In a recently published advisory targeting the health care payment industry, the FBI warns that cybercriminals are using a cocktail of publicly available personally identifiable information (PII) and social engineering techniques to impersonate victims and gain access to files, healthcare portals, payment information and websites.
Millions of dollars have been stolen from health care companies after fraudsters gained access to customer accounts and redirected payments.
Using compromised login credentials for healthcare payment processors, the criminals divert payments to bank accounts under their own control.
As the FBI describes, in February 2022 a malicious hacker who gained access to the accounts of a major health care company succeeded in changing a hospital's direct deposit bank information to the criminal's own account, resulting in a loss of $3.1 million. In the same month, another cybercriminal used the same method to steal approximately $700,000 in a separate incident.
Then, two months later, a healthcare company with more than 175 medical providers discovered that a cybercriminal posing as an employee had changed payment instructions to redirect funds, successfully stealing $840,000 in two transactions before being caught.
And the threat is clearly not new. From June 2018 to January 2019, the FBI reports, cybercriminals broke into at least 65 health care payment processors in the United States and replaced the banking and contact information of legitimate customers with accounts controlled by the criminals. One victim reported losing approximately $1.5 million as a result.
Telltale signs that a healthcare organization may be under attack include:
- Targeted phishing emails, particularly those directed at the financial departments of healthcare payment processors.
- Social engineering attempts to gain access to internal files and payment portals.
- Unexplained changes to email exchange server settings and custom rules for specific accounts.
- Employees requesting resets of both their passwords and their 2FA phone numbers within a short time frame.
- Employees reporting that they are unable to access payment processor accounts because of failed password recovery attempts.
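Several of these indicators are only visible when identity and mailbox audit events are correlated: a password reset on its own is routine, but a reset followed by a 2FA phone-number change on the same account within hours, or a new inbox rule that silently forwards and deletes mail, is the pattern behind the account takeovers described above. The following Python is an added example, not part of the FBI advisory or the original article, showing that correlation over a handful of constructed audit events. The event schema, the organisation's mail domain (`example-hospital.test`) and the 24-hour window are assumptions for illustration; real sources such as Entra ID, Exchange Online or Okta logs use different field names and would need to be mapped into this shape first.

```python
"""Correlate account-takeover indicators over identity and mailbox audit events.

Assumed (hypothetical) event schema, one JSON object per line:
  ts      ISO-8601 UTC timestamp
  user    account the event applies to
  action  PasswordReset | MfaPhoneChanged | InboxRuleCreated
  detail  free-form; for InboxRuleCreated, a dict describing the rule
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example-hospital.test"   # assumption: the organisation's own mail domain
RESET_WINDOW = timedelta(hours=24)     # assumed meaning of "a short time frame"

# Constructed sample events; not taken from any real tenant or incident.
SAMPLE_EVENTS = """\
{"ts": "2022-02-01T09:02:11Z", "user": "ap.clerk@example-hospital.test", "action": "PasswordReset", "actor": "self-service"}
{"ts": "2022-02-01T09:14:40Z", "user": "ap.clerk@example-hospital.test", "action": "MfaPhoneChanged", "actor": "self-service", "detail": "+1 555 0100"}
{"ts": "2022-02-01T09:20:05Z", "user": "ap.clerk@example-hospital.test", "action": "InboxRuleCreated", "detail": {"name": ".", "forward_to": "ap.clerk.payments@mailhost.test", "delete": true}}
{"ts": "2022-02-02T13:00:00Z", "user": "nurse.b@example-hospital.test", "action": "PasswordReset", "actor": "helpdesk"}
{"ts": "2022-02-05T08:30:00Z", "user": "nurse.b@example-hospital.test", "action": "MfaPhoneChanged", "actor": "self-service", "detail": "+1 555 0199"}
{"ts": "2022-02-03T10:00:00Z", "user": "cfo@example-hospital.test", "action": "InboxRuleCreated", "detail": {"name": "Vendors", "move_to": "Vendors", "delete": false}}
"""


def parse_events(raw):
    """Parse JSON lines into dicts, converting 'ts' to a timezone-aware datetime,
    and return them sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_credential_takeover(events, window=RESET_WINDOW):
    """Flag accounts whose password reset and 2FA phone change fall within
    `window` of each other, in either order.  Events must be time-sorted.
    Returns a list of (user, earlier_ts, later_ts)."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] in ("PasswordReset", "MfaPhoneChanged"):
            by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if first["action"] != second["action"] and second["ts"] - first["ts"] <= window:
                    hits.append((user, first["ts"], second["ts"]))
    return hits


def find_suspicious_inbox_rules(events, org_domain=ORG_DOMAIN):
    """Flag newly created inbox rules that forward mail outside the organisation,
    delete messages, or carry a non-descriptive name (e.g. "." or a single letter).
    Returns a list of (user, reasons)."""
    hits = []
    for ev in events:
        if ev["action"] != "InboxRuleCreated":
            continue
        rule = ev.get("detail", {})
        reasons = []
        forward_to = rule.get("forward_to", "")
        if forward_to and not forward_to.lower().endswith("@" + org_domain):
            reasons.append("forwards to external address " + forward_to)
        if rule.get("delete"):
            reasons.append("deletes messages")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("non-descriptive rule name")
        if reasons:
            hits.append((ev["user"], reasons))
    return hits


def triage(raw=SAMPLE_EVENTS):
    """Run both detections over JSON-lines audit data and return the flagged users."""
    events = parse_events(raw)
    takeover = find_credential_takeover(events)
    rules = find_suspicious_inbox_rules(events)
    return {
        "credential_takeover": sorted({user for user, _, _ in takeover}),
        "suspicious_inbox_rules": sorted({user for user, _ in rules}),
    }


if __name__ == "__main__":
    for kind, users in triage().items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

In the sample data only `ap.clerk` is flagged by both detections: the reset-plus-2FA-change pair falls 12 minutes apart and the new rule forwards to an outside mail host and deletes the originals, while `nurse.b`'s reset and phone change are almost three days apart and the CFO's rule merely files vendor mail. Widening the window (or adding a rule for help-desk-initiated resets followed by self-service 2FA changes) is a tuning decision each organisation makes against its own false-positive rate.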
The FBI's advice for organizations under attack will be familiar to anyone responsible for defending companies outside the healthcare industry, but it bears repeating:
- Make sure your antivirus and other security software is kept up to date and properly configured.
- Regularly verify that your network security complies with applicable standards and regulations. Run vulnerability scans and penetration tests to help with this.
- Train staff on how to identify and report phishing and social engineering attacks. Consider options that reduce the success rate of phishing attacks, such as multi-factor authentication. Have employees report suspicious emails, changes to email exchange server settings, denied password recovery attempts, and password resets within a short time frame for investigation.
- Advise staff to be careful when disclosing sensitive information (such as login credentials) over the phone or via the web.
- Write an incident response plan, in accordance with HIPAA privacy and security rules.
- Mitigate vulnerabilities that may be related to third-party vendors, review and understand vendor risk thresholds and what may constitute a service violation, and alert employees when a communication originates outside the organization.
- Implement company policies that require any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors to be properly verified. Any direct request for account actions must be verified through the appropriate pre-established channels before the request is sanctioned.
- Make sure all passwords are strong, unique passphrases that are not reused anywhere else.
- Following any potential system or network compromise, enforce mandatory passphrase changes for all affected accounts.
- Apply patches in a timely manner.
– FBI warns of criminals attacking healthcare payment processors