The American Hospital Association (AHA) issued a caution to hospitals about a confirmed IT help desk social engineering scheme, urging them to stay vigilant and report any instances to the Federal Bureau of Investigation (FBI). In this scheme, threat actors use stolen identities, specifically those of revenue cycle employees or individuals in other sensitive financial roles within healthcare organizations. When they contact IT help desks, the threat actors use the stolen personally identifiable information to answer security questions convincingly.
Once the threat actors have passed this initial identity check, they request a password reset together with the enrollment of a new device, frequently a cell phone. This device often carries a local area code, a subtlety that facilitates the threat actor’s circumvention of multi-factor authentication measures. With the new device enrolled, the threat actor can bypass multi-factor authentication and gain unrestricted access to the compromised employee’s email account and other critical applications. Adding to the severity of this scheme, there have been documented instances where threat actors, operating from the compromised employee’s email account, manipulate payment instructions. In these cases, they redirect legitimate payments to fraudulent U.S. bank accounts, causing a severe financial impact on the targeted healthcare organizations. The fraudulently acquired funds are then systematically funneled overseas, highlighting the global reach and consequences of the threat.
John Riggi, AHA’s national advisor for cybersecurity and risk, described the scheme as “innovative and sophisticated,” emphasizing the need for stringent IT help desk security protocols. Proposed measures include implementing a call-back procedure to the number on record for employees requesting password resets and new device enrollments. Organizations may also consider contacting the supervisor of the employee making such requests. After falling victim to this scheme, one large health system now mandates that employees appear in person at the IT help desk for such requests. Riggi stressed, “This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes.”
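As an added illustration, not taken from the AHA alert or from any vendor product, the detection logic below correlates constructed identity-log events to surface the sequence described above: a help-desk password reset followed within a short window by enrollment of a new MFA device on the same account, escalated when that account then changes payment instructions. The event names, fields and time windows are assumptions chosen for the example.

```python
"""Added example: flag the help-desk reset -> new MFA device -> payment change
sequence so the account can be routed to the call-back verification the
advisory recommends. Event types and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, event type, detail)
SAMPLE_EVENTS = [
    ("2024-04-01T09:02:00", "j.doe", "HELPDESK_PASSWORD_RESET", "ticket=T-1001"),
    ("2024-04-01T09:15:00", "j.doe", "MFA_DEVICE_ENROLLED", "phone=+1-555-0101"),
    ("2024-04-01T11:45:00", "j.doe", "PAYMENT_INSTRUCTION_CHANGED", "vendor=V-77"),
    ("2024-04-01T10:00:00", "a.smith", "MFA_DEVICE_ENROLLED", "phone=+1-555-0199"),
    ("2024-04-02T14:00:00", "b.lee", "HELPDESK_PASSWORD_RESET", "ticket=T-1020"),
    ("2024-04-03T16:30:00", "b.lee", "MFA_DEVICE_ENROLLED", "phone=+1-555-0150"),
]

RESET_TO_ENROLL = timedelta(hours=24)   # assumed correlation window
ENROLL_TO_PAYMENT = timedelta(days=7)   # assumed follow-on window


def find_reset_then_enroll(events, window=RESET_TO_ENROLL):
    """Return (account, reset_ts, enroll_ts) for every MFA device enrollment
    that follows a help-desk password reset on the same account within `window`."""
    resets = defaultdict(list)
    for ts, acct, etype, _ in events:
        if etype == "HELPDESK_PASSWORD_RESET":
            resets[acct].append(datetime.fromisoformat(ts))
    hits = []
    for ts, acct, etype, _ in events:
        if etype != "MFA_DEVICE_ENROLLED":
            continue
        enroll_ts = datetime.fromisoformat(ts)
        for reset_ts in resets.get(acct, []):
            if timedelta(0) <= enroll_ts - reset_ts <= window:
                hits.append((acct, reset_ts, enroll_ts))
    return hits


def triage(events, window=RESET_TO_ENROLL, follow_on=ENROLL_TO_PAYMENT):
    """Return (account, severity): 'review' means call back the number on record
    and confirm with the supervisor; 'high' means a payment instruction was
    also changed after the new device was enrolled."""
    results = []
    for acct, _reset_ts, enroll_ts in find_reset_then_enroll(events, window):
        severity = "review"
        for ts, a, etype, _ in events:
            if a == acct and etype == "PAYMENT_INSTRUCTION_CHANGED":
                t = datetime.fromisoformat(ts)
                if enroll_ts <= t <= enroll_ts + follow_on:
                    severity = "high"
        results.append((acct, severity))
    return results
```

In the sample data only j.doe is flagged: a.smith enrolled a device with no preceding reset, and b.lee's enrollment falls outside the 24-hour window.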
The AHA strongly recommends a proactive post-incident approach, emphasizing prompt notification of financial institutions and the FBI, particularly within the 72-hour window following any payment diversion. Immediate reporting is necessary for recovering diverted payments and mitigating financial impacts. This collaborative effort among healthcare entities, financial institutions, and law enforcement is key to disrupting threat actors’ activities. Advances in social engineering schemes require continuous vigilance in the healthcare sector, prompting organizations to adapt and strengthen their cybersecurity measures against evolving adversary tactics. Establishing incident response plans, conducting regular drills, and refining strategies based on emerging threat intelligence are important components of a proactive cybersecurity posture, enabling quick identification and containment of threats.