Healthcare Organizations Must Brace for Cyber Threats on Fourth of July, as FBI and HHS Warn Against Social Engineering Schemes

Advisory issued by FBI and HHS warns of cyberthreat actors targeting health care for theft of payments

As the Fourth of July holiday approaches, healthcare organizations should be on high alert for cyber threats, because cyber adversaries tend to target these organizations more aggressively during holidays, according to a recent advisory issued by the FBI and the Department of Health and Human Services (HHS) on June 24. The advisory cautioned against cyberthreat actors attempting to steal payments from healthcare organizations through social engineering schemes such as phishing.

One common tactic used by threat actors is phishing, where they gain access to employees’ email accounts and then target login information related to processing reimbursement payments to insurance companies, Medicare, or similar entities. In some cases, threat actors have even posed as employees calling an organization’s IT help desk to trigger a password reset for an employee’s account.

To reduce the likelihood of these attacks impacting organizations, HHS has recommended mitigation efforts such as conducting social engineering tests on help desk functions and implementing multi-person authentication for any changes to payment instructions at the organizational level. Payers should also be informed of these requirements.

The American Hospital Association (AHA) was first alerted to this type of scheme in January, and HHS issued a similar advisory in April. John Riggi, AHA’s national advisor for cybersecurity and risk, emphasized the serious nature of these social engineering schemes that utilize stolen employee information for password resets and enrolling new devices for multi-factor authentication codes. He advised healthcare organizations to maintain vigilance and ensure staff are aware of cyber threats during the holiday season.

For more information on cyber and risk issues, contact John Riggi at jriggi@aha.org or visit www.aha.org/cybersecurity for the latest information and resources on cyber and risk threats.
