Healthcare organizations are at increased risk of cyber attacks as threat actors target them in an attempt to steal payments. The FBI and Department of Health and Human Services issued an advisory on June 24, recommending mitigation efforts to reduce the likelihood of these attacks impacting organizations. One common tactic used by threat actors is phishing, where they gain access to employees’ email accounts and then target login information related to processing reimbursement payments to insurance companies, Medicare, or similar entities. In some cases, threat actors have even posed as employees calling an organization’s IT help desk to trigger a password reset for an employee’s account.
The American Hospital Association (AHA) was first alerted to this type of scheme in January, and HHS issued a similar advisory in April. John Riggi, AHA’s national advisor for cybersecurity and risk, emphasized the serious nature of these social engineering schemes that utilize stolen employee information for password resets and enrolling new devices for multi-factor authentication codes. In addition to the recommended mitigations, healthcare organizations are advised to conduct social engineering tests on their help desk functions and implement multi-person authentication for any changes to payment instructions at the organizational level. Payers should also be informed of these requirements.
As the Fourth of July holiday approaches, it is important for healthcare organizations to maintain vigilance and ensure staff are aware of cyber threats. Maintaining a safe holiday season requires awareness and prevention efforts from all members of the organization. For more information on cyber and risk issues, contact John Riggi at jriggi@aha.org or visit www.aha.org/cybersecurity for the latest information and resources on cyber and risk threats
