HHS Alert: Cybersecurity Threats Targeting IT Support in Healthcare and Public Health Sector

The U.S. Department of Health and Human Services (HHS) has raised an alarm over an ongoing assault by cybercriminals targeting IT help desks in the Healthcare and Public Health (HPH) sector. These attackers, observed by the Health Sector Cybersecurity Coordination Center (HC3), wield sophisticated social engineering tactics to infiltrate the health sector’s defenses. Their strategy revolves around making phone calls to the IT help desk, pretending to be employees in financial roles. They cleverly manipulate the conversation by providing the last four digits of an employee’s social security number (SSN), corporate ID numbers, and other personal information, likely harvested from professional networking sites and through Open Source Intelligence (OSINT) techniques. By feigning a broken phone that can’t receive Multi-Factor Authentication (MFA) tokens, they trick help desk personnel into linking a new device for MFA, thus breaching the organization’s security.

Once inside, these cybercriminals don’t waste time. They quickly move to capture login credentials for websites related to payments, modifying Automated Clearing House (ACH) details to reroute payments to their U.S.-based bank accounts before eventually transferring these unlawful gains overseas. Adding insult to injury, they also impersonate high-ranking officials like the Chief Financial Officer (CFO) by creating similarly named domains and email accounts, deepening their deception.

In some instances, these threat actors have even employed artificial intelligence (AI) to clone voices, adding a layer of authenticity to their scams. This alarming tactic was highlighted in a global study cited in the alert, which found that 25% of respondents knew someone who had been duped by an AI voice cloning scam.

This campaign of deceit is not unique to the healthcare sector. A similar modus operandi was used in attacks against the hospitality and entertainment industry in September 2023, attributed to a notorious group known as Scattered Spider (or UNC3944). These attacks aimed at deploying the ALPHV (BlackCat) ransomware across targeted infrastructures, though UNC3944 has not yet targeted the health sector specifically.

To counter these threats, here are several recommended proactive measures:

  • Organizations should insist on calling back employees through their registered numbers for any requests related to password resets or new device enrollments.
  • Awareness against suspicious ACH modifications is crucial, as is the revalidation of all users accessing payment-related sites.
  • Require supervisory verification for such requests.
  • Develop comprehensive training programs for all staff, not just IT personnel. These programs should include regular updates on the latest social engineering tactics and practical exercises, such as mock phishing attempts, to test employees’ awareness.
  • Implement advanced security software solutions that include behavior analysis, anomaly detection, and threat intelligence feeds. This software can help identify unusual patterns that may indicate a breach attempt.
  • Enhance multi-factor authentication (MFA) protocols by incorporating biometric verification, such as fingerprint or facial recognition, which are harder for attackers to replicate.
  • Establish secure, encrypted communication channels for discussing sensitive information, and train employees to use these channels for all internal communications, especially when confirming identities or financial transactions.
  • Conduct regular security audits and penetration tests to identify and mitigate vulnerabilities within the organization’s network and systems.
  • Apply the principle of least privilege by ensuring that employees have access only to the information and resources that are necessary for their job functions.
  • Introduce more stringent verification procedures for employee requests that involve sensitive actions, such as changing bank account information or enrolling new devices. This could include multiple verification steps or the use of pre-agreed upon personal questions.
  • Run continuous awareness campaigns to keep cybersecurity at the forefront of employees’ minds. These could include newsletters, posters, and regular briefings on the latest cyber threats.
  • Establishing a partnership with a reputable cybersecurity firm is a crucial step for healthcare organizations aiming to fortify their defenses against sophisticated cyber threats. These firms specialize in a broad range of security services, including real-time monitoring, advanced threat detection, and incident response. By working closely with a cybersecurity firm, organizations can benefit in many ways.

About Purple Shield Security

Purple Shield Security stands out from the crowd of cyber security firms. Picture us as the guardians of your digital space, always on the lookout to protect your business from the newest cyber dangers. We’ve got a variety of services to help keep you safe, including Managed Cyber SecurityCyber Security Consulting, Risk Analysis, Defense Services, Incident Response, and even a virtual Chief Information Security Officer (vCISO).

Don’t put off making your business safer. Contact us now to see how Purple Shield Security can upgrade your cyber defenses.