FBI Sounds Alarm on Cyber Attacks Against Healthcare Payment Processors

King & Spalding

On September 14, 2022, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (Notification) warning the healthcare industry about increasing cyber-attack activity against healthcare providers and payment processors. In the Notification, the FBI describes the escalation in attacks and the resulting monetary losses, and lists numerous recommendations for healthcare providers and payment processors to reduce the risk of compromise.

The Notification describes three incidents in 2022 in which cyber criminals obtained credentials to the systems of healthcare companies and used them to divert transactions totaling between $700,000 and $3,100,000. The Notification also states that at least 65 healthcare payment processors in the U.S. were targeted by cyber criminals in 2018-2019 in order to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals. The attacks involved a variety of methods and tools, including the use of publicly available information, phishing schemes, social engineering, changes to email exchange server configuration, and requests that employees reset both passwords and two-factor authentication (2FA) phone numbers within a short timeframe.

Based on the threat posed by these recent attacks, the FBI recommends the following mitigation measures, among others:

  • Ensure anti-virus and anti-malware software are enabled and regularly updated.
  • Conduct regular network security assessments.
  • Implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts.
  • Advise all employees to exercise caution while revealing sensitive information, such as login credentials, through phone or web communications.
  • Use multi-factor authentication for all accounts and login credentials.
  • Update or draft an incident response plan.
  • Mitigate vulnerabilities related to third-party vendors.
  • Verify and modify, as needed, contract renewals to include the inability to change both credentials and 2FA phone numbers within the same timeframe.
  • Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations.
  • Create protocols for employees to report privacy and security irregularities.
  • Require strong and unique passphrases.
  • Implement mandatory passphrase changes upon evidence of system or network compromise.
  • Apply timely patching.
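The pairing the Notification singles out, a password reset followed closely by a 2FA phone-number change, is easy to check for in an identity provider's audit log, both retrospectively (to find accounts that were likely taken over) and preventively (to refuse the second change while the first is still recent). The following Python is an added illustration of that check, not code from the FBI or from King & Spalding; the audit-log field names and event names (`password_reset`, `mfa_phone_change`, `bank_account_change`) and the 24-hour window are assumptions, and the sample events are constructed.

```python
"""Detect and block paired password-reset / 2FA-phone-number changes.

Added example, not part of the FBI Notification or this update. The log
schema, event names and the 24-hour window are assumptions; the sample
audit events below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed identity-provider audit events (UTC, ISO 8601 timestamps).
SAMPLE_EVENTS = [
    {"ts": "2022-09-01T09:02:00", "user": "ap.clerk", "event": "password_reset",      "actor": "helpdesk"},
    {"ts": "2022-09-01T09:40:00", "user": "ap.clerk", "event": "mfa_phone_change",    "actor": "helpdesk"},
    {"ts": "2022-09-01T10:15:00", "user": "ap.clerk", "event": "bank_account_change", "actor": "ap.clerk"},
    {"ts": "2022-09-02T08:00:00", "user": "nurse.j",  "event": "password_reset",      "actor": "self"},
    {"ts": "2022-09-05T14:30:00", "user": "nurse.j",  "event": "mfa_phone_change",    "actor": "self"},
]

# The two changes that must never happen together within the window.
PAIRED_EVENTS = {"password_reset", "mfa_phone_change"}
DEFAULT_WINDOW = timedelta(hours=24)


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def find_paired_resets(events, window=DEFAULT_WINDOW):
    """Retrospective detection.

    Returns (user, first_ts, second_ts) for every user whose password reset
    and MFA phone change occurred within `window` of each other, in either
    order. Other event types are ignored.
    """
    by_user = {}
    for e in events:
        if e["event"] in PAIRED_EVENTS:
            by_user.setdefault(e["user"], []).append((parse_ts(e["ts"]), e["event"]))

    hits = []
    for user, evs in by_user.items():
        evs.sort()  # chronological, so the inner loop can stop early
        for i in range(len(evs)):
            for j in range(i + 1, len(evs)):
                if evs[j][0] - evs[i][0] > window:
                    break
                if evs[i][1] != evs[j][1]:  # one of each kind, not two resets
                    hits.append((user, evs[i][0].isoformat(), evs[j][0].isoformat()))
    return hits


def allow_credential_change(events, user, requested_event, now, window=DEFAULT_WINDOW):
    """Preventive control for a help desk or self-service portal.

    Refuse `requested_event` (one half of the pair) when the other half was
    already applied to this user within `window` before `now`.
    """
    other = (PAIRED_EVENTS - {requested_event}).pop()
    for e in events:
        if e["user"] != user or e["event"] != other:
            continue
        age = now - parse_ts(e["ts"])
        if timedelta(0) <= age <= window:
            return False
    return True


def bank_changes_after_takeover(events, window=DEFAULT_WINDOW, follow=timedelta(hours=72)):
    """Higher-confidence signal: a banking-detail change shortly after a
    paired reset, which matches the diversion pattern the Notification
    describes. Returns (user, bank_change_ts) tuples."""
    flagged = []
    for user, _first, second in find_paired_resets(events, window):
        start = parse_ts(second)
        for e in events:
            if e["user"] == user and e["event"] == "bank_account_change":
                delta = parse_ts(e["ts"]) - start
                if timedelta(0) <= delta <= follow:
                    flagged.append((user, e["ts"]))
    return flagged


if __name__ == "__main__":
    print("paired resets:", find_paired_resets(SAMPLE_EVENTS))
    print("bank changes after takeover:", bank_changes_after_takeover(SAMPLE_EVENTS))
    print("allow ap.clerk MFA change at 09:40?",
          allow_credential_change(SAMPLE_EVENTS, "ap.clerk", "mfa_phone_change",
                                  datetime(2022, 9, 1, 9, 40)))
```

In the constructed data, `ap.clerk` has a help-desk password reset and an MFA phone change 38 minutes apart followed by a banking-detail change, so both detections fire and the preventive check would have refused the second change; `nurse.j` has the same two events more than three days apart and is not flagged. The preventive check is the form the Notification's contract recommendation takes in practice: the window should be agreed with the vendor or help desk and enforced by the identity provider rather than by policy alone.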

In addition to the above, healthcare providers should consider using mock phishing emails for training, conducting table-top exercises for leadership, engaging external vendors for risk assessments, and spreading awareness of the elevated threat.

The Notification is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
