a culture where people actually flag sketchy emails.

Publish a DMARC record with a p=reject policy to stop email spoofing of your own domain. Do it in stages: get SPF and DKIM aligned for every system that legitimately sends as you (EHR notifications, billing, marketing), watch the aggregate reports at p=none until no real sender is failing, then move to reject, or you will drop your own mail. Note what DMARC does not cover: lookalike domains (yourpractice-billing.com) and mail sent from a compromised mailbox inside your tenant both pass, so the verification rules below still matter.
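A quick way to see where a domain stands is to pull its `_dmarc` TXT record and check it for the gaps above. The block below is an added example, not code from this article; the records it evaluates are constructed, and the findings it reports (p=none or p=quarantine, pct below 100, a weaker subdomain policy, no aggregate-report address) are the conditions under which a spoofed message still reaches someone.

```python
"""Assess a DMARC record for enforcement gaps.

Added example for this article, not code from the original page. It
parses the tag=value form of a _dmarc TXT record and reports the
conditions that leave exact-domain spoofing possible. The records used
below are constructed; fetch your own with
`dig +short TXT _dmarc.yourdomain.com` and pass the quoted string in.
"""


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict (tags lowercased)."""
    tags: dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return a list of findings; an empty list means the record is at full enforcement."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]

    findings: list[str] = []
    policy = t.get("p", "").lower()
    if policy == "":
        findings.append("no p= tag: receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")

    # Subdomain policy defaults to p when sp is absent, so only an explicit
    # weaker sp= is a gap (attackers can then spoof billing.yourdomain.com).
    sub_policy = t.get("sp", policy).lower()
    if policy == "reject" and sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are weaker than the organizational domain")

    # pct defaults to 100; anything less lets that share of failing mail through.
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; receivers fall back to 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in t:
        findings.append("no rua= address: you will not see who is sending as your domain")
    return findings


def is_enforced(record: str) -> bool:
    """True only when no finding remains, i.e. p=reject, sp=reject, pct=100, rua set."""
    return assess_dmarc(record) == []


# Constructed records: the weak starting point, a half-way stage, and the target.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STAGED = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
STRONG = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
          "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, rec in [("WEAK", WEAK), ("STAGED", STAGED), ("STRONG", STRONG)]:
        print(name, "enforced" if is_enforced(rec) else assess_dmarc(rec))
```

The checker reads only the record; it cannot tell you whether SPF and DKIM actually align for your senders. That answer comes from the aggregate reports delivered to the `rua=` address, which is why the script treats a missing `rua=` as a finding rather than a nicety.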

Require out-of-band verification for all payment changes or banking updates. Never approve financial changes via email alone. Always verify through a known phone number or separate communication channel. This simple rule stops most BEC attacks.

Set up alerts for suspicious inbox rules and OAuth grants: new rules that forward or redirect mail to an outside address, or that delete, hide, or mark-as-read messages mentioning invoices, payments, or passwords; and user consent to unfamiliar apps that request mailbox access. Attackers create these minutes after they get in so they can keep reading mail and hide the replies even after the password is changed.
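Those alerts reduce to a handful of conditions over the audit log. The block below is an added example, not code from this article or from any vendor: it runs that detection over a few constructed events shaped like Microsoft 365 unified audit log records (`Operation`, `UserId`, `Parameters` as Name/Value pairs, and `Consent to application.` entries). The field names, the internal domain, the approved-app allowlist, and the keyword list are assumptions to check against your own export; the logic is what matters.

```python
"""Flag post-compromise mailbox persistence in audit events.

Added example for this article, not code from the original page. The
sample events are constructed to resemble Microsoft 365 unified audit
log JSON; the exact field names are an assumption and should be checked
against a real export. Two things are flagged: inbox rules that
forward, redirect, or hide mail, and OAuth consent to an unapproved app
that was granted mailbox scopes.
"""
import json

INTERNAL_DOMAINS = {"example-health.org"}      # assumed: the practice's own domains
APPROVED_APPS = {"Contoso Scheduling"}         # assumed: vetted app allowlist
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Archive", "Junk Email"}
HOT_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "remit"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
               "MailboxSettings.ReadWrite", "offline_access"}

# Constructed sample: one compromised AP clerk, one ordinary clinician.
SAMPLE_LOG = """
{"CreationTime":"2025-10-03T14:02:11","Operation":"New-InboxRule","UserId":"ap.clerk@example-health.org","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"ap.clerk.backup@gmail.com"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-10-03T14:03:40","Operation":"New-InboxRule","UserId":"ap.clerk@example-health.org","Parameters":[{"Name":"Name","Value":"cleanup"},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2025-10-03T14:10:05","Operation":"Consent to application.","UserId":"ap.clerk@example-health.org","ObjectId":"Mail Sync Helper","ModifiedProperties":[{"Name":"ConsentAction.Permissions","NewValue":"Mail.ReadWrite offline_access"}]}
{"CreationTime":"2025-10-03T15:20:00","Operation":"New-InboxRule","UserId":"dr.lee@example-health.org","Parameters":[{"Name":"Name","Value":"lab results"},{"Name":"FromAddressContainsWords","Value":"lab@example-health.org"},{"Name":"MoveToFolder","Value":"Labs"}]}
{"CreationTime":"2025-10-03T15:25:00","Operation":"Consent to application.","UserId":"dr.lee@example-health.org","ObjectId":"Contoso Scheduling","ModifiedProperties":[{"Name":"ConsentAction.Permissions","NewValue":"Calendars.Read"}]}
"""


def _params(event: dict) -> dict[str, str]:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def check_inbox_rule(event: dict) -> list[str]:
    """Reasons an inbox rule looks like attacker persistence; empty if benign."""
    p = _params(event)
    reasons: list[str] = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in p.get(key, "").split(";"):
            addr = addr.strip()
            if addr and _is_external(addr):
                reasons.append(f"{key} external address {addr}")

    # Hiding actions: deleting, parking in a folder nobody reads, marking read.
    hides: list[str] = []
    if p.get("DeleteMessage", "").lower() == "true":
        hides.append("deletes")
    if p.get("MoveToFolder") in HIDE_FOLDERS:
        hides.append(f"moves to {p['MoveToFolder']!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        hides.append("marks as read")

    words = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).split(";")
    hits = sorted({w.strip().lower() for w in words if w.strip()} & HOT_WORDS)
    if hides and hits:
        reasons.append(f"hides mail matching {hits}: " + ", ".join(hides))
    elif hides and reasons:   # hiding on top of external forwarding
        reasons.append("also " + ", ".join(hides))

    if p.get("Name", "").strip() in {"", ".", ".."}:
        reasons.append("rule name is blank or a single dot")
    return reasons


def check_consent(event: dict) -> list[str]:
    """Flag consent to an unapproved app that received mailbox scopes."""
    app = event.get("ObjectId", "")
    if app in APPROVED_APPS:
        return []
    granted: set[str] = set()
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            granted.update(prop.get("NewValue", "").split())
    risky = sorted(granted & MAIL_SCOPES)
    return [f"consent to unapproved app {app!r} with {risky}"] if risky else []


def analyze(log_text: str) -> list[dict]:
    """Run both checks over newline-delimited JSON events; return findings in log order."""
    findings: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        op = ev.get("Operation", "")
        if op in ("New-InboxRule", "Set-InboxRule"):
            reasons = check_inbox_rule(ev)
        elif op == "Consent to application.":
            reasons = check_consent(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"time": ev.get("CreationTime"), "user": ev.get("UserId"),
                             "operation": op, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["user"], f["operation"], "|", "; ".join(f["reasons"]))
```

Run against the constructed log, the clerk’s three events are flagged and the clinician’s two are not. In production the same three checks run as a scheduled query against your audit log export; the response is to disable the rule, revoke the app’s consent, reset the session tokens, and then look at what the clerk was emailed in the preceding hours.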

Weeks 3-6: Secure devices and access points

Set minimum device requirements: screen locks, encryption, and current operating systems. Shared front desk computers need unique logins that auto-lock after a few minutes.

Add lightweight mobile device management (MDM) for phones and tablets that access work data. You don’t need complete device control. Just basic security standards.

Review who has access every quarter. Remove “all staff” permissions and shut off accounts for people who left. When you’re growing, people pile up permissions across roles and locations without anyone checking if they actually need all that access.

Multi-location practices managing tech support across health systems can benefit from co-managed IT approaches that implement these controls consistently while working alongside existing teams.

Staff training that doesn’t slow clinical operations


Technology alone can’t stop social engineering. Phishing-resistant MFA and payment controls limit what a successful deception can achieve, but no product stops a person from being talked into something. That takes awareness, education, and training.

Training approach that works for busy clinical teams:

Short, role-based micro-lessons: 5-10 minutes maximum, specific to what each role encounters. Front desk staff need different training than billing personnel or clinical providers.

Healthcare-specific scenarios: Generic cybersecurity training misses the mark. Your staff needs to recognize fake patient schemes, vendor impersonations, and insurance urgency tactics specific to healthcare workflows.

Monthly cadence instead of annual sessions: Security changes daily, as the webinar emphasizes. You really need to stay aware and reassess your environment constantly. Annual training becomes outdated before the year ends.

Make reporting easy and celebrated: Track speed-to-report as your key metric, not just click rates. Even clicks matter less if staff quickly report suspicious emails. Create a no-blame culture where reporting potential threats is praised.

What to teach in plain language:

  • “Pause and verify” before clicking, downloading, or changing any payment information
  • How to spot healthcare-specific social engineering (the fake patient scenario, vendor impersonation tactics, urgent insurance requests)
  • When to use the “Report Suspicious” button (make it the default for anything that seems slightly off)
  • Why callback verification matters for unusual requests, especially financial changes
  • How personal social media posts become fuel for targeted attacks

Run fake phishing tests monthly with instant micro-training for anyone who clicks. Track patterns by location and role to see where you need more training. This documentation also proves to insurers that you have a real security awareness program.

Finance controls that protect cash flow

Social engineering attacks increasingly target your money, bypassing technical security to steal cash directly. BEC attacks now represent 60% of cyber insurance claims filed, averaging $292,000 per incident.

Payment and banking controls to put in place:

Dual approval for payments above threshold: No single person should be able to authorize and execute large payments. This separation of duties breaks the most common BEC pattern, where one person is pressured into paying alone.

Out-of-band verification for account changes: If someone asks to change payment info, vendor banking details, or invoice procedures, verify through a known phone number. Never reply to the request email. Never click links in emails about money.

No financial changes via email, ever: Make this non-negotiable. All payment changes require phone verification at minimum.

Quarterly vendor access reviews: Shut off unused integrations and expired vendor accounts. When you’re growing, vendor access piles up without cleanup, creating unnecessary risk.

Building your insurance evidence package

Insurers want proof you had required controls in place before a breach. Scrambling to document everything after the fact won’t help when claims adjusters start digging.

What to document automatically:

Training records: Dates, topics, and who completed what. Your learning system should spit these out quarterly.

MFA enrollment: Who has it, what their role is, where they are. Track both enrollment and whether people are actually using it.

Phishing test results: Trends over time, response rates by location, and how fast people report suspicious emails.

Quarterly access reviews: Documented sign-offs showing you regularly check who has access to what.

Incident response plan testing: Dates and outcomes from practice runs. The webinar emphasizes that this request is common: insurers want proof you’ve actually practiced your plan, not just written it.

Security risk assessments: Run these after major changes like new locations, EHR updates, or vendor changes. Annual assessments alone won’t cut it for picky underwriters.

Insurance-ready checklist:

  • ☐ MFA coverage across all locations with implementation dates
  • ☐ Training completion rates with individual records by site
  • ☐ Incident response plan that’s documented and tested
  • ☐ Security risk assessment from the last 12 months
  • ☐ Pen testing or vulnerability scan reports
  • ☐ Quarterly access review documentation
  • ☐ Vendor security assessment records
  • ☐ Proof of 24/7 monitoring

Organizations seeking support for healthcare technology operations can maintain this documentation automatically while implementing the underlying security controls with the right partner.

Common implementation pitfalls to avoid


What doesn’t work:

MFA theater: Push prompts without number-matching just train people to click “approve” without thinking. You’ve defeated the whole point.

One-and-done annual training: Doesn’t change behavior, doesn’t meet evolving threats, and doesn’t satisfy insurance requirements. The webinar’s emphasis on security changing day by day makes annual training obsolete before it’s complete.

Tool sprawl without strategy: Buying more security products without fixing identity and access fundamentals just creates complexity without improving protection.

Checkbox compliance: Policies that exist on paper but aren’t actually followed. Insurers specifically investigate whether you followed documented policies during breach investigations.

Ignoring finance workflows: Security that focuses only on technical controls misses the BEC attacks that represent 60% of insurance claims.

Working in silos: Effective programs need coordination across IT, operations, finance, and HR. Organizations often have each location or department managing security independently, creating gaps attackers exploit.

Signs your program has gaps:

  • You can’t quickly tell who has access to what across all locations
  • Training completion varies wildly by site
  • No clear process for reporting suspicious emails
  • People approve payment changes via email
  • Your cyber insurance premiums keep climbing despite being “compliant”
  • You’re not sure if former employees still have access

From compliance burden to operational resilience

National Cybersecurity Awareness Month reminds us what growing healthcare IT teams already know: social engineering attacks are constant, sophisticated, and built specifically to exploit how healthcare works. The difference between organizations that get devastated by breaches and those that contain them quickly? Preparation, not luck.

The insurance industry’s tighter requirements aren’t just bureaucratic hoops. They’re actually a framework for real protection that happens to satisfy underwriters too. Organizations that build strong social engineering defenses see real benefits beyond lower premiums:

Less operational chaos: Staff who spot and report suspicious activity contain incidents before they blow up. Your help desk spends less time cleaning up after attacks.

Protected cash flow: Stopping BEC attacks means no fraudulent payments to chase down, no emergency money transfers, no vendor trust issues.

Faster response when things go wrong: Teams that practice work efficiently under pressure instead of making it up as they go.

Better staff awareness: Employees who understand real threats make better security decisions all day long, which means fewer help desk tickets and security incidents.

As mentioned in the webinar, a third of conversations now start with clients saying their cyber insurance company is asking for specific controls. Getting ahead of these requirements prevents premium shocks, claim denials, and the operational chaos of scrambling to implement controls while trying to renew coverage.

How Focus Solutions supports scaling healthcare organizations


Building real social engineering defenses while growing fast across multiple locations creates serious operational challenges. We work as your Unified Partner alongside your IT team (not replacing them) to put technical controls in place through Managed IT, Managed Security, and Managed Data services, coordinate training across sites, and maintain the documentation insurers require.

Our approach means your team focuses on strategic work while we handle consistent rollout, training coordination, and compliance documentation. You don’t need to add headcount, and every location maintains the same security standards.

Next step: Pick one thing from this roadmap and do it within 30 days. Start with number-matching MFA or the suspicious email reporting button. Both show immediate results and satisfy key insurance requirements. The goal isn’t perfection, it’s measurable progress toward real protection.

Want to discuss your current security posture and map out next steps? Contact Focus Solutions to schedule a conversation about building defenses that protect your operations while keeping insurers happy.
