Hackers have been impersonating hospital revenue cycle workers and tricking IT staff into giving them log-in credentials to steal money from the health systems, the American Hospital Association warned.
As part of the so-called "social engineering scheme," presumably foreign-based cybercriminals steal the identities of revenue cycle employees or other finance staffers, calling IT help desks and correctly answering security questions, the AHA reported Jan. 12. They then request to reset their passwords and enroll new devices, getting full access to the employees' accounts and diverting payments to fraudulent bank accounts.
"This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes," said John Riggi, AHA's national advisor for cybersecurity and risk, in the article.
Mr. Riggi recommends at minimum calling back the employee requesting a new password or device at their number on record, and also contacting their supervisor. One large health system now requires that employees make these types of IT requests in person. Healthcare organizations that lose money in a scheme like this should contact their financial institution and the FBI's Internet Crime Complaint Center, or IC3.