FBI Advisory Warns of Cybercriminals Targeting Healthcare Payment Processors
The FBI has released yet another advisory warning the healthcare industry to be on high alert against cybercrime. In the advisory, the FBI warns that cybercriminals are using Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information and websites. It is reported that millions of dollars have been stolen after attackers gained access to customer accounts and redirected payments.
With the login credentials for healthcare payment processors they acquire, the cybercriminals divert payments to bank accounts under their control.
In February 2022, a malicious actor gained access to accounts at a major healthcare company and managed to change direct deposit banking information from the hospital, to their own checking account. This attack resulted in a loss of $3.1 million. In the same month, a different cybercriminal used the same method to steal almost $700,000 in a separate incident.
Two months later, a healthcare company with over 175 medical providers discovered that a cybercriminal masquerading as an employee had also implemented a plan that redirected funds, which led to the theft of $840,000 across two discovered transactions.
This is not a new threat. The FBI reports that from June 2018 to January 2019, cybercriminals broke into at least 65 healthcare payment processors across the US and replaced legitimate customer banking and contact information with accounts controlled by the criminals. One victim of these attacks reported losing $1.5 million as a result.
Some red flags that might signal that a healthcare organization has been targeted include:
Targeted phishing emails, in particular those targeting the financial departments of healthcare payment processors
Social engineering attempts to obtain access to internal files and payment portals.
Unwarranted changes in email exchange server configuration and custom rules for specific accounts
Requests for employees to reset both passwords and 2FA phone numbers within a short timeframe.
Employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.
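Several of these red flags (a password reset and 2FA phone change on the same account within a short window, new mail rules on specific accounts, and repeated failed password recovery attempts) can be checked mechanically against identity and mail audit logs. The following is an added example, not code from the advisory or from Tripwire; the event names, the sample events and the one-hour window are constructed assumptions and would need mapping to a real provider's audit log schema.

```python
from datetime import datetime, timedelta

# Constructed sample of identity/mail audit events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2022-02-01T09:02:00", "user": "ap.clerk", "action": "PasswordReset"},
    {"ts": "2022-02-01T09:25:00", "user": "ap.clerk", "action": "MfaPhoneChanged"},
    {"ts": "2022-02-01T09:40:00", "user": "ap.clerk", "action": "InboxRuleCreated",
     "detail": "forward-to-external"},
    {"ts": "2022-02-01T11:00:00", "user": "payroll.lead", "action": "PasswordRecoveryFailed"},
    {"ts": "2022-02-01T11:01:00", "user": "payroll.lead", "action": "PasswordRecoveryFailed"},
    {"ts": "2022-02-01T11:03:00", "user": "payroll.lead", "action": "PasswordRecoveryFailed"},
    {"ts": "2022-02-03T14:00:00", "user": "it.admin", "action": "PasswordReset"},
    {"ts": "2022-02-05T10:00:00", "user": "it.admin", "action": "MfaPhoneChanged"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_takeover_signals(events, window=timedelta(hours=1), failed_threshold=3):
    """Return {user: [signal, ...]} for accounts showing the advisory's red flags."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user.setdefault(e["user"], []).append(e)
    findings = {}
    for user, evs in by_user.items():
        signals = []
        resets = [_parse(e["ts"]) for e in evs if e["action"] == "PasswordReset"]
        mfa = [_parse(e["ts"]) for e in evs if e["action"] == "MfaPhoneChanged"]
        # Red flag: password reset and 2FA phone change on one account within the window.
        if any(abs(m - r) <= window for r in resets for m in mfa):
            signals.append("password_and_mfa_reset_within_window")
        # Red flag: new mailbox rule, especially one forwarding mail outside the org.
        for e in evs:
            if e["action"] == "InboxRuleCreated":
                signals.append(f"mailbox_rule:{e.get('detail', 'unknown')}")
        # Red flag: burst of failed recovery attempts (the real owner may be locked out).
        failed = [_parse(e["ts"]) for e in evs if e["action"] == "PasswordRecoveryFailed"]
        for i in range(len(failed) - failed_threshold + 1):
            if failed[i + failed_threshold - 1] - failed[i] <= window:
                signals.append("repeated_failed_password_recovery")
                break
        if signals:
            findings[user] = signals
    return findings


if __name__ == "__main__":
    for user, sig in find_takeover_signals(SAMPLE_EVENTS).items():
        print(user, sig)
```

Each flagged account is a lead for the finance and security teams to verify through established channels, not a confirmed compromise.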
The FBI's advice is:
Ensure that anti-virus and other security software is kept updated and configured appropriately.
Check regularly that your network security is compliant with standards and regulations. Perform vulnerability scans and penetration tests to help with this.
Train staff on how to identify and report phishing and social engineering attacks. Consider options to hamper the success rate of phishing attacks, such as multi-factor authentication. Have employees report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets within a short timeframe for investigation.
Advise staff to be cautious about revealing sensitive information (such as login credentials) over the phone or via the web.
Write an incident response plan, in accordance with HIPAA privacy and security rules.
Mitigate against vulnerabilities which may be related to third-party vendors, review and understand vendors’ risk thresholds and what may constitute a breach of service, and alert employees when a communication originates from outside the organization.
Put company policies in place which require that any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors be properly verified. Any direct request for account actions needs to be verified through the appropriate, previously established channels before the request is sanctioned.
Ensure all passwords are strong, unique passphrases that are not reused anywhere else.
In the wake of any possible system or network compromise, implement mandatory passphrase changes for all affected accounts.
Apply patches in a timely fashion.
Story via Tripwire