
Hospitals are facing an unprecedented wave of phishing attacks, and AI is making them harder to catch.
In late 2024, credential phishing incidents surged by more than 700%, powered by generative AI tools that can instantly create convincing emails, fake login pages and text messages. These attacks are bypassing traditional defenses and putting patient data, financial systems and clinical operations at risk.
AI-driven phishing is already reshaping the threat landscape, and no organization in the health sector can afford to fall behind. Rather than reacting to every new tactic, healthcare organizations should focus on securing identity, enforcing strict access controls and approaching every login with caution.
AI is changing phishing
Healthcare is built on trust and constant information access, and this is a threat that the industry can’t ignore. Every compromised login is a data breach waiting to happen, but it’s also a potential doorway to ransomware, system outages and lasting reputational damage.
Generative AI has dramatically lowered the barrier for launching sophisticated phishing campaigns, and health organizations are feeling the pressure.
Tools like ChatGPT, Google Gemini and other AI text generators make it easy for would-be attackers to produce near-flawless emails, login pages and text messages in seconds. What once required time and technical expertise can now be done by nearly anyone – quickly, cheaply and at scale.
Healthcare systems are especially vulnerable. Their large, decentralized workforces and networks of third-party vendors create constant, legitimate-seeming reasons to request credentials.
AI allows attackers to mimic internal IT alerts, HR messages or patient care requests with alarming accuracy, often using real staff names, logos and organizational language pulled from public sources.
What makes these attacks especially dangerous is their adaptability.
Attackers can test multiple versions of a phishing message, adjusting tone, formatting and phrasing, until one starts getting through. AI makes this trial-and-error process fast and scalable. While the messages aren’t typically changing in real time, the iterative process allows attackers to quickly refine their content based on what’s working, often slipping past filters and fooling even careful employees.
Identity security is critical
In the current threat environment, firewalls and network protections aren’t enough. The real target in most cyberattacks isn’t the system; it’s the person logging in.
Every access attempt presents a potential risk that health organizations must verify, monitor or block in real time. That’s not always convenient for staff, but with AI-enhanced phishing on the rise, stronger habits need to become standard practice.
Generative AI has made it far easier for attackers to pose as legitimate users. One stolen login can now unlock patient records, financial data or the systems that power clinical operations. That’s why identity has become the most critical layer of defense.
An identity-first approach shifts the focus from defending the perimeter to managing access. Attackers no longer need to force their way in; they’re logging in with stolen credentials.
To stop them, organizations must treat every login like a potential threat and limit access to what that user needs at that particular time. Strong authentication, tight role-based permissions and continuous monitoring make it harder for intruders to move through systems undetected.
But technology alone won’t solve the problem.
Even the best tools fail if frustrated users find ways around them. Clear policies, strong leadership support and regular, real-world training help staff understand why these extra steps matter, not just for IT, but for patient safety and operational continuity.
Building identity-first security
Implementing identity-first security in a healthcare environment requires careful prioritization.
Start by auditing your user directory and mapping out who has access to what, including third-party vendors and older, overlooked accounts tied to outdated systems or long-departed staff. These so-called legacy accounts often remain active longer than they should and can become easy entry points for attackers.
From there, prioritize rolling out phishing-resistant multifactor authentication to the accounts with the highest access privileges, such as electronic health record platforms, remote admin tools and financial systems.
Next, implement continuous monitoring tools that flag risky behaviors like logins from unfamiliar devices, after-hours access or credential use from multiple locations. Many EHR systems and identity providers now offer built-in activity monitoring features that can be activated with minimal configuration.
Routine access reviews should follow, focusing first on high-risk departments and roles. Establish a formal schedule for these reviews and enforce strict role-based access controls to ensure staff only have the permissions necessary for their jobs.
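As an added illustration of the audit, MFA and monitoring steps above (example code written for this page, not tooling from Health-ISAC or any vendor), the following script runs three checks over a constructed directory extract and a few constructed login events: it lists active accounts idle past a cutoff, privileged accounts still lacking phishing-resistant MFA, and logins from unfamiliar devices, after hours, or from two cities within one short window. The field names, the 07:00 to 19:00 working window and the 60-minute travel window are assumptions chosen for the example.

```python
# Added example (not from the article): a small identity-hygiene checker over
# constructed directory records and login events, covering three steps above:
# stale/legacy accounts, MFA gaps on high-privilege accounts, and risky logins.
from datetime import datetime, timedelta

# Constructed sample directory; 'mfa' is the strongest factor enrolled.
DIRECTORY = [
    {"user": "dr.lee", "privileged": True, "mfa": "fido2", "last_login": "2025-03-01T08:10", "active": True},
    {"user": "ehr-admin", "privileged": True, "mfa": "sms", "last_login": "2025-03-02T09:00", "active": True},
    {"user": "vendor-svc", "privileged": True, "mfa": "none", "last_login": "2024-09-14T12:00", "active": True},
    {"user": "j.smith", "privileged": False, "mfa": "totp", "last_login": "2025-02-28T17:45", "active": True},
]
# Constructed login events: (user, local timestamp, device id, city).
EVENTS = [
    ("dr.lee", "2025-03-03T08:05", "ws-0142", "Boston"),
    ("dr.lee", "2025-03-03T08:40", "unknown-7a", "Denver"),
    ("j.smith", "2025-03-03T02:30", "ws-0310", "Boston"),
]
KNOWN_DEVICES = {"dr.lee": {"ws-0142"}, "j.smith": {"ws-0310"}}
PHISHING_RESISTANT = {"fido2", "webauthn", "piv"}  # assumed factor labels

def ts(s):
    return datetime.fromisoformat(s)

def stale_accounts(directory, now, max_idle_days=90):
    """Active accounts unused for longer than max_idle_days (legacy/overlooked)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in directory if a["active"] and ts(a["last_login"]) < cutoff)

def mfa_gaps(directory):
    """Privileged accounts that still lack phishing-resistant MFA."""
    return sorted(a["user"] for a in directory if a["privileged"] and a["mfa"] not in PHISHING_RESISTANT)

def risky_logins(events, known_devices, window_min=60, hours=(7, 19)):
    """Flag unfamiliar devices, after-hours logins, and two cities within one window."""
    findings, last_seen = [], {}
    for user, when, device, city in sorted(events, key=lambda e: e[1]):
        t = ts(when)
        if device not in known_devices.get(user, set()):
            findings.append((user, when, "unfamiliar_device"))
        if not (hours[0] <= t.hour < hours[1]):
            findings.append((user, when, "after_hours"))
        prev = last_seen.get(user)  # previous (time, city) for this user
        if prev and prev[1] != city and t - prev[0] <= timedelta(minutes=window_min):
            findings.append((user, when, "multiple_locations"))
        last_seen[user] = (t, city)
    return findings
```

The same three functions can be pointed at a real directory export and identity-provider sign-in log once the records are mapped to these fields; the review cadence and thresholds should be tuned per department.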
Lastly, hospital leadership and IT teams should integrate regular security training into clinical and administrative workflows. Use real phishing attempts, ideally anonymized examples from within the organization, to help staff recognize warning signs. Give employees simple, well-publicized ways to report suspicious messages.
Trainers and department heads should also acknowledge the daily pressures staff face, especially in clinical settings, and emphasize that security measures aren’t just IT protocols – they’re safeguards for patient safety, operational continuity and professional accountability.
Small shortcuts can lead to major breaches, and it’s up to managers and security leads to make sure everyone understands what’s at stake.
Errol Weiss is chief security officer at the Health Information Sharing and Analysis Center, or Health-ISAC.