Advisory issued by FBI and HHS warns of cyberthreat actors targeting health care for theft of payments

The FBI and Department of Health and Human Services issued an advisory on June 24 regarding cyberthreat actors targeting healthcare organizations in an attempt to steal payments. These agencies have recommended mitigation efforts to help reduce the likelihood of these attacks impacting organizations. One common tactic used by threat actors is phishing, where they gain access to employees’ email accounts and then target login information related to processing reimbursement payments to insurance companies, Medicare, or similar entities. In some cases, threat actors have even posed as employees calling an organization’s IT help desk to trigger a password reset for an employee’s account.

The American Hospital Association (AHA) was first alerted to this type of scheme in January, and HHS issued a similar advisory in April. John Riggi, AHA’s national advisor for cybersecurity and risk, emphasized the serious nature of these social engineering schemes that utilize stolen employee information for password resets and enrolling new devices for multi-factor authentication codes. In addition to the recommended mitigations, healthcare organizations are advised to conduct social engineering tests on their help desk functions and implement multi-person authentication for any changes to payment instructions at the organizational level. Payers should also be informed of these requirements.

As the Fourth of July holiday approaches, it is important to be aware that cyber adversaries tend to target healthcare organizations more aggressively during holidays. Maintaining vigilance and ensuring staff are aware of cyber threats is essential for a safe holiday season. For more information on cyber and risk issues, you can contact John Riggi at jriggi@aha.org. You can also visit www.aha.org/cybersecurity for the latest information and resources on cyber and risk threats.