Staying Ahead of the Scam: A Conversation with Dr. Anya Sharma
SPT’s CISO explains how phishing threats in healthcare are evolving—and what to do about it.
Cyberattacks on healthcare systems are growing more sophisticated, especially in the form of phishing. We sat down with Dr. Anya Sharma, Chief Information Security Officer at Secure Patient Technology, to discuss the latest trends and what healthcare organizations should be doing right now to protect their teams and data.
What’s changed in phishing over the past year?
“The language. The impersonation. The timing. We’re no longer seeing just generic emails with bad grammar. These are highly targeted, well-researched attacks that mimic internal senders, legal notices, or even vendor communications.”
And they’re still effective?
“Unfortunately, yes. The pressure and volume of communication in healthcare make it easier to miss small red flags. A link from ‘IT’ during a platform update? People click. A calendar invite from an unknown vendor? People accept. That’s why phishing in healthcare has one of the highest success rates across industries.”
How are phishing attacks specifically targeting clinical staff?
“We’re seeing campaigns that mimic EHR alerts or shift notifications. Some impersonate prescription refill services. The goal is to appear urgent, relevant, and routine. And that combination makes frontline staff especially vulnerable.”
What has SPT done to address this threat internally and for its clients?
“We treat phishing not just as a technical threat, but as a human vulnerability. Internally, we conduct dynamic phishing simulations, update our internal playbooks quarterly, and route suspicious messages through a monitored triage system. For clients, we offer embedded anti-phishing protocols and helpdesk macros to reinforce training at the point of risk.”
If you could give one piece of advice to every healthcare CISO today, what would it be?
“Assume the attack is already in your inbox. The faster your people can recognize it, report it, and isolate the vector, the less damage it does. Defense is no longer just infrastructure—it’s awareness.”
What’s next? How do phishing scams continue to evolve?
“I expect we’ll see more multi-channel attacks—email that links to SMS, fake scheduling apps, or credential requests that pass through legitimate third-party tools. AI-generated phishing attempts will also increase in realism. Our job is to stay ahead, not just react.”
Secure Patient Technology is committed to proactive protection. That means helping healthcare systems secure not just data—but behavior, access, and trust.
Stay informed. Stay vigilant. Stay protected.