The deepfake and social engineering arms race in healthcare
Cybersecurity leaders across industries have long been aware of the power of social engineering in data breaches. With healthcare data fetching a premium price on the dark web, the use of social engineering to capture this data has skyrocketed. Now, the rise of sophisticated AI and generative technologies—like deepfakes—is intensifying the threat, wreaking havoc on privacy and identity management. Even the top cybersecurity vendors are struggling to keep pace with this escalating arms race.
What is social engineering?
According to the Department of Health and Human Services (HHS), social engineering is the psychological manipulation of individuals to perform actions or divulge confidential information.
For years, phishing has been the most prevalent social engineering risk, where users are tricked into responding to deceptive correspondence, inadvertently giving away personal or corporate data. However, with rapid advances in AI-generated imaging, the threat landscape has evolved. Deepfakes, which can replicate a person’s likeness or credentials with alarming accuracy, now present a serious risk.
How Are deepfakes Being Used in Healthcare?
Deepfakes are AI-generated synthetic media—video, audio, or images—designed to manipulate visual or auditory data. These fabrications can deceive both individuals and systems. Even sophisticated biometric systems like retinal scans are no longer immune to deepfaking.
How deepfake threats manifest in the healthcare sector
1. Impersonating healthcare professionals and patients
Deepfakes can create realistic videos or audio clips of healthcare professionals, such as doctors or administrators, to deceive patients, staff, or entire institutions. These fabrications can be used to:
- Facilitate fraud: A deepfake video or audio message could impersonate a trusted physician or administrator, instructing staff to share sensitive data, perform unnecessary procedures, or make unauthorized changes to medical records.
- Launch phishing attacks: Fake videos or voice recordings mimicking senior healthcare staff can trick employees into clicking on malicious links or disclosing credentials. In extreme cases, deepfakes of family members may be used to request personal or financial data via compromised voicemail systems.
- Example: An attacker might create a deepfake of a hospital CEO to request an urgent wire transfer or access to sensitive systems.
2. Spreading medical misinformation and health literacy scams
Deepfakes are increasingly being used to spread false medical advice, fake testimonials, or promote fraudulent treatments. These manipulations could:
- Harm patients: Individuals may follow dangerous or ineffective treatments based on fabricated videos of doctors endorsing them.
- Erode trust: If deepfakes become more common, patients may struggle to differentiate legitimate medical information from fake, leading to widespread distrust of healthcare providers and systems.
- Example: A deepfake of a respected physician endorsing a harmful health supplement could cause real-world harm.
3. Compromising telemedicine
The rise of telemedicine opens another door for deepfakes, which can be used to impersonate both doctors and patients during virtual consultations. This could enable:
- Medical fraud: Attackers could fake patient identities to obtain prescription drugs or medical services fraudulently.
- Insurance fraud: Deepfake patients could submit fraudulent claims for procedures that never took place.
- Example: A deepfake could impersonate a patient to acquire controlled substances through a telemedicine appointment.
4. Manipulating health records and diagnostic systems
Deepfake technology can also alter medical images, such as X-rays or MRIs, fabricating or changing diagnostic results. This could:
- Influence treatment: Fake or manipulated diagnostic images could lead to incorrect diagnoses, resulting in unnecessary or inappropriate treatments.
- Support insurance fraud: Altered medical images could be used to justify fraudulent insurance claims or unnecessary surgeries.
- Example: A fake MRI showing a non-existent tumor could lead to costly, unnecessary medical interventions.
5. Damaging reputations
Deepfakes can create scandalous or defamatory content involving healthcare professionals, institutions, or public health officials. This could:
- Undermine trust: False information about medical leaders or providers could harm their reputations and erode public trust in healthcare systems.
- Spread disinformation: Deepfakes could manipulate public opinion on healthcare policies or scientific research, contributing to confusion or resistance to critical health measures (e.g., vaccination campaigns).
- Example: A deepfake video of a public health official making offensive statements could undermine public health efforts.
Deepfake prevention
As with any cybersecurity strategy, the first line of defense is human awareness. Healthcare workers and patients need to be educated about the risks of deepfakes and avoid putting high-risk images and documents online. In extreme cases, physical validation methods, like requiring patients to press their identification tightly against their face during video calls, have been implemented to confirm their identity in real time.
On the technological front, several tools are emerging to counter deepfake threats:
- AI detection tools: Machine learning models are being developed to detect manipulated media by analyzing inconsistencies in pixelation, lighting, facial movements, or sound that may be imperceptible to the human eye.
- Watermarking and provenance technology:** Digital watermarks can be embedded into authentic media to verify its source. Blockchain technology can also trace the history and authenticity of media, creating a secure digital trail.
- Deepfake detection tools: Platforms such as Microsoft’s Video Authenticator and other AI-driven solutions from startups are designed to assess the authenticity of videos and flag potential deepfakes.