Shortly after our prior blog post discussing the need for healthcare entities to shore up protections against phishing attacks, the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) alerting members of the healthcare industry to indicators of compromise and the tactics, techniques, and procedures used in phishing and social engineering campaigns. This recent guidance underscores that phishing attacks have the attention of the FBI and HHS, and that health systems should proactively update their policies, procedures, and security controls to remain compliant with industry standards.
The Joint Advisory
While healthcare organizations may not have been among the very first cyberthreat targets, as repositories of uniquely sensitive information and data, they have become appealing targets. Their size, technological dependence, access to personal health information, and need to keep patient services operating smoothly all contribute to their appeal to threat actors.
HHS and the FBI found that threat actors use consistent techniques to gain unauthorized access to networks and issued the CSA to advise health systems to be alert for specific threats. In particular, threat actors have been using social engineering (using human interaction to compromise an organization) and phishing schemes to steal login credentials, gain access, and then divert automated clearinghouse (ACH) payments to bank accounts they control.
Commonly, threat actors impersonate organization employees and gain unauthorized access to an employee’s account by using the impersonated employee’s personally identifiable information to request password resets from the organization’s IT Help Desk. After accessing the account, threat actors tend to “live off the land” by mimicking typical system and network behavior while discreetly advancing their attacks. Unlike traditional malware attacks, “living off the land” attacks are fileless—meaning they do not require the attacker to install any code or scripts on the target system; rather, the attacker uses tools that are already present in the environment.
Efforts to Mitigate Phishing
The FBI and HHS recommend that organizations undertake efforts to improve their cybersecurity posture based on common threat actor activity. Specifically, the FBI and HHS recommend implementing multi-factor authentication for every account to provide an extra layer of defense against social engineering–based attacks. The FBI and HHS further advise that multi-factor authentication bypasses should not be granted on the basis of a phone call to the Help Desk. They also recommend additional training for IT Help Desk employees on social engineering–related phishing attacks.
To help organizations avoid such phishing attacks, the CSA provides some known phone numbers affiliated with phishing schemes so that organizations can be more aware of potential bad actors, but notes that, given the technology available to attackers, the listed numbers are subject to change. Further, the CSA opines that organizations would benefit from directing their efforts to securing remote access tools, such as by auditing remote access tools on organization networks to identify currently used and/or authorized software, using security software to detect instances of remote access software being loaded only in memory, requiring remote access tools to be used only over virtual private networks, and blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
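The remote access controls described above can be turned into a simple host audit. The following is an added example, not part of the CSA or the original post: it checks a constructed process inventory against an assumed allowlist of approved remote access tools, flags tools running only in memory (no backing executable on disk), and flags remote sessions whose peer address lies outside an assumed VPN address pool. The tool names, allowlist, and VPN range are all assumptions for illustration.

```python
"""Audit a host's remote access tools against three CSA-style controls:
authorized software only, no memory-only instances, and VPN-only sessions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Assumed allowlist of remote access tools the organization has approved.
APPROVED_REMOTE_TOOLS = {"approved-rmm.exe"}
# Executable names treated as remote access software for this audit
# (assumed list; a real deployment would maintain its own inventory).
KNOWN_REMOTE_TOOLS = {"approved-rmm.exe", "anydesk.exe", "teamviewer.exe", "screenconnect.exe"}
# Assumed address pool handed out to VPN clients.
VPN_NET = ipaddress.ip_network("10.8.0.0/16")


@dataclass
class Proc:
    """One running process from an endpoint inventory."""
    name: str
    image_on_disk: bool        # False when the code was loaded only in memory
    peer_ip: Optional[str]     # remote address of its active session, if any


def audit(procs: List[Proc]) -> List[Tuple[str, str]]:
    """Return (process name, reason) findings for every violated control."""
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in KNOWN_REMOTE_TOOLS:
            continue  # not remote access software; out of scope for this audit
        if name not in APPROVED_REMOTE_TOOLS:
            findings.append((p.name, "unauthorized remote access tool"))
        if not p.image_on_disk:
            findings.append((p.name, "remote access tool running only in memory"))
        if p.peer_ip and ipaddress.ip_address(p.peer_ip) not in VPN_NET:
            findings.append((p.name, f"remote session from {p.peer_ip} outside VPN"))
    return findings


# Constructed sample inventory covering each control once.
SAMPLE = [
    Proc("approved-rmm.exe", True, "10.8.3.14"),   # compliant
    Proc("AnyDesk.exe", True, "203.0.113.7"),       # unauthorized, outside VPN
    Proc("screenconnect.exe", False, None),         # unauthorized, memory-only
    Proc("notepad.exe", True, None),                # not a remote access tool
]

if __name__ == "__main__":
    for proc_name, reason in audit(SAMPLE):
        print(f"{proc_name}: {reason}")
```

Feeding the audit a real inventory (for example, an EDR process export) would let an organization produce the "currently used versus authorized" list the CSA asks for.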
In addition to these mitigation measures, the FBI and HHS recommend, and provide instructions for, testing organizations’ security programs against the threat behaviors outlined in the CSA.
How We Can Help
Morgan Lewis guides and counsels businesses navigating data security threats and offers best-practice solutions. Our Health Insurance Portability and Accountability Act (HIPAA) and data-privacy lawyers stand ready to assist companies in navigating these complex issues.