Earlier this week, the FBI and HHS released a joint security advisory about stolen payments.
What happened
On June 24th, the FBI and HHS released a cybersecurity advisory to help healthcare organizations recognize indicators of compromises, including common tactics, techniques, and procedures (TTPs).
Currently, it’s believed that threat actors are using phishing schemes, which are conducted over email, to steal login credentials. Once accounts are accessed, malicious actors can then transfer payments through ACH.
According to the report, healthcare organizations are frequent targets because of their size, technological dependence, access to personal information, and the negative impact downed operations can have on patient care.
Going deeper
With the rise of these attacks, the FBI and HHS have observed several common TTPs.
Unknown actors frequently gain initial access through employee accounts and then pivot to target login information related to reimbursement payments for insurance companies or similar organizations.
In some cases, malicious actors have also called IT Help Desks, posing as an employee to reset the password. Often the actors have personal information from the impersonated employee gained from past data breaches.
Other strategies used by threat actors include voice over Internet protocol numbers (virtual phone numbers used over the internet, VoIP), phishing/spearphishing, modifying or disabling multi-factor authentication, financial theft, bypassing of other authentication mechanisms, and impersonation.
What’s next
The advisory provided information on how healthcare organizations can mitigate attacks. Strategies include:
- Implementing multi-factor authentication (MFA) for every account.
- Train IT Help Desk employees and ensure that MFA is not bypassed.
- Frequently check phone call logs for VoIP.
- Reduce threats of malicious actors using remote access tools by auditing remote access tools, reviewing logs for the execution of related software, using security software for detection, requiring authorized remote access (such as the use of VPNs), blocking inbound and outbound connections, and applying recommendations from this guide.
What was said
In response to the advisory, the American Hospital Association (AHA) released a statement.
The AHA said they had initially been made aware of the scheme in January and it has also been discussed by the HHS in previous months.
John Riggi, AHA national advisor for cybersecurity and risk said, “The alert validates the ongoing and serious nature of this social engineering scheme as the AHA continues to receive similar reports from the field in regard to IT and human resources help desk social engineering schemes.”
Riggi also suggested healthcare organizations conduct social engineering tests and that payers should be made aware of any changes in process due to this threat.
Lastly, Riggi added that the Fourth of July can lead to increased risk, “Cyber adversaries have demonstrated a pattern of increased technical and social engineering targeting of health care during the holidays. Maintaining vigilance and staff cyber awareness is critical as we enjoy a safe holiday.”
The big picture
Threats like these require not only the right security tools and protocols but also strong staff awareness regarding threat tactics.
Unfortunately, surveys show that many staff are unaware of the importance of cybersecurity or don’t view it as a priority. To help prevent this issue from continuing, it’s important for employees to have a thorough understanding of their role in data security.
The best strategy, however, is automation through tools like Paubox, which ensures that every email going in and out of your network is safe and secure.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
