AHA observes uptick in hospital IT help desk social engineering schemes

April 04, 2024 - UPDATE 4/4/2024 - This article has been updated to include information from an HC3 sector alert.

The American Hospital Association (AHA) has doubled down on its warning to the healthcare sector about hospital IT help desk social engineering schemes. The AHA released an alert on this topic in January, but has since observed continued targeting of hospital IT help desks, prompting it to release a second notification.

These schemes involve a threat actor using the stolen identities of revenue cycle employees or employees in other sensitive financial roles to call IT help desks and answer security questions posed by the help desk.

Next, the threat actor will request a password reset and may attempt to enroll a new device in order to receive multi-factor authentication (MFA) codes and gain access to the employee’s email account. Often, the new device will have a local area code, making it even more difficult to detect the scheme. This tactic allows threat actors to defeat MFA safeguards, including phishing-resistant MFA.

The threat actors then use the compromised employee email account to change payment instructions with payment processors and divert legitimate payments to fraudulent US bank accounts. What’s more, this access could enable threat actors to deliver malware across the network.

“The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new devices,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Organizations may also want to contact the supervisor on record of the employee making such a request.”

Riggi noted that one large health system now requires employees to make requests in person at the IT help desk to reduce risk.  

“This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes,” he continued.

Organizations that fall victim to this attack should notify their financial institutions and the Federal Bureau of Investigation (FBI) as soon as possible. Doing so within 72 hours of the payment diversion may help to recover the payments.

The HHS Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert regarding this attack method and offered several mitigations, including requiring callbacks to the number on file for the employee in question. 

Sophisticated social engineering attacks remain a pervasive threat in healthcare, as exemplified by the ongoing targeting of hospital IT help desks. Even with strong MFA protocols in place, threat actors have still been able to trick their way into healthcare systems. Technical and administrative safeguards can help organizations prevent or mitigate the risk of these attacks.