Cybersecurity Threats to Healthcare Payment Processing: FBI and DHHS Issue Alert as Cybercriminals Exploit Vulnerabilities Amid Holiday Season

Advisory issued by FBI and HHS warns of cyberthreat actors targeting health care for theft of payments

On June 24, the FBI and Department of Health and Human Services issued an advisory warning healthcare organizations of cyberthreat actors targeting them in an attempt to steal payments. These agencies recommended mitigation efforts to reduce the likelihood of these attacks impacting organizations. Phishing is a common tactic used by threat actors, where they gain access to employees’ email accounts and then target login information related to processing reimbursement payments to insurance companies, Medicare, or similar entities. In some cases, threat actors have even posed as employees calling an organization’s IT help desk to trigger a password reset for an employee’s account.

The American Hospital Association (AHA) was first alerted to this type of scheme in January, and HHS issued a similar advisory in April. John Riggi, AHA’s national advisor for cybersecurity and risk, emphasized the serious nature of these social engineering schemes that utilize stolen employee information for password resets and enrolling new devices for multi-factor authentication codes. To prevent such attacks, healthcare organizations are advised to conduct social engineering tests on their help desk functions and implement multi-person authentication for any changes to payment instructions at the organizational level. Payers should also be informed of these requirements.

As the Fourth of July holiday approaches, it is important to be aware that cyber adversaries tend to target healthcare organizations more aggressively during holidays. Maintaining vigilance and ensuring staff are aware of cyber threats is essential for a safe holiday season. For more information on cyber and risk issues, you can contact John Riggi at jriggi@aha.org or visit www.aha.org/cybersecurity for the latest information and resources on cyber and risk threats.
