RISKS

What happened

On September 14, 2022, the Federal Bureau of Investigation (FBI) issued an alert about hackers targeting healthcare payment processors to route payments to attacker-owned bank accounts.

While this type of cybercrime is not new, the federal agency is warning of an increase in this type of attack, which has already cost healthcare companies $4.6 million this year alone.

The FBI says in February 2022, two separate cyberattacks were carried out by obtaining credentials from a “major healthcare company” and changing direct deposit banking information to route payments to an attacker-owned consumer checking account. The first incident resulted in a loss of $3.1 million. The second incident, from a different cybercriminal, resulted in a loss of approximately $700,000.

In April 2022, a cybercriminal was able to pose as an employee and change the Automated Clearing House (ACH) instructions of one of their processing vendors, resulting in two transactions that diverted approximately $840,000 before discovery.

The FBI says from June 2018 to January 2019, “cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals. The cyber criminals used a combination of publicly available PII and phishing schemes to gain access to customer accounts. Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method.”

Cyber criminals can gain access to compromised employee credentials through a multitude of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.

In its alert, the FBI listed potential indicators of cyber criminals attempting to gain access to employee user accounts:

  • Phishing emails, specifically targeting financial departments of healthcare payment processors.
  • Suspected social engineering attempts to obtain access to internal files and payment portals.
  • Unwarranted changes in email exchange server configuration and custom rules for specific accounts.
  • Requests for employees to reset both passwords and 2FA phone numbers within a short timeframe.
  • Employees reporting that they are locked out of payment processor accounts due to failed password recovery attempts.

 

Why is this important?

Users are the weakest link when it comes to cybersecurity and it only takes one user to put your system at risk.

 

What does this mean to me?

Normally, we write our own recommendations for mitigating the risks, but, this time, the FBI did it for us. Their recommendations included:

  • Ensure anti-virus and anti-malware is enabled and security protocols are updated regularly and in a timely manner. Well-maintained anti-virus and anti-malware software may prevent commonly used attacker tools.
  • Conduct regular network security assessments to stay up to date on compliance standards and regulations. These should include performing penetration tests and vulnerability scans to ensure the knowledge and level of current system and security protocols.
  • Implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts. As budget constraints allow, consider options in authentication or barrier layers to decrease or eliminate the viability of phishing.
  • Advise all employees to exercise caution while revealing sensitive information such as login credentials through phone or web communications. Employees should conduct requests for sensitive information through approved secondary channels.
  • Use multi-factor authentication (MFA) for all accounts and login credentials to the extent possible. Viable choices such as hard tokens allow access to software and verify identity with a physical device instead of authentication codes or passwords.
  • Update or draft an incident response plan (IRP), in accordance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
  • Mitigate vulnerabilities related to third-party vendors. Outside communication exchanges should contain email banners to alert employees of communications originating outside of the organization. Review and understand the vendor’s risk threshold and what comprises a breach of service.
  • Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
  • Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations. Any direct request for account actions needs to be verified through the appropriate, previously established channels before a request is sanctioned.
  • Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets including 2FA phone numbers within a short timeframe to IT and security departments for investigation.
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passphrases. Passphrases should not be reused across multiple accounts or stored on the system where an adversary may have access. (Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account.)
  • If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
  • Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
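
The indicator of a password reset and a 2FA phone number change "within a short timeframe", and the recommendation to verify bank-detail changes, can be turned into a simple correlation over account audit events. The sketch below is an added example, not code from the FBI alert or from HALOCK; the event names, account names, sample events, the 24-hour window and the 7-day hold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumption: the alert says "short timeframe", no number
HOLD = timedelta(days=7)      # assumption: how long a flagged account stays under review

# Constructed audit events (not real data): (timestamp, account, action)
SAMPLE_EVENTS = [
    ("2022-02-03T09:02:00", "ap.clerk1", "password_recovery_failed"),
    ("2022-02-03T09:05:00", "ap.clerk1", "password_reset"),
    ("2022-02-03T09:20:00", "ap.clerk1", "mfa_phone_change"),
    ("2022-02-03T10:10:00", "ap.clerk1", "bank_details_change"),
    ("2022-02-01T08:00:00", "ap.clerk2", "password_reset"),
    ("2022-02-09T14:00:00", "ap.clerk2", "mfa_phone_change"),
    ("2022-02-09T15:00:00", "ap.clerk2", "bank_details_change"),
    ("2022-02-04T11:00:00", "hr.admin", "password_reset"),
]
PAIR = {"password_reset": "mfa_phone_change", "mfa_phone_change": "password_reset"}

def parse(events):
    """Convert timestamps and order events chronologically."""
    return sorted((datetime.fromisoformat(ts), acct, act) for ts, acct, act in events)

def flag_recoveries(events, window=WINDOW):
    """Map account -> time at which a password reset and a 2FA phone change
    were both seen within `window` of each other, in either order."""
    last, flagged = {}, {}
    for when, acct, action in parse(events):
        if action not in PAIR:
            continue
        other = last.get((acct, PAIR[action]))
        if other is not None and when - other <= window:
            flagged.setdefault(acct, when)  # keep the first time the pair completed
        last[(acct, action)] = when
    return flagged

def payment_changes_to_hold(events, window=WINDOW, hold=HOLD):
    """Bank-detail changes made within `hold` after a flagged recovery; these
    go to out-of-band verification before any payment is released."""
    flagged = flag_recoveries(events, window)
    return [(acct, when.isoformat()) for when, acct, action in parse(events)
            if action == "bank_details_change" and acct in flagged
            and timedelta(0) <= when - flagged[acct] <= hold]

if __name__ == "__main__":
    print(flag_recoveries(SAMPLE_EVENTS))
    print(payment_changes_to_hold(SAMPLE_EVENTS))
```

Every bank-detail change still needs verification through an established channel under the policy above; this list only marks the changes that follow a flagged account recovery and deserve the fastest attention.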

 

 

APPROACHES

Helpful Controls

 

Commonality of attack

High

 

Article on story

FBI: Hackers steal millions from healthcare payment processors

 

 
