Mutare, in cooperation with the American Hospital Association and Numeracle, recently led a webinar for members of the American Hospital Association featuring key architects of the FCC’s Hospital Robocall Protection Group (HRPG) “best practices” report. In the program, John Riggi, AHA Senior Advisor for Cybersecurity and Risk, and Rebekah Johnson, Numeracle founder & CEO, discussed key insights about the specific vulnerabilities of hospital systems. While shedding light on the unique strategies exercised by criminal intruders specifically targeting hospital voice networks, hospital staff, and the patients they serve, the discussion also turned to actions healthcare organizations can take now to protect themselves from these growing threats.
Following are some of the key webinar takeaways.
TABLE OF CONTENTS
- The Formation of the Hospital Robocall Protection Group
- Cyber Attacks Targeting Hospitals
- The Role of Voice Service Providers
- Infographic: Hospital Robocall Protection
- Self-Protection Best Practices
- Arm Your Organization with Information & Insight
- When and How to Engage Outside Authorities
- For Further Information
The Formation of the Hospital Robocall Protection Group
The Hospital Robocall Protection Group (HRPG) was created by the Federal Communications Commission (FCC) in response to a directive from Congress via enactment of the 2019 Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act. Recognizing the growing danger of malicious spoofing and scam robocall intrusion for healthcare organizations and the public they serve, the HRPG was charged with analyzing the problem and then developing and disseminating a best practices report.
Members were selected from a diverse mix of organizations, including one member each from the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) plus members from the following six categories:
- Hospital representatives
- Voice service providers that serve hospitals
- Companies that focus on mitigating unlawful robocalls
- Consumer advocacy organizations
- Providers of one-way voice over internet protocol services
- State government officials focused on combating unlawful robocalls
Among the members is Rebekah Johnson, CEO of Numeracle, who notes, “The fact that this group was established really highlights the severity of the challenges that hospitals are facing specifically with this issue of fraudulent robocalls. It speaks not only to the level of disruption these calls are creating but also relates directly to patient care and the ability of hospitals to provide that care.”
While advisory in nature, the output of the HRPG efforts has advanced the case for hospital voice network protection at many levels. Says Johnson, “We could have told the hospitals, ‘Here’s what you need to do – it’s your problem so solve it.’ But that’s not what happened. Working together with all of the players, we were able to bridge gaps and develop a plan that is not just another report but rather one that’s very actionable.”
Cyber Attacks Targeting Hospitals
In this segment of the webinar, FBI veteran John Riggi discussed the various and evolving forms of robocalls and voice scam attacks aimed at healthcare organizations.
As Riggi notes, not all robocalls are generated with criminal intent. For instance, telemarketers, political campaign groups and other legitimate organizations use robocall technology to deliver their messaging. And while disruptive, these calls are not necessarily illegal.
The true threat, though, comes from criminal callers who are exploiting the unique vulnerabilities of the healthcare environment with malicious intent or for financial gain. A hallmark of such callers is the use of spoofed phone numbers, meaning numbers that have been digitally manipulated in the Caller ID to mask the true source of the call and often appear to be from a trusted source. While the TRACED Act, through the recently enacted STIR/SHAKEN protocols, is designed to expose fraudulent calls by requiring carriers to attest to the legitimacy of the call source before passing the call along, its primary focus has been consumer protection. On its own, STIR/SHAKEN protocol enactment can do little to keep those calls from entering enterprise networks.
And that is particularly concerning for healthcare organizations. As noted in the HRPG report, what makes robocalls to hospitals uniquely damaging “is the impact they can have on the public health and safety of patients and the community.”
That, notes Riggi, is also what makes them so insidious.
Among the most concerning forms of voice network assault is the Telephone Denial of Service attack, or TDoS for short. In this scheme, the attacker uses a spoofed number or numbers and computer-generated dialing to overwhelm an organization’s phone lines with hundreds, if not thousands, of calls, effectively shutting down incoming and outgoing lines. For hospitals, the result could be disastrous. Such events are not only extremely disruptive to operations but also pose a true threat to public health as calls from patients and emergency responders fail to get through.
Often, notes Riggi, the goal is extortion. The assailant may even call ahead with a warning that the attack will begin unless a fee is paid. Because of the threat to public health and safety, this kind of activity is elevated to a crime of violence, which puts the perpetrators in a position of significant legal jeopardy. “That’s a warning to anybody thinking of this. The FBI and other agencies will come after you.”
Preying on the Vulnerable through Social Engineering
Another attack type often directed at hospitals, one that, according to Riggi, is “especially despicable,” is scam calls targeting specific staff members or patients. Using information about the intended victim that has been harvested from online sources or stolen through cyber hacks, the caller attempts to impersonate a trusted source. When targeting a staff member, the goal is usually to gain access to hospital systems that hold personal information that can, in turn, be exploited for future scams. In these cases, the perpetrator may spoof an internal number and impersonate a colleague, such as a member of tech support. “They may tell the target that their password needs to be reset,” notes Riggi. “They may even have coordinated the call with an email stating the same intention to give it more legitimacy – that’s how sophisticated they are getting. And then they trick the target into revealing their username and password. From there they may be able to gain access to internal systems, even patient records, and that would be a huge issue for the hospital to deal with.”
When targeting a patient, the assailant, again using a spoofed number with fraudulent caller ID, may claim to be from the patient’s insurance carrier, pharmacy or another part of their provider network in order to con the victim out of personally identifiable information, such as an insurance plan number, social security number, or date of birth. Once that information has been provided, it can be used to perpetrate further fraud, including full-on identity theft.
And while general awareness about such schemes is spreading, criminals are specifically exploiting the unique vulnerability and lowered defenses of hospital patients – an offense that, says Riggi, is “particularly heinous.”
The Role of Voice Service Providers
As mentioned earlier, most of these crimes are committed using spoofed telephone numbers to hide the caller identity and gain trust. When a criminal uses a spoofed number that appears to be from an individual’s hospital, that patient is more likely to answer and trust the caller. And, says Johnson, “There is nothing, absolutely nothing, a hospital can do to prevent someone from spoofing their number.”
And that, she notes, is where the FCC’s recently enacted STIR/SHAKEN caller verification system comes into play. As of June 30, major carriers across the nation have been mandated to submit a robocall mitigation plan. In most cases this involves the implementation of STIR/SHAKEN protocols against calls they agree to accept and pass along. This protocol is an attestation system used to analyze and verify through a confidence scoring system that the number that eventually appears on the caller ID of the call recipient is owned by the call source and not spoofed. In other words, notes Johnson, “It is removing anonymity from the voice network. It makes the carriers responsible for knowing who they are doing business with.”
Note that the system does not actually block those calls, but rather adds informational data about the call source that, when interpreted by the receiving carrier, can be used to flag those that have the markings of a spoofed ID. Some carriers may provide a “Suspected Scam” label to the Caller ID but will still pass the call through. Personal mobile phones can be set to silence any call flagged as possibly fraudulent. However, that is not a viable option for enterprise networks, such as for hospitals, that cannot take the chance of blocking what might be a legitimate call.
Nevertheless, the extra data provided through STIR/SHAKEN analysis and the new accountability the law demands of carriers to attest to the integrity of calls they are passing through may at least help curb fraudulent robocall activity.
“True, this does not solve all the problems for hospitals,” says Johnson. “We know there’s probably going to be some other strategy that the bad guys are going to use to try to get around it, but it’s a good start and hospitals should be aware that these strategies on the carrier side are being implemented.”
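As an added illustration of the attestation data described in this section (example code, not from the webinar or from Mutare or Numeracle), the following decodes the PASSporT token that STIR/SHAKEN carries in the SIP Identity header and turns its attestation level into a log label without blocking the call. The x5u URL, origid and signature segment are constructed placeholders, and signature verification against the carrier certificate is assumed to have been done upstream by the terminating carrier.

```python
# Added example: decode a STIR/SHAKEN PASSporT and annotate, never block, a call.
import base64
import json

def _b64url(obj):
    """JSON-encode obj and base64url-encode it without padding (JWT style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample PASSporT (header.claims.signature). The x5u URL, origid
# and signature segment are placeholders; no real ES256 signature is present.
SAMPLE_PASSPORT = ".".join([
    _b64url({"alg": "ES256", "ppt": "shaken", "typ": "passport",
             "x5u": "https://cert.example.invalid/ca.pem"}),
    _b64url({"attest": "C", "dest": {"tn": ["13125550100"]},
             "iat": 1625000000, "orig": {"tn": "13125550199"},
             "origid": "constructed-origid-0001"}),
    "cGxhY2Vob2xkZXItc2ln",
])

# Meaning of the three SHAKEN attestation levels as logged for the call record.
ATTEST_LABEL = {
    "A": "full attestation: carrier knows the customer and the number",
    "B": "partial attestation: customer known, number not verified",
    "C": "gateway attestation: call entered from an unknown source",
}

def decode_passport(token):
    """Return (header, claims) of a PASSporT; signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have three segments")
    def dec(seg):
        seg += "=" * (-len(seg) % 4)  # restore the base64url padding
        return json.loads(base64.urlsafe_b64decode(seg))
    return dec(parts[0]), dec(parts[1])

def triage_call(token, called_number):
    """Produce a log entry for the hospital's call records: annotate only."""
    header, claims = decode_passport(token)
    if header.get("ppt") != "shaken":
        return {"label": "unsigned/unknown", "attest": None, "flag": True}
    attest = claims.get("attest")
    # Flag when attestation is weak or the token's destination does not match
    # the number actually dialled; the call is still passed to the extension.
    dest_ok = called_number in claims.get("dest", {}).get("tn", [])
    flag = attest != "A" or not dest_ok
    return {"label": ATTEST_LABEL.get(attest, "unknown attestation"),
            "attest": attest, "dest_ok": dest_ok, "flag": flag,
            "caller": claims.get("orig", {}).get("tn")}
```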
Hospital Robocall Protection
Robocalls and cyber threats aimed at healthcare organizations are constantly evolving in threat vectors, complexity and potential damage. Hospitals are a specific target due to unique vulnerabilities and the lowered defenses of caregivers, staff, and patients. Malicious robocall attacks in the form of TDoS (Telephone Denial of Service) and social engineering are escalating and garnering significant media attention.
Self-Protection Best Practices
According to Riggi, the most important thing hospitals can do right now is make staff aware of the types of criminal activity that may be directed at them through a voice call. “These calls are only successful if you give the bad guys the information they want,” he notes.
Train Staff to be Suspicious
What makes hospital employees uniquely vulnerable to psychological manipulation is the very quality that brought them to their profession in the first place – a desire to help others. “Clearly no one should be providing a password over the phone,” says Riggi. “They also should know that no government agency will ask for access to financial accounts or make any form of threat. But in reality, staff needs to be trained to respond to any request for sensitive information, whether by phone or email, with suspicion, even if the caller has data points that give them an air of credibility.”
Document Call Details
Once sensitized to the potential for phone fraud, staff should know to record any and all information related to a call that they sense is suspicious, such as date and time of call, the caller ID and called number, and whether the call was live or a recorded message.
Report to Appropriate Internal Departments
Next, the organization needs to have a formal process in place for reporting that information, whether to a chief security officer or the IT department – “preferably both,” says Riggi. Depending on the nature of the call, IT administrators may need to contact their carrier to block future calls from that number. If criminal activity is suspected, it’s time to bring in law enforcement.
“A good template may be to start with your protocol for suspected HIPAA breaches,” notes Johnson. “While the suspect call may not, in fact, have resulted in a data breach, you can treat it with the already established protocols and reporting structure you have in place. I would suggest creating a grid that helps classify the nature of the call as nuisance vs. potentially criminal, so that you can more quickly recognize when patterns are emerging and additional actions are required.”
In this way, adds Riggi, the hospital may be able to more quickly identify a coordinated criminal campaign that would warrant law enforcement intervention, and the sooner such activity is recognized and dealt with, the lesser the chance of damage to the organization.
Such damages, notes Riggi, not only include regulatory exposure but could also take shape as legal action against the institution. He explains that, should a fraudulent caller make his way to a patient and the patient actually betrays personal information, the hospital may be accountable to that patient for allowing the call through and, in fact, may be held liable if suspicious activity has been previously noted but no action taken. “So a clear reporting structure and action plan is necessary, not only for patient and staff protection, but there is an element of business risk that also needs to be considered.”
Arm Your Organization with Information & Insight
Know Your Network Structure
Internally, IT managers should have a clear understanding of their phone line hierarchy – know which lines are most critical, and then focus protective resources on those lines. Line segregation should be considered if not already part of the organization’s continuity of operations plan. While those plans are usually designed around natural disaster disruptions, they should also include actions by an adversary who is deliberately trying to sabotage network operations.
Note that cybercriminals are also at work trying to infiltrate other IT systems. “We can no longer treat risks to each communication channel as separate and in its own silo,” says Riggi. “Your SMS security, email security, telephony security, they’re all related because the bad guys will leverage multiple channels as a way to accredit the veracity of their call.” And, he adds, now that Voice over Internet Protocol (VoIP) has become the standard delivery system for enterprise voice communications, that inter-operational structure between voice and data networks means that attacks that take down computer networks can also take down the phone system.
Make Monitoring a Priority
Regardless of security measures already in place, “It’s essential that the framework of how you implement a security plan for your organization includes continual monitoring of all network traffic,” notes Johnson. “You don’t just lock the door and walk away hoping no one will try to get in.” Applications from enterprise telecom solutions developers like Mutare may be applied for their monitoring capabilities as well as real-time analysis of voice traffic patterns that may reveal the emergence of a potential attack in its early stages so protective measures, such as traffic diversion to other lines, can be activated.
Clues in the Call Data
Such monitoring, adds Riggi, should be conducted with a clear understanding of what “normal” activity looks like in order to know when to respond to activity outside of the norm. For instance, a sudden high velocity of incoming calls could signal the start of a TDoS attack. Even prior to a full-on attack, says Riggi, “There may be clues or hints buried in the data – what might be evidence of pre-attack reconnaissance surveillance. Network monitoring needs to be sensitive to signs of probing – isolated calls throughout the organization that, when recognized together, might be the precursor to a broader campaign.”
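Pulling together the call details staff are asked to record, Johnson’s nuisance vs. potentially criminal grid, and the two signals Riggi describes here (a sudden burst of inbound calls and scattered probing of many extensions), the following is an added example, not code from the webinar or from Mutare, that runs those checks over a constructed set of call detail records; the record layout, thresholds and extension numbers are assumptions.

```python
# Added example: scan constructed call detail records for TDoS-onset velocity
# and extension probing, then classify findings for the reporting grid.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CDR lines: timestamp, caller ID, called extension, live|recorded.
# One caller walks six extensions once each; then 120 recorded calls hit the
# main line (4001) within a single minute from ten rotating caller IDs.
CDR_LINES = """\
2021-07-01T09:00:05 +13125550142 4001 live
2021-07-01T09:00:09 +13125550142 4002 live
2021-07-01T09:00:14 +13125550142 4003 live
2021-07-01T09:00:20 +13125550142 4004 live
2021-07-01T09:00:27 +13125550142 4005 live
2021-07-01T09:00:31 +13125550142 4006 live
2021-07-01T09:01:00 +18005550100 4001 recorded
2021-07-01T10:15:00 +13125550199 4001 live
""" + "\n".join(
    f"2021-07-01T11:00:{i % 60:02d} +1555000{i % 10:04d} 4001 recorded"
    for i in range(120)
)

def parse_cdr(text):
    """Parse whitespace-separated CDR lines into (time, caller, called, mode)."""
    records = []
    for line in text.strip().splitlines():
        ts, caller, called, mode = line.split()
        records.append((datetime.fromisoformat(ts), caller, called, mode))
    return records

def velocity_spikes(records, threshold=50):
    """Inbound calls per calendar minute; minutes at or above threshold."""
    per_minute = Counter(r[0].replace(second=0, microsecond=0) for r in records)
    return {m: n for m, n in per_minute.items() if n >= threshold}

def probing_callers(records, min_extensions=5, max_per_extension=1):
    """Caller IDs that touched many distinct extensions, a few calls each."""
    seen = defaultdict(Counter)
    for _, caller, called, _ in records:
        seen[caller][called] += 1
    return [c for c, exts in seen.items()
            if len(exts) >= min_extensions
            and max(exts.values()) <= max_per_extension]

def classify(records):
    """Rows of (category, subject, reason) for the nuisance/criminal grid."""
    grid = []
    for minute, n in velocity_spikes(records).items():
        grid.append(("potentially criminal",
                     f"{n} calls in minute starting {minute.isoformat()}",
                     "possible TDoS"))
    probers = probing_callers(records)
    for caller in probers:
        grid.append(("potentially criminal", caller, "extension probing"))
    recorded = Counter(r[1] for r in records if r[3] == "recorded")
    for caller, n in recorded.items():  # low-volume robocalls: nuisance tier
        if caller not in probers and n < 5:
            grid.append(("nuisance", caller, f"{n} recorded message(s)"))
    return grid
```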
Know What’s Out There
To that point, information sharing is essential, not only within the organization but between organizations. “If the bad guys are involved in an illegal robocall campaign towards hospitals, chances are they’re also targeting other industries, so it’s extremely helpful to have information sharing channels open.”
One such channel suggested by Riggi is InfraGard (infragard.org). Sponsored by the FBI, InfraGard is a free, all-hazard information sharing platform that provides education, networking, and workshops to its membership on criminal activity that threatens the integrity of the nation’s critical infrastructure. The site also includes discussions of emerging technologies that can be used to combat those threats. “So you can be a hospital administrator talking to someone in financial services or energy and they can exchange threat intelligence or mitigation techniques that are also relevant to your organization. It is a great source that I highly recommend,” he says.
When and How to Engage Outside Authorities
In this portion of the webinar, the panel provided advice about law enforcement engagement when criminal activity on hospital voice networks is suspected.
Document the Impact
First of all, says Riggi, “It is incumbent on hospitals to be able to correctly identify the nature of suspicious calls or call campaigns – are they simply a nuisance or is the organization actually being victimized?” If the latter, “Then a very important next step is to be able to document the impact on care delivery. For example, you might say these calls came in and they tied up your nurses’ station lines, or you were trying to communicate with patients to tell them to come in for elective surgeries but couldn’t reach them. Or let’s suppose you have a very significant lab report to give to a patient and you can’t do that in a timely manner because your phone lines are unavailable. It makes a much more compelling case when you go to regulators or law enforcement with that kind of impact documentation.”
Know Who to Contact
While contacting the service provider is an obvious first step when dealing with a suspected telephone network attack, the organization’s incident reporting plan should also include names and contact information for trusted members of government or law enforcement who may be able to use their investigative authority to intervene. “You do not want to be in the midst of a crisis trying to figure out ‘Who do I talk to?’” notes Riggi. Ideally, that individual is personally known to the hospital’s security team or incident reporter and so can be trusted to treat the information with appropriate care that avoids tripping an unneeded regulatory audit or unwanted media exposure.
Once identified, those individuals and their contact information should be included in the organization’s incident response plan, and that plan should then be shared back with them.
Following any engagement, “Keep the conversation going so you know there has been appropriate follow-up,” Riggi adds.
While still in its infancy, another recently formed group that will likely play an important role in robocall mitigation, according to Johnson, is the USTelecom Industry Traceback Group (ITG). The ITG is a nationwide consortium of wireless, wireline, cable, and VoIP providers that has, through the FCC, been granted the authority and tools to actively trace and identify sources of illegal robocalls and then hold accountable the carriers who are enabling them. Efforts to establish a reporting mechanism directly to the ITG are underway, and it will likely become part of most organizations’ incident response contacts in the near future.
Support from AHA
The American Hospital Association (AHA) is a good place to start for organizations looking for guidance and contacts to add to their incident reporting plan.
To that point, adds Riggi, “For any hospital or healthcare entity experiencing any type of attack and looking for guidance, I make myself personally available, 24/7 at firstname.lastname@example.org.”