
Cybercriminals Target Healthcare Billing



The Federal Bureau of Investigation (FBI) has issued two cybersecurity alerts to the healthcare industry in the last two weeks. The bureau first warned about the risks to patients posed by unpatched and legacy medical devices. Cyber attackers exploit medical device vulnerabilities and adversely impact a facility’s operational functions, patient safety, data confidentiality, and data integrity. These vulnerabilities predominantly stem from outdated device hardware and software. The newest alert warns that cybercriminals are using patient information to redirect healthcare billing, payment, and refunds away from the intended recipients into their own accounts. 

These reports follow several other recent alerts by the FBI, including:

Millions Stolen From Healthcare Payment 

In April this year, cybercriminals changed Automated Clearing House (ACH) instructions to divert payments from their intended destination into their own accounts. A cybercriminal, posing as an employee of the healthcare organization, changed the healthcare payment instructions away from the organization’s payment processing supplier. The criminals redirected $840,000 into other accounts before staff noticed and corrected the problem.

The FBI noted that in another incident, the attackers were able to redirect $3.1 million in healthcare payments meant for the victims into their accounts by changing the direct deposit information. 

Cybercriminals Target Healthcare Billing 

The FBI said that the criminals use various techniques, including phishing and social engineering, to trick support staff and gain access to user accounts. Phishing is a form of social engineering in which an attacker sends a fraudulent message designed to convince the recipient to reveal sensitive information. When phishing succeeds, the attacker may go on to deploy malicious software against the recipient’s computer or, more often, the company’s infrastructure. In these cases, a single employee’s lack of awareness can set off a cascade of distressing and expensive damage. Social engineering more broadly is the practice of orchestrating and exploiting human error: criminals convince or trap people into revealing information, granting access to data, or spreading malware.

The FBI pointed out several indicators of compromise that could point to a problem. One is phishing emails alerting the recipient to an invented problem, designed to convince the recipient to respond; such messages should be reported rather than acted upon. The FBI warns that organizations should be especially wary of messages that involve the financial departments of healthcare billing processing companies. It also said that these cybercrimes are so successful that healthcare payment processors are likely to continue being targeted.

Ensuring Cyber Safety in Healthcare Payment Processing

Healthcare payment processing organizations should be alert to reports of failed access to payment processing. Access complaints should be flagged and investigated, since they can uncover unexpected changes to email server configurations. Another suspicious activity to monitor is multiple requests for password changes.
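The three indicators above (repeated password change requests, unexpected mail configuration changes, and failed access to payment processing) are straightforward to correlate per account from an audit log. The following is an added example, not code from the article or the FBI alert: the log format, event names, one-hour window and threshold of three reset requests are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Added example: flag the indicators named in the alert over constructed audit-log lines.

The log format below (ISO timestamp, user, event name, free-text detail) is a
hypothetical one chosen for this example, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one account shows repeated password reset requests,
# a new mail forwarding rule, and failed logins to the payment portal.
SAMPLE_LOG = """\
2022-06-01T09:02:11 jsmith password_reset_request self-service portal
2022-06-01T09:05:40 jsmith password_reset_request self-service portal
2022-06-01T09:09:02 jsmith password_reset_request helpdesk phone call
2022-06-01T09:31:15 jsmith mail_rule_created forward all mail to external address
2022-06-01T09:45:00 jsmith payment_portal_access_failed invalid credentials
2022-06-01T10:10:22 apatel password_reset_request self-service portal
2022-06-01T11:00:05 apatel login_success vpn
2022-06-02T08:15:30 jsmith payment_portal_access_failed account locked
"""

RESET_THRESHOLD = 3               # assumption: this many reset requests inside WINDOW is suspicious
WINDOW = timedelta(hours=1)       # assumption
MAIL_CONFIG_EVENTS = {"mail_rule_created", "mail_rule_modified", "mail_forwarding_changed"}
PAYMENT_ACCESS_FAILED = "payment_portal_access_failed"


def parse_log(text):
    """Parse lines into (timestamp, user, event, detail) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def find_indicators(events, threshold=RESET_THRESHOLD, window=WINDOW):
    """Return {user: [alert, ...]} for users showing any of the three indicators."""
    by_user = defaultdict(list)
    for ev in sorted(events):              # chronological order per user
        by_user[ev[1]].append(ev)

    alerts = defaultdict(list)
    for user, evs in by_user.items():
        # Indicator 1: repeated password change requests in a short window
        resets = [ts for ts, _, event, _ in evs if event == "password_reset_request"]
        for i in range(len(resets) - threshold + 1):
            if resets[i + threshold - 1] - resets[i] <= window:
                alerts[user].append(
                    f"{threshold} password reset requests within {window}")
                break
        for ts, _, event, detail in evs:
            # Indicator 2: unexpected change to mail server / mailbox configuration
            if event in MAIL_CONFIG_EVENTS:
                alerts[user].append(f"mail configuration change at {ts.isoformat()}: {detail}")
            # Indicator 3: failed access to payment processing
            elif event == PAYMENT_ACCESS_FAILED:
                alerts[user].append(f"failed payment-portal access at {ts.isoformat()}: {detail}")
    return dict(alerts)


if __name__ == "__main__":
    for user, found in find_indicators(parse_log(SAMPLE_LOG)).items():
        print(user)
        for a in found:
            print("  -", a)
```

Run stand-alone, the script reports only `jsmith`, with four findings; `apatel`'s single reset request never crosses the threshold. The value of grouping per account is that a forwarding rule on its own is often benign, while a forwarding rule created shortly after a burst of reset requests on the same account is exactly the sequence that precedes a redirected payment.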

The FBI suggested the following:

  • All employees in the sector should receive training on security risks and prevention. 
  • Organizations should do regular cybersecurity audits and ensure that their virus protection is up to date. 
  • Companies must protect confidential and restricted information by setting up procedures that use approved channels, particularly for healthcare billing. All employees should know the risk of sharing sensitive information over the phone or the Internet. 
  • IT departments must respond quickly with patches when they discover vulnerabilities. This is the most cost-effective and efficient way to reduce cybersecurity threat exposure. 

Companies must understand the risks and strengthen policies related to healthcare billing and payment change requests. They are encouraged to increase vigilance and verification of changes to contact information, invoices, and other healthcare payment information.
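One way to turn "approved channels" and "verification of changes" into an enforceable rule is to gate every payment-destination change behind a check against what is already on file. The following is an added example written for this article, not the FBI's or any vendor's procedure: the payee records, email addresses, phone numbers and account identifiers are constructed, and the approved-channel list and the 30-day "recent contact change" threshold are assumptions.

```python
"""Added example: gate a payment-destination change request behind verification
through a pre-approved channel. All records, names and numbers are constructed;
the policy thresholds are assumptions for illustration, not FBI-prescribed values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PayeeRecord:
    """What the organization already holds on file for a payee (vendor or provider)."""
    payee_id: str
    bank_account: str
    contact_email: str
    callback_phone: str               # captured and verified at onboarding, never from a request
    days_since_contact_change: int    # how recently the contact details on file were edited


@dataclass(frozen=True)
class ChangeRequest:
    """An incoming request to redirect payments to a new account."""
    payee_id: str
    new_bank_account: str
    requester_email: str
    phone_listed_in_request: Optional[str]


@dataclass(frozen=True)
class Verification:
    """How staff confirmed the request: channel used, number dialed (if any), outcome."""
    channel: str                      # "callback", "portal", "email_reply", ...
    number_dialed: Optional[str]
    confirmed: bool


APPROVED_CHANNELS = {"callback", "portal"}   # assumption: channels the policy accepts
RECENT_CONTACT_CHANGE_DAYS = 30              # assumption: treat recent edits as a risk factor


def evaluate_change_request(req: ChangeRequest, record: PayeeRecord,
                            verification: Optional[Verification]) -> Tuple[str, List[str]]:
    """Return ("approve", []) or ("hold", [reasons]) for a payment-destination change."""
    holds: List[str] = []
    if req.payee_id != record.payee_id:
        holds.append("request does not match the payee record")
    if req.requester_email.lower() != record.contact_email.lower():
        holds.append("request came from an address other than the contact on file")
    if record.days_since_contact_change < RECENT_CONTACT_CHANGE_DAYS:
        holds.append("contact details on file changed recently; re-verify them first")
    if verification is None or not verification.confirmed:
        holds.append("no confirmed verification through an approved channel")
    elif verification.channel not in APPROVED_CHANNELS:
        holds.append(f"'{verification.channel}' is not an approved verification channel")
    elif verification.channel == "callback" and verification.number_dialed != record.callback_phone:
        # Calling a number supplied in the request only confirms the requester, not the payee.
        holds.append("callback went to a number not on file for this payee")
    return ("approve", []) if not holds else ("hold", holds)


# Constructed sample data
ON_FILE = PayeeRecord("PAYEE-0042", "ACCT-111222", "ap@medbilling.example",
                      "+1-555-0100", days_since_contact_change=400)
LOOKALIKE_REQUEST = ChangeRequest("PAYEE-0042", "ACCT-999888",
                                  "ap@medbiling.example",       # lookalike domain
                                  phone_listed_in_request="+1-555-0199")
GENUINE_REQUEST = ChangeRequest("PAYEE-0042", "ACCT-333444",
                                "ap@medbilling.example", phone_listed_in_request=None)


if __name__ == "__main__":
    for label, req, ver in [
        ("email reply only", LOOKALIKE_REQUEST, Verification("email_reply", None, True)),
        ("callback to number in request", LOOKALIKE_REQUEST,
         Verification("callback", LOOKALIKE_REQUEST.phone_listed_in_request, True)),
        ("callback to number on file", GENUINE_REQUEST, Verification("callback", "+1-555-0100", True)),
    ]:
        print(label, "->", evaluate_change_request(req, ON_FILE, ver))
```

The design point is that the verification contact must come from the record, not from the request: a callback to the phone number printed in a fraudulent email, or a reply to that email, only confirms the fraudster. Every hold reason is returned rather than just a boolean so that the accounts-payable reviewer sees why the change was stopped.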
