Smishing threats and the challenge of staying HIPAA compliant
Kirsten Peremore
June 26, 2025
SMS phishing represents a growing cybersecurity threat that directly challenges the ability of healthcare organizations to remain compliant with HIPAA. Smishing attacks exploit the widespread use of smartphones and the trust users place in text messages, often impersonating legitimate healthcare entities or leveraging urgent health-related scenarios to trick recipients into revealing sensitive information or clicking malicious links.
The journal article ‘DSmishSMS-A System to Detect Smishing SMS’, published in Neural Computing & Applications, explains why smishing works: “Smishing detection is a challenge not only because of features constraint but also due to the scarcity of real smishing datasets…Another risk factor... is that people often use mobile devices on the go... This leads users to respond... and click on malicious links.”
These attacks can deceive healthcare staff or patients into divulging credentials, downloading malware, or submitting confidential information to fraudulent sites. Each of these may result in unauthorized access to electronic health records or other data.
Smishing and how it differs from email phishing
Smishing is a cyberattack technique in which perpetrators use text messages to deceive recipients into divulging sensitive information, clicking malicious links, or downloading harmful software. While both smishing and traditional email phishing share the common goal of tricking victims into surrendering confidential data or credentials, smishing exclusively targets mobile phones and smartphones through SMS or other messaging platforms, leveraging the immediacy and personal nature of text communication. The reason it is particularly effective is illustrated in the MDPI open access article ‘The Effect of SMiShing Attack on Security of Demand Response Programs’: “Generally, a threat coming through an SMS message is not expected by users which makes SMiShing attacks easy to exploit.”
Email phishing typically targets users via email on a variety of devices, including desktops, laptops, and tablets. The content of smishing messages is often concise, employing abbreviations, symbols, and shortened URLs to fit within SMS character limits and evade detection. Smishing attacks frequently create a sense of urgency or authority, such as impersonating healthcare providers, banks, or government agencies.
Unlike phishing emails, smishing relies on the limited context of text messages, making it harder for recipients to verify authenticity. Mobile users are often less vigilant about security risks, especially when multitasking or responding on the go, increasing the likelihood of falling victim to smishing.
Why smishing is a serious HIPAA compliance threat
Missouri Medicine notes the risk of smishing to the healthcare sector, particularly, “Healthcare professionals appear especially vulnerable to these risks as fraudsters presume they have higher incomes, are more focused on patient care than data and e-commerce risks, and have access to large amounts of confidential data.” The healthcare sector is particularly vulnerable to data breaches, accounting for over 60 percent of reported incidents in recent years. A large proportion is attributed to external attacks such as phishing and smishing.
Smishing attacks exploit the trust and immediacy associated with SMS communication, often impersonating healthcare providers or leveraging urgent health scenarios to manipulate recipients into revealing credentials or sensitive information. Once attackers obtain access through smishing, they can infiltrate electronic health record systems, exfiltrate protected health information (PHI), or deploy malware and ransomware, all of which constitute impermissible disclosures under HIPAA.
Smishing attacks are difficult to detect and prevent because of the limitations of SMS filtering technologies and the brevity and ambiguity of text messages. Healthcare staff and patients may not be adequately trained to recognize smishing attempts, increasing the risk of successful attacks.
High-risk scenarios that occur in healthcare
- Community Health Center (CHC) data breach: In January 2025, CHC in Connecticut reported a data breach affecting over 1 million patients due to unauthorized access to personal and health information. Although the specific vector isn't detailed, such unauthorized access often stems from compromised credentials obtained through social engineering.
- New York Blood Center cyberattack: A cyberattack on the New York Blood Center disrupted scheduling systems and compromised donor information, impacting the region's blood supply. Attacks on critical healthcare infrastructure often leverage initial access gained through phishing or smishing.
How can covered entities prevent smishing attacks?
Given the unique challenges of detecting and mitigating smishing, like the brevity and informality of SMS messages and the limitations of traditional security filters, implementing machine learning-based detection systems has proven highly effective. The Neural Computing and Applications journal article demonstrated the utility of models that analyze the legitimacy of URLs within SMS messages and classify message content using efficient feature extraction and backpropagation algorithms, achieving detection accuracies approaching 98%. These systems look at both the domain authenticity and the linguistic characteristics of SMS messages.
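The two signal families the article describes, URL/domain legitimacy and the linguistic character of the message, can be combined into a simple triage rule. The following is an added illustration, not the DSmishSMS system or any Paubox code; the trusted-domain allowlist, the keyword lists, the weights and the sample messages are all constructed placeholders, and a production filter would learn its weights from labelled data rather than use these hand-picked values.

```python
"""Feature extraction and a weighted triage score for SMS smishing detection.

Constructed example: allowlist, keyword lists, weights and sample messages
are illustrative placeholders, not values from any real deployment.
"""
import re
from urllib.parse import urlparse

# Assumed: the covered entity's own sending domains (placeholder values).
TRUSTED_DOMAINS = {"example-clinic.org", "portal.example-clinic.org"}
# Link shorteners hide the true destination, so they are a risk signal.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_TERMS = ("urgent", "immediately", "suspended", "verify", "act now", "within 24 hours")
CREDENTIAL_TERMS = ("password", "login", "ssn", "social security", "date of birth")
# Weights are illustrative; a trained classifier would replace them.
WEIGHTS = {"untrusted_domain": 3, "raw_ip_host": 3, "shortened_url": 2,
           "asks_for_credentials": 2, "urgency": 1}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(text):
    """Return URLs in the message, with a scheme added and trailing punctuation dropped."""
    urls = []
    for match in URL_RE.findall(text):
        match = match.rstrip(".,;:!?)")
        if not match.lower().startswith("http"):
            match = "http://" + match
        urls.append(match)
    return urls


def domain_of(url):
    """Lower-cased host name without a leading 'www.' prefix."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def extract_features(text):
    """Boolean features covering both the links and the wording of an SMS."""
    lowered = text.lower()
    domains = [domain_of(u) for u in extract_urls(text)]
    return {
        "has_url": bool(domains),
        "untrusted_domain": any(d not in TRUSTED_DOMAINS for d in domains),
        "shortened_url": any(d in SHORTENER_DOMAINS for d in domains),
        "raw_ip_host": any(IPV4_RE.fullmatch(d) is not None for d in domains),
        "urgency": any(t in lowered for t in URGENCY_TERMS),
        "asks_for_credentials": any(t in lowered for t in CREDENTIAL_TERMS),
    }


def smishing_score(text):
    """Sum the weights of the risk features present in the message."""
    features = extract_features(text)
    return sum(w for name, w in WEIGHTS.items() if features[name])


def classify(text, threshold=4):
    """Flag a message for review when its score reaches the threshold."""
    return "suspicious" if smishing_score(text) >= threshold else "likely legitimate"
```

Messages flagged as suspicious should be routed to the reporting channel staff are trained to use, not silently dropped, so that a false positive on a genuine appointment reminder can be corrected.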
Technical measures alone are insufficient. Covered entities must also prioritize regular, targeted training for all staff members to recognize the signs of smishing, understand the risks associated with mobile communication, and follow established protocols for verifying suspicious messages. Training should include simulated smishing exercises, clear reporting procedures, and guidance on avoiding impulsive responses to urgent or authoritative SMS requests.
Balancing SMS communication with compliance needs
On the one hand, SMS offers an efficient channel for patient engagement, appointment reminders, and care coordination; on the other, it introduces risks of unauthorized disclosure of PHI. The previously mentioned Missouri Medicine study notes, “It is important to realize that data security is not purely an IT function… education is critical in safeguarding your data…Because employee ignorance and negligence are a primary cause of breaches, education is critical in safeguarding your data.” To achieve this balance, organizations must adopt a multi-layered approach that combines policy development, technological safeguards, and workforce education.
Workforce training makes sure that staff understand both the benefits and risks of SMS communication, recognize smishing attempts, and comply with established protocols for reporting and responding to suspicious messages. Organizations should implement technical controls such as SMS filtering, domain validation, and mobile device management to monitor and restrict unauthorized access to PHI.
FAQs
Can standard SMS texting be HIPAA compliant?
Standard SMS texting is generally not HIPAA compliant because it lacks encryption, cannot be recalled if sent to the wrong recipient, and messages can be intercepted on public networks. SMS messages are stored indefinitely on carriers’ servers without adequate security controls.
What are the most common cyber threats facing healthcare organizations?
Common threats include ransomware attacks that encrypt critical data, phishing and smishing campaigns targeting staff credentials, insider threats, misconfigured cloud storage leading to data leaks, and attacks exploiting vulnerabilities.
What are the regulatory requirements for healthcare cybersecurity in 2025?
The updated HIPAA Security Rule mandates stricter controls, including mandatory multi-factor authentication, AES-256 encryption for data at rest, TLS 1.2+ for data in transit, biannual vulnerability scans, and annual penetration testing. Organizations must also conduct regular risk assessments and maintain incident response plans to ensure compliance.
How do healthcare organizations manage cybersecurity risks related to connected medical devices?
Organizations must inventory all connected devices, apply security patches promptly, segment device networks from critical systems, and monitor device behavior for unusual activity.