Healthcare Cybersecurity: Deepfake & AI Voice Scams

In today’s digital age, advances in artificial intelligence (AI) have revolutionized various industries, streamlining processes, enhancing creativity, and improving efficiency. However, this technological progress has also brought new challenges. One of the most concerning is the rise of AI fraud, especially deepfake scams and AI voice scams. The malicious use of AI, including AI phishing and AI voice cloning scams, seriously threatens businesses and organizations and can cause disastrous data breaches and costly ransoms.

The healthcare industry is just as vulnerable to these attacks as any other business sector. In fact, healthcare data such as medical records is an especially valuable target for cybercriminals due to its sensitive nature. At Bridge, we operate at the forefront of cybersecurity to ensure that every aspect of our BridgeInteract patient engagement suite is protected at the highest standard. In this blog post, we will share our knowledge about the dangers of fake AI audios, how they can be used to target companies, and how employees can stay vigilant to avoid falling victim to deepfake scams.

Jump to:

• What Are Deepfake Scams And AI Voice Scams?
• What Is Vishing?
• How Could A Company Be Targeted Using Deepfakes?
• Social Engineering: How Employees Can Fall Victim To Generative AI Scams
• How Companies Can Protect Themselves
• Final Thoughts

What Are Deepfake Scams And AI Voice Scams?

Deepfake scams refer to using AI techniques, specifically deep learning, to create highly realistic digital manipulations of images, videos, and audio. With the right tools, an attacker can fabricate video footage or audio clips that convincingly mimic the voice or appearance of a real person, making it seem as though they said or did something they never actually did.

AI voice scams are AI-generated audio deepfakes that are particularly dangerous for businesses. Using a technique known as “voice cloning”, cybercriminals can recreate a person’s voice with minimal sample data. This deepfake audio can be used for AI impersonation scams. For example, a scammer could impersonate the CEO of a company or any high-ranking executive with just a few minutes of audio recording from public speeches, podcasts, interviews, or even voicemail greetings.

What Is Vishing?

Vishing (a combination of “voice” and “phishing”) is a form of social engineering attack in cybersecurity where attackers use voice communication (e.g., a phone call) to trick individuals into revealing sensitive information, such as passwords, credit card numbers, or other personal data. Traditional phishing attacks attempt to trick targets through email or text, but voice can be even more convincing. Vishing often exploits human trust by mimicking legitimate sources, such as banks, government agencies, or company executives.

AI voice scams are simply a more technologically sophisticated form of vishing, using AI voice cloning to mimic trusted individuals.

How Could A Healthcare Company Be Targeted Using Deepfakes?

Cybersecurity is especially important for healthcare organizations. The average cost of a healthcare data breach is $10.93 million , the highest among all industries (1). Sensitive data can be held for ransom by hackers, sold on the black market, or leaked to damage an institution’s reputation. A healthcare company that suffers a data breach may also incur further financial penalties for failing to comply with the security standards mandated by HIPAA, not to mention lost revenue due to disrupted operations.

• Learn more about how BridgeInteract streamlines your patient engagement strategy while securing sensitive data. View a demo.

Cyberattacks on healthcare also carry a heavy cost in human life. In a recent survey by Cyber Magazine, 28% of healthcare companies reported increased patient fatalities due to cyberattacks, a 5% rise over the prior year (2).

• $10.93 million – Average cost of healthcare data breach
• 28% of healthcare companies – Suffered increased fatalities due to cybercrime

Given the high stakes involved, it’s crucial to know the types of potential AI scams and prepare accordingly. Let’s go over some examples:

1. Fake Executive Orders
   Imagine receiving a phone call or voicemail from your CEO urgently requesting a wire transfer or providing confidential information. You recognize their voice, so you comply without question. However, it turns out that the request came from a sophisticated AI-generated audio scam. This tactic could be used in financial departments, where attackers trick employees into transferring funds to fraudulent accounts, or any other department of interest for the attackers where data could be extracted.
2. AI-Phishing With Voice
   Traditional phishing emails or messages often raise red flags because they might contain typos, odd phrasing, or unexpected attachments. But what if you receive a voicemail from a trusted colleague or manager instead of an email? In a spear-phishing campaign, a scammer could use deepfake audio to impersonate a high-level employee, directing a subordinate to click a malicious link, download software, or change security settings, paving the way for larger attacks like ransomware.
   

   For instance, attackers could impersonate the IT manager’s voice and ask an employee to reset critical security systems or provide access credentials.

3. Social Engineering For Espionage
   Deepfakes can also be used for corporate espionage. Cybercriminals may impersonate a senior leader’s voice, setting up fake meetings or phone calls with external partners, vendors, or even internal employees. During these interactions, they could glean sensitive business information or trade secrets that give them leverage over the company.This type of attack could also tarnish a company’s reputation, where a fake video or audio leak of an executive making inappropriate statements could lead to significant PR crises.

Social Engineering: How Employees Can Fall Victim To Generative AI Scams

Social engineering attacks rely on manipulating human emotions and trust. When an employee believes they are interacting with a trusted authority figure, they are less likely to question the legitimacy of the request. With deepfake scams using AI-generated audio, attackers are able to exploit this trust even more effectively.

Techniques that might be used in social engineering attacks involving deepfakes include:

• Urgency: Attackers may create fake scenarios that induce panic or pressure. For instance, the scenario we discussed involves a CEO calling an employee and asking him to make an urgent wire regarding a high-stakes business deal. Employees may comply for fear of disappointing their superior or missing a critical deadline.
• Familiarity: An attacker might use publicly available information (from social media or LinkedIn) to impersonate a colleague or executive who has a personal rapport with the employee. If the message includes familiar phrases or references personal details, it may seem even more legitimate.
• Authority: Employees are often conditioned to follow the instructions of those higher up in the organizational hierarchy. Employees may not think twice before acting on the request if a voice sounds convincingly like the CFO or Head of Operations.

How Companies Can Protect Themselves

Given the rise in these types of scams, businesses must stay ahead of the curve by implementing these preventive measures:

1. Employee Training And Awareness
   Regular phishing training is no longer enough. Employees need to be aware of the potential for AI-generated deepfakes. Simulated phishing exercises and instruction on the risks of audio deepfakes can help employees recognize suspicious situations. Employees should always verify any unusual or unexpected requests, especially when financial transactions are involved.
2. Two-Factor Authentication For Requests
   For sensitive matters like financial transactions, companies should establish a two-factor authentication process. This could involve cross-checking the request via a different communication channel or using secure, company-wide systems that are hard to fake. Biometric authentication (e.g., face or fingerprint recognition) can also be used to verify individuals.
3. Implement Strict Verification Policies
   When a request seems urgent or unusual, especially if it involves money or confidential information, employees should be trained to verify it directly through known, trusted methods, such as calling the executive or colleague through their personal verified number.
4. Monitoring And Detection Tools
   Advanced cybersecurity tools can be implemented to detect unusual patterns in communication, such as voice recognition technology to verify if a speaker is actually who they claim to be. Cybersecurity companies are also working on systems to detect deepfake audio and video, although this is still a developing field.

Final Thoughts

Deepfakes and AI-generated audio scams represent a new frontier in cybercrime, where trust and credibility can be easily manipulated. For healthcare companies, the stakes are high; falling victim to one of these scams could result in significant financial losses, reputational damage, and legal complications.

The complex digital infrastructure of the modern healthcare supply chain means that healthcare providers don’t just need to manage their own cybersecurity—they must also carefully vet any software partners or vendors and ensure that these third parties are also secured to the highest standard. Otherwise, any vulnerability in the supply chain can lead to a costly breach.

Vigilance and awareness are key to staying ahead of cybercriminals in this fast-evolving digital landscape. To protect yourself against AI voice scams and all kinds of cyberattacks, it’s recommended that you minimize vulnerabilities by consolidating the various digital healthcare tools (patient portal, EHR, RCM, scheduling, and other online services) into a single platform that complies with the highest cybersecurity standards.

Partnering with a single, comprehensive solution provider like BridgeInteract can significantly enhance security. BridgeInteract is a modular patient engagement platform that offers a wide range of patient-facing tools in a unified system, including a patient portal, bill pay, telehealth, HIPAA-compliant messaging, and more. Organizations can tailor the platform to their needs while benefiting from robust cybersecurity measures.

BridgeInteract is SOC 2 certified and employs advanced security protocols, such as strong encryption, state-of-the-art firewalls, and HIPAA-compliant cloud solutions, to protect sensitive patient data. Additionally, it meets the ONC Certification Criteria for Health IT and is certified by an ONC-Authorized Certification Body (ONC-ACB), aligning with the standards set by the Secretary of Health and Human Services. Learn more at BridgeInteract Certifications.

Don’t settle for less than the highest level of security for your digital tools. Contact us to learn how BridgeInteract can help you achieve your business goals while safeguarding your organization from cyberattacks.

Read more on healthcare cybersecurity:

• How To Secure Your Healthcare Supply Chain
• Healthcare Application Security: How To Protect Patient Data
• Patient Engagement Cybersecurity Tips

Sources:

• Security Intelligence. (2023). Cost of a Data Breach 2023: Healthcare Industry Impacts. Available at: Link. Accessed December 9, 2024.
• Cyber Magazine. (2024). Cyber attacks threaten healthcare supply chains. Available at: Link. Accessed December 9, 2024.