
Patient records out, ransomware in.

Healthcare is the most heavily targeted sector globally for both data theft and ransomware, because patient records are unusually valuable on the black market and clinical disruption forces fast ransom decisions. RiskSense generates the EHR, lab-result and supplier phish your staff are actually getting, with reports that line up to HIPAA, Privacy Act 2020, UK GDPR and NHS DSPT requirements.

Why Healthcare keeps getting hit

Complete patient records are worth ten to fifty times more on the black market than credit card records: they're long-lived, hard to revoke, and useful for insurance fraud. On top of that, clinical disruption from a ransomware attack creates immediate patient-safety pressure, which is why healthcare organisations have one of the highest ransom-payment rates of any sector. Both vectors usually start with a phishing email to someone in the practice.

Patient record theft (sold for identity and insurance fraud)
Ransomware on the EHR or PACS imaging system
Credential theft for payer / insurer portals
Medical supplier impersonation for fraudulent invoicing
Practice email account takeover for onward phishing of patients
Pharmacy / pharmaceutical supply spoofing

Compliance frameworks that touch SAT

These are the regulations and standards in Healthcare where ongoing security awareness training is either required or strongly expected.

HIPAA Security Rule (US)

§164.308(a)(5) requires a security awareness and training programme for all members of the workforce, with periodic reminders and ongoing phishing-style training.

HITECH / HHS OCR (US)

Enforcement-side expectation: in the event of a breach, OCR will ask for evidence of recent SAT activity. Absence has materially affected penalty calculations.

Privacy Act 2020 (NZ)

The notifiable privacy breach regime makes the cost of a phish-driven leak material. The Health Information Privacy Code adds sector-specific weight.

Health Info Privacy Code 2020 (NZ)

Sector-specific code under the Privacy Act covering all health agencies; reasonable security safeguards explicitly include training.

UK GDPR / DPA 2018 (UK)

Article 32 requires appropriate technical and organisational measures, with ICO guidance specifically calling out staff training on phishing as part of that baseline.

NHS DSPT (UK)

The Data Security and Protection Toolkit standards include staff training as a mandatory annual assertion for NHS organisations and their suppliers.

Privacy Act 1988 + NDB (AU)

The Notifiable Data Breaches scheme makes any healthcare breach reportable. Reasonable steps under APP 11 include awareness training.

HITRUST CSF (Global)

The awareness and training control family (HRA.01) requires evidence of recurring training, including phishing exercises.

Phish your healthcare staff are actually getting

Patterns we see most often. RiskSense generates these automatically from your tenant context, not from a template library.

Pattern 1: EHR / patient system sign-in alert

Email purporting to come from your electronic health records system warns of an unusual sign-in and asks the recipient to verify or face account suspension.

What tips Glitch off
  • Sender domain is close to but not the real EHR vendor (e.g., epic-secure.com vs the real epic.com tenant)
  • Real EHR vendors send admin alerts through your IT admin, not direct to clinicians
  • Login link routes to a credential harvesting page on a third-party host
  • Urgency framing ('24 hours to verify') designed to bypass verification

Pattern 2: Lab result reset request

Email claims to be from the practice's pathology lab, saying a result couldn't be delivered and asking you to log into the lab portal to retrieve it.

What tips Glitch off
  • Real labs push results directly into your EHR via secure messaging, not via portal login
  • Domain is similar but not the actual lab's domain
  • Generic patient reference: no specific patient name or referral number
  • Login form requests EHR-system credentials, not lab-portal credentials

Pattern 3: Medical supplier invoice change

Email from a known medical or pharma supplier notifies you of a banking detail change ahead of the next monthly invoice cycle.

What tips Glitch off
  • Bank account changed without prior written notice from the supplier
  • Reply-to address differs from the sender
  • No follow-up phone call to confirm; supplier finance teams call for changes this material
  • Comes from a personal-looking subdomain, not the supplier's tenant

Pattern 4: MFA approval bombing from 'IT'

Email or push notification asks the clinician to approve an MFA prompt on their phone for 'a routine sign-in test by IT'.

What tips Glitch off
  • IT never asks users to approve unsolicited prompts
  • The sender domain is a near-miss of the practice's actual IT domain
  • Vague framing ('a test') without a ticket reference
  • If you didn't initiate a sign-in, deny it
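The header-and-body tells listed across the four patterns (near-miss sender domain, mismatched Reply-To, urgency framing, login link on a third-party host) can be written down as a small mail-triage check. This is an added illustration, not RiskSense's own code; the trusted-domain allowlist, the addresses and the sample message are all constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allowlist of domains the practice legitimately gets mail and links
# from (hypothetical names, not a real tenant).
TRUSTED = {"epic.com", "pathlab.example", "practice.example"}
URGENCY = re.compile(r"\b(24 hours|suspend(ed|sion)?|immediately|urgent)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")

def domain_of(addr):
    """Lowercase domain of 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip("<> \t").lower()

def is_lookalike(domain):
    """Near-miss: untrusted, but reuses a trusted brand label (epic-secure.com vs epic.com)."""
    return domain not in TRUSTED and any(t.split(".")[0] in domain for t in TRUSTED)

def trusted_host(host):
    return host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED)

def phish_indicators(raw):
    """Return the set of red flags from Patterns 1-4 that one raw RFC 5322 message triggers."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From", ""))
    body = msg.get_payload()
    flags = set()
    if is_lookalike(sender):
        flags.add("sender_lookalike")    # Patterns 1, 2, 4: near-miss vendor or IT domain
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:
        flags.add("replyto_mismatch")    # Pattern 3: replies go somewhere else
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.add("urgency")             # Pattern 1: '24 hours to verify'
    if any(not trusted_host(urlparse(u).hostname or "") for u in URL.findall(body)):
        flags.add("link_offdomain")      # Patterns 1, 2: login link on a third-party host
    return flags

# Constructed sample in the shape of Pattern 1; every address and host is made up.
PATTERN1 = """From: EHR Security <alerts@epic-secure.com>
Reply-To: helpdesk@mail-verify.example
To: dr.smith@practice.example
Subject: Unusual sign-in - verify within 24 hours

Verify now or your account will be suspended:
https://login.mail-verify.example/verify
"""
```

The brand-label substring test is deliberately crude and will over-match; in practice the allowlist would come from the tenant's verified vendor and IT domains.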

Cyber insurance angle

Healthcare cyber insurance has tightened more than almost any other sector. Insurers now treat SAT as a hard underwriting condition, particularly for any organisation handling personal health information. A breach without documented SAT in place tends to mean policy denial plus a regulator-driven enforcement action — both expensive, both avoidable. RiskSense produces per-clinician evidence that satisfies both the insurer and the regulator.


Questions healthcare teams ask

Does HIPAA explicitly require phishing simulations?

HIPAA Security Rule §164.308(a)(5) requires a security awareness and training programme. It doesn't name phishing simulations specifically, but in practice OCR investigations after a breach consistently ask for evidence of phishing-style training and how the programme is kept current.

We're a small practice — do we still need this?

Yes. Solo and small practices are over-represented in healthcare breach statistics precisely because attackers know the controls are weaker. HIPAA, Privacy Act 2020 and UK GDPR all apply at small scale; they don't have a minimum-staff threshold.

Are visiting clinicians and locums covered?

If they have an email account on your tenant, yes — RiskSense covers all users on the connected tenant by default. If they use their own email and just visit, you'd want to extend training via a side programme, which we can support.

Can we exclude staff from simulations during a critical clinical period?

Yes. Campaign cadence is per-tenant and can be paused for specific teams or during clinical-priority windows (year-end, audit periods, accreditation cycles). The compliance side keeps running on training and coaching.

Will the reports satisfy our HIPAA risk analysis?

Yes. RiskSense produces the evidence pattern OCR typically asks for: training records per workforce member, simulation events and outcomes, post-click coaching completion, and aggregate trend data. Reports are exportable for inclusion in your risk analysis documentation.

What about NHS / UK DSPT submissions?

Yes, those are covered too. The DSPT data security and protection standards specifically require evidence of staff training, and RiskSense reports align with the assertion structure.

Get a healthcare-aware programme running today.

60 seconds to set up. No credit card. Reports your auditor and your broker will actually accept.