
Latest Cyberattacks Target Revenue Cycle, Financial Employees

Analysis | By Jasmyne Ray | January 26, 2024

As organizations level up their technology, hackers are leveling up their tactics – with a new target.

The American Hospital Association released a statement about a social engineering scheme where hackers pose as IT help desk personnel to steal information from revenue cycle workers or those in “sensitive financial roles.”

According to AHA, the threat actors will call IT help desks and use the “stolen personally identifiable information” of an employee to answer security questions. Hackers will then request a password reset and enroll a device, like a cell phone, into multi-factor authentication.

The cell phone will typically have a local area code, allowing the hacker to bypass pre-existing multi-factor authentication to access the email and applications of the employee they’re impersonating.

Ransomware attacks have been the most common cyberattack, putting patient care for entire health systems at risk. In 2020, Oregon’s Sky Lakes Medical Center was forced to shut down all operations after a ransomware attack through a link an employee clicked in an email.

The medical center had to completely rebuild its network, director of information systems John Gaede previously told HealthLeaders.

“We had to build backups and test them first to make sure they were clean, then run the [main systems] through tests to validate that they can work,” he said. “We didn’t want to start something up, have it [integrate] with another system and have everything fall apart.”

According to John Riggi, AHA’s national advisor for cybersecurity and risk, one health system now requires employees to make password and multi-factor authentication enrollment requests in person after falling victim to a social engineering scheme.

“The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new devices,” Riggi said in a statement.

“Organizations may also want to contact the supervisor on record of the employee making such a request.”

Jasmyne Ray is the revenue cycle editor at HealthLeaders. 

