The Federal Bureau of Investigation in September warned that it has received multiple reports of cybercriminals increasingly targeting health care payment processors to redirect payments to themselves. Typically, this involves a cybercriminal obtaining employees’ publicly-available personal identifiable information and other data to impersonate victims and gain access to files, health care portals, payment information, and websites to then redirect payments to the cybercriminal’s bank account.
“The FBI issues these warnings regularly, so it is not surprising,” said Paul Hales, a HIPAA compliance attorney based in St. Louis, Missouri. “The payment processor is to blame, but not solely. It is both. Medical practices must follow HIPAA rules for hiring payment processing business associates.”
From June 2018 to January 2019, cybercriminals targeted and accessed at least 65 health care payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cybercriminals, according to the FBI. One victim reported a loss of approximately $1.5 million.
In February 2022, a cybercriminal obtained credentials from a major health care company and changed direct deposit banking information from a hospital to a consumer checking account belonging to the cybercriminal, resulting in a $3.1 million loss. In April 2022, a health care company with more than 175 medical providers discovered that a cybercriminal posing as an employee had changed Automated Clearing House instructions of one of their payment processing vendors to direct payments to the cybercriminal rather than the intended providers.
Health care payment processors are HIPAA business associates and must comply with the HIPAA rules governing their interconnected relationship with medical practices and how each uses and discloses protected health information.
The FBI recommends all medical practices ensure antivirus software and anti-malware are enabled and security protocols are updated regularly. It also recommends conducting regular network security assessments to stay up to date on compliance standards and regulations. These types of security checks should include performing penetration tests and vulnerability scans. Practices should create protocols for employees to report suspicious emails and changes to email exchange server configurations. The FDA also recommended that any direct request for account actions “needs to be verified through the appropriate, previously established channels before a request is sanctioned.”
Medical practices are being told to train all their employees on how to identify and report phishing, social engineering, and spoofing attempts. Some practices may want to consider pursuing options in authentication or barrier layers to decrease or eliminate the viability of phishing.
“Risk analysis is fundamental to HIPAA compliance. Federal auditors found over 80% of business associates failed this Security Rule requirement. Physician due diligence is essential before engaging a business associate,” Hales said. “And they must have an updated business associate agreement in place.”
Physicians may want to work with their legal counsel to protect against business associate negligence. Cyber insurance and risk-shifting contract language are prospective defensive measures, Hales said.
Another approach would be to use hard tokens that permit access to software and verify identity with a physical device instead of authentication codes.
“This kind of token allows software access through verification of a physical device rather than codes or passwords. Although cost can be a concern for using hard tokens compared with other authentication types, such as SMS authentications, hard tokens have an advantage in protecting confidential data,” said cybersecurity specialist Soumitra Bhuyan, PhD, an associate professor at Rutgers University in New Brunswick, New Jersey.
The individual with the hard token needs to be present to access data. Consequently, systems based on hard tokens are difficult to breach remotely. However, hard tokens come with some limitations. They are costly for a large organization to implement and, as with any physical device, they can be lost, Dr Bhuyan said.
Steve Akers, Chief Security Officer for TECH LOCK, a division of Clearwater that provides managed threat detection and response services, said health care payment processors now are under attack because they are the lowest-hanging fruit. “Hitting the supply chain, or in the case of [health care business associates], has proven to be a more lucrative path than targeting the bigger companies, as they typically have fewer resources and less investment in cybersecurity but may have access to many of the same data sets,” Akers said.
One way to mitigate vulnerabilities related to third-party vendors is to add email banners alerting employees to messages that originate outside the organization. It is also suggested that all medical practices require a separate verification step for any change to existing invoices, bank deposit details, or contact information involving third-party vendors and organizational collaborators.
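The two controls above (the FBI's "verify through previously established channels" rule and the external-sender banner) can be expressed as a small accounts-payable workflow. The following is an added example, not code from the article or from any vendor mentioned in it; it assumes a hypothetical in-memory vendor master file (`Vendor`, `VendorMaster`) and constructed sample data. The point it makes is that a requested banking change is held and never applied until someone confirms it by calling the phone number already on file from onboarding, and that any contact details supplied inside the request are deliberately ignored for that confirmation.

```python
"""
Vendor banking-change workflow with out-of-band verification.

Added illustration (hypothetical names, constructed data). The gate is the
one the FBI alert describes: a change request is parked, and the account on
file is only updated after confirmation through a contact channel that was
established before the request arrived, never through contact details that
the request itself supplies.
"""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Vendor:
    vendor_id: str
    name: str
    email_domain: str      # domain this vendor has always corresponded from
    bank_account: str      # account currently on file (constructed sample)
    verified_phone: str    # number confirmed at onboarding; the only callback channel


@dataclass
class ChangeRequest:
    request_id: str
    vendor_id: str
    new_bank_account: str
    requester_email: str
    callback_phone_in_request: Optional[str]   # recorded for audit, never used
    status: str = "PENDING"
    flags: List[str] = field(default_factory=list)


class VendorMaster:
    """Hypothetical vendor master file with a hold-and-verify change queue."""

    def __init__(self, vendors: List[Vendor]):
        self.vendors: Dict[str, Vendor] = {v.vendor_id: v for v in vendors}
        self.requests: Dict[str, ChangeRequest] = {}

    def submit_change(self, vendor_id: str, new_bank_account: str,
                      requester_email: str,
                      callback_phone: Optional[str] = None) -> ChangeRequest:
        """Record a requested change without touching the account on file.

        The flags are advisory only; even a request with no flags must still
        pass confirm_by_callback(), because a sender address can be spoofed.
        """
        vendor = self.vendors[vendor_id]
        req = ChangeRequest(uuid.uuid4().hex, vendor_id, new_bank_account,
                            requester_email, callback_phone)
        sender_domain = requester_email.rsplit("@", 1)[-1].lower()
        # Lookalike or unrelated domain: exact comparison is enough to flag it.
        if sender_domain != vendor.email_domain.lower():
            req.flags.append("sender-domain-mismatch")
        # A "please call this new number to confirm" is a classic tell.
        if callback_phone and callback_phone != vendor.verified_phone:
            req.flags.append("new-contact-in-request")
        self.requests[req.request_id] = req
        return req

    def confirm_by_callback(self, request_id: str, phone_dialed: str) -> bool:
        """Apply the change only if the clerk called the number on file."""
        req = self.requests[request_id]
        vendor = self.vendors[req.vendor_id]
        if req.status != "PENDING":
            return False
        if phone_dialed != vendor.verified_phone:
            # Calling a number taken from the request proves nothing.
            req.status = "REJECTED"
            req.flags.append("callback-not-to-established-channel")
            return False
        vendor.bank_account = req.new_bank_account
        req.status = "APPLIED"
        return True


def tag_external(subject: str, sender: str, internal_domains) -> str:
    """Prefix the subject of any message not sent from an internal domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in internal_domains}:
        return subject
    return "[EXTERNAL] " + subject
```

In practice the `verified_phone` value comes from the onboarding record and is changed only through the same hold-and-verify path, so an attacker who controls the vendor's mailbox still cannot steer the callback to a number they answer.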
A hard token could be a special USB stick that must be plugged into the computer or it could be some personal aspect, such as fingerprints or face identification, said Stuart Madnick, PhD, of the Massachusetts Institute of Technology in Boston, where he is the John Norris Maguire Professor of Information Technology in the Sloan School of Management and Professor of Information Technology and Engineering Systems in the School of Engineering. “All of these make it much harder for a hacker to break into your account even if he or she has stolen your ID and password,” Dr Madnick said. “In highly secure situations, such as the CIA, hard tokens are probably widely used. But for the average doctor, it is one additional thing you need to carry around and secure.”
Cybersecurity specialists agree no method is 100% fool-proof. There is always a way that a determined attacker can get through. “We promote the need for resilience,” Dr Madnick said. “If the attacker gets in, how do you minimize the amount of damage that can be done? For example, keep the data encrypted, so even if stolen, it is useless to the hacker.”