(by Kritika Gaur)
FBI warned Plastic surgery offices in the United States that they are under a cybersecurity threat of targeted attacks by cybercriminal to steal sensitive data, including patient's medical records and photographs, for extortion purposes. The warning highlights a multi-stage approach used by attackers to maximize criminal profits.
In the first stage, cybercriminals use various method to get access to the networks of plastic surgery offices to gather sensitive data by employing tactics such as phishing with spoofed email addresses or disguised phone numbers, social engineering and more. The stolen data, including electronic protected health information (ePHI) and photographs is obtained by the cybercriminals which is then enhanced in the second stage through open-source information
and social media data. AI techniques can be used to make the work easier to enrich the stolen data. The final stage involves extortion, where criminals contact surgeons and patients, demanding payment in exchange for not publishing the stolen data. Some attackers go further by sharing the sensitive information with friends, family, or on the dark web to apply additional pressure.
Impact
The targeted cyberattacks on plastic surgery offices pose significant risks to patient privacy
and security. The potential exposure of personal information, combined with before-and-
after surgery photographs is clear intrusion into privacy and cause significant damage to victim in multiple ways.
The extortion tactics employed by cybercriminals, including threats to publish sensitive data,
create a distressing situation for individuals who may become victims. The FBI's warning
underscores the need for necessary cybersecurity measures in healthcare institutions and
emphasizes the importance of user awareness and proactive security practices to mitigate
such threats.
Recommendation
The FBI advises plastic surgery offices and patients to file complaints of fraudulent or suspicious activities at the Internet Crime Complaint Center (IC3).
Additionally, individuals are urged to take proactive measures to protect themselves, including strengthening the privacy settings of social media accounts, using unique and strong passwords, employing two-factor authentication, and monitoring bank accounts and credit reports for any signs of suspicious activity.
Comentários