These hackers walked in through the front door, targeting the hospitals’ IT help desks and tricking staff into giving away credentials.

We usually think of the IT staff as the first line of defense against cyber threats, but the attackers used phone calls and social engineering to convince the person who answered the phone to give up information. The thief on the phone claims to be a financial employee (specifically in a revenue cycle or administrator role).

The American Hospital Association (AHA) first warned its members about this scheme in January but recently sent an updated warning because the problem has continued to plague hospitals.

The HHS Health Sector Cybersecurity Coordination Center (HC3) has taken a proactive stance against this tactic, issuing a sector alert and proposing several prevention actions. Their key measure is to enforce callbacks to the verified number on file for the employee in question, empowering the IT staff to verify information and stop potential attacks.

Social Engineering is a Powerful Tactic

According to the AHA, attackers use minimal stolen personal identity information to pose as insiders. They can answer one or more security questions the IT help desk poses. But then the cyber thief goes further:

The threat actor then requests a password reset and requests to enroll a new device, such as a cell phone, to receive multi-factor authentication codes. This new device will often have a local area code. This effectively defeats multi-factor authentication, including SMS text and higher level “phishing-resistant” MFA, to provide full access to the compromised employee’s email account and other applications. The threat actor has reportedly used the compromised employee’s email account to change payment instructions with payment processors and divert legitimate payments to fraudulent U.S. bank accounts or deliver malware into the network. The funds are believed to be transferred overseas, as with other payment diversion schemes.

The AHA recommends strict IT help desk protocols to help identify and stop these sophisticated schemes. For example, organizations may want to contact the supervisor on record of the employee making a help desk request; the help desk staff could require a video call with the requesting employee and take a screenshot of the employee presenting a valid government-issued ID. One large health system now requires employees making such requests to appear in person at the IT help desk.
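The HC3 callback measure and the AHA help desk protocols above can be expressed as a decision rule the help desk follows before acting on a reset or MFA enrollment request. The following is an added illustration, not code from the AHA, HC3 or any hospital; the directory entries, employee ids and phone numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample HR directory (not real data): employee id -> contact on file.
DIRECTORY = {
    "e1001": {"phone_on_file": "+15550100100", "supervisor_id": "e2001"},
}

@dataclass
class HelpDeskRequest:
    employee_id: str
    request_type: str                  # "password_reset" or "mfa_enroll"
    security_questions_passed: bool    # answered from (possibly stolen) PII; weak on its own
    callback_number_used: Optional[str] = None  # number the desk actually dialled
    callback_confirmed: bool = False   # requester answered that callback and confirmed
    new_mfa_number: Optional[str] = None        # device requested to receive MFA codes

def evaluate(req: HelpDeskRequest):
    """Return (decision, reasons) where decision is 'approve', 'escalate' or 'deny'."""
    record = DIRECTORY.get(req.employee_id)
    if record is None:
        return "deny", ["employee not found in directory"]
    reasons = []
    if not req.security_questions_passed:
        reasons.append("security questions not passed")
    # HC3 key measure: the callback must go to the number already on file,
    # never to a number the caller supplies during the call.
    if not (req.callback_confirmed and req.callback_number_used == record["phone_on_file"]):
        reasons.append("callback to the number on file not confirmed")
    if reasons:
        return "deny", reasons
    if req.request_type == "mfa_enroll" and req.new_mfa_number != record["phone_on_file"]:
        # Moving MFA codes to a new device is the step that defeats MFA in the AHA report;
        # hand it to the supervisor on record or an in-person ID check, not the phone desk.
        return "escalate", [f"new MFA device {req.new_mfa_number} differs from number on file; "
                            f"verify via supervisor {record['supervisor_id']} or in person"]
    return "approve", []
```

A caller who offers a "better" number to be reached at is denied because the desk compares the number it actually dialled against the HR record, not against anything said on the call.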

Workforce Training Can Weaken Social Engineering Tactics

HIPAA requires that staff receive cybersecurity awareness and basic HIPAA training regularly, at least once a year. Many staff are not aware of how social engineering works and do not recognize it when it happens. It has been described as psychological manipulation – an unsuspecting target engages in conversation via phone or email and is made to feel comfortable with giving up information. However, once staff are aware of this tactic, they find it easier to recognize and defend against it.
