AHA Warns of Attacks Targeting Hospital IT Help Desks

Hospital IT help desks have been the target of sophisticated social engineering schemes designed to enable payment fraud, according to a warning issued by the American Hospital Association (AHA).

In the social engineering attack, the threat actors call an IT help desk and use stolen credentials from employees in financial roles to answer security questions. They then request a password reset and attempt to enroll a new device, such as a cell phone, to receive multi-factor authentication codes. The cell phones used in these scams often have local area codes. Once the hacker’s device is enrolled, the hacker can receive multi-factor authentication (MFA) notifications, defeating “phishing-resistant” MFA efforts. The info in the MFA notification is used to access employee email accounts and other applications. The attackers have reportedly used the compromised employee’s email account to change payment instructions with payment processors and divert legitimate payments to fraudulent U.S. bank accounts. It’s believed the attacks are foreign-based and the money is eventually moved out of the U.S.

Organizations that fall victim to any type of payment diversion scheme should immediately notify their financial institution and the FBI at www.ic3.gov, which can help recover the diverted payments if notification is made within 72 hours.

Defense Strategies

Some strategies the AHA highlighted for defending against attacks targeting hospital IT help desks include:

  • Before granting any password reset or device enrollment requests, require the help desk to call the requesting employee at the number they have on record
  • Require the requesting employee to appear at the help desk in person
  • Contact the supervisor of the requesting employee
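The attack sequence described above (security-question answers, then a password reset, then enrollment of a new MFA device) and the three verification controls the AHA recommends both lend themselves to a worked example. The following Python is an added example and is not code from the AHA advisory or from CompliancePoint. It implements a help-desk gate that refuses a reset or device enrollment unless one of the three out-of-band checks (callback to the number on record, in-person verification, or supervisor confirmation) has actually been completed, and a detector that flags the reset-followed-by-enrollment pattern in identity-provider audit events. The directory, phone numbers, usernames, ticket ids and audit events are all constructed for the example.

```python
"""
Added example (not from the AHA advisory or CompliancePoint): a help-desk
verification gate for password-reset / MFA-device-enrollment requests, plus a
detector for the reset-then-enroll pattern in identity-provider audit events.
All records, roles, phone numbers and events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed HR directory. The number on record is the only number the help
# desk may call back; a number offered by the caller is never used for that.
DIRECTORY = {
    "jdoe":   {"role": "accounts_payable", "phone_on_record": "+1-555-0100", "supervisor": "mlee"},
    "mlee":   {"role": "finance_director", "phone_on_record": "+1-555-0101", "supervisor": "ceo"},
    "rsmith": {"role": "nursing",          "phone_on_record": "+1-555-0102", "supervisor": "hpatel"},
}

SENSITIVE_ACTIONS = {"password_reset", "mfa_device_enroll"}


@dataclass
class HelpDeskRequest:
    employee: str
    actions: set
    caller_phone: str                   # number the caller is dialling from / offers
    answered_security_questions: bool   # knowledge-based answers prove very little
    callback_number_used: Optional[str] = None   # number the agent actually dialled
    callback_confirmed: bool = False
    in_person_id_checked: bool = False
    supervisor_confirmed_by: Optional[str] = None


def evaluate_request(req: HelpDeskRequest):
    """Return (approved, reason). Security-question answers alone never unlock a
    reset or a device enrollment; one of the three out-of-band checks must have
    been completed, and a callback only counts if it went to the number on record."""
    record = DIRECTORY.get(req.employee)
    if record is None:
        return False, "unknown employee"
    if not (req.actions & SENSITIVE_ACTIONS):
        return True, "no sensitive action requested"
    if req.in_person_id_checked:
        return True, "verified in person"
    if req.supervisor_confirmed_by == record["supervisor"]:
        return True, "verified by supervisor of record"
    if req.callback_confirmed and req.callback_number_used == record["phone_on_record"]:
        return True, "verified by callback to number on record"
    if req.callback_confirmed:
        # The agent called a number the caller supplied: that proves nothing.
        return False, "callback went to caller-supplied number, not the number on record"
    return False, "security questions alone are insufficient; out-of-band verification required"


# ---- Detection side: password reset followed by a new MFA device on the same account ----

@dataclass
class AuditEvent:
    ts: datetime
    user: str
    event: str      # e.g. "password_reset", "mfa_device_enroll"
    detail: str = ""


def find_reset_then_enroll(events, window=timedelta(hours=24)):
    """Flag accounts where a password reset is followed by an MFA device
    enrollment within `window`. Finance-role accounts are tagged high severity
    because that is the population the advisory describes as targeted."""
    findings = []
    last_reset = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "password_reset":
            last_reset[e.user] = e.ts
        elif e.event == "mfa_device_enroll" and e.user in last_reset:
            if e.ts - last_reset[e.user] <= window:
                role = DIRECTORY.get(e.user, {}).get("role", "unknown")
                sev = "high" if role.startswith(("accounts", "finance")) else "medium"
                findings.append({"user": e.user, "severity": sev,
                                 "reset_at": last_reset[e.user], "enroll_at": e.ts,
                                 "device": e.detail})
    return findings


# Constructed sample audit log
T0 = datetime(2024, 4, 1, 9, 0)
SAMPLE_EVENTS = [
    AuditEvent(T0, "jdoe", "password_reset", "helpdesk ticket 1001"),
    AuditEvent(T0 + timedelta(minutes=7), "jdoe", "mfa_device_enroll", "new phone, local area code"),
    AuditEvent(T0 + timedelta(hours=1), "rsmith", "mfa_device_enroll", "replacement phone"),
    AuditEvent(T0 + timedelta(days=3), "mlee", "password_reset", "self-service"),
]

if __name__ == "__main__":
    # A caller who answered the questions and had the agent call back the
    # number the caller gave: still denied, because that number is not on record.
    caller = HelpDeskRequest("jdoe", {"password_reset", "mfa_device_enroll"},
                             caller_phone="+1-555-0199", answered_security_questions=True,
                             callback_number_used="+1-555-0199", callback_confirmed=True)
    print(evaluate_request(caller))
    for finding in find_reset_then_enroll(SAMPLE_EVENTS):
        print(finding)
```

The gate deliberately treats a confirmed callback to a caller-supplied number as a failure rather than a weaker success: the whole value of the callback control is that the number comes from the HR record, not from the person on the line. The detector is intentionally simple; in a real identity provider the reset and enrollment events would carry the help-desk ticket or actor id, which would let the alert be joined back to the request that approved it.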

Employee Phishing Training

To prevent attacks targeting hospital IT help desks like these, employees must know how to protect their credentials. Require your entire staff to undergo cybersecurity training that includes information on spotting phishing attempts. Your employees need to be on the lookout for emails that contain:

  • A sending e-mail address that doesn’t match the company it claims to come from
  • Suspicious hyperlinks or attachments
  • An offer that’s too good to be true
  • Language that’s urgent, alarming, or threatening
  • Poorly written text that includes misspellings and bad grammar
  • Greetings that are ambiguous or very generic
  • Requests to send personal information
  • Strange or abrupt business requests

CompliancePoint offers a suite of cybersecurity services designed for healthcare organizations. We can help your organization design and implement an effective cybersecurity program, obtain a HITRUST certification, and achieve HIPAA compliance. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.