Feds Warn of Credential Harvesting Threats in Healthcare – Source: www.databreachtoday.com

Anti-Phishing, DMARC
,
Fraud Management & Cybercrime
,
Social Engineering

HHS Says Tried-and-True Hacker Methods Can Compromise Patient Data, Safety

Marianne Kolbasuk McGee (HealthInfoSec) •
March 29, 2024    

Federal regulators are sounding an alarm to warn healthcare sector entities of cyberattacks involving a tried-and-true hacking method – credential harvesting, which can be used to compromise patient data, disrupt healthcare operations and enable other crimes.

See Also: The State of Organizations’ Security Posture as of Q1 2018

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center warns that credential harvesting attacks pose a wide assortment of potential data security and patient care safety issues for the healthcare sector.

“Credential harvesting poses a significant threat to the security and integrity of healthcare systems, potentially compromising patient confidentiality,” HHS HC3 said in an alert last week. “Credential harvesting is capable of disrupting normal operations, impeding the delivery of vital services and patient care,” the agency said.

Hospitals and other healthcare providers may experience downtime, inability to access critical patient data and disruptions in communication. These actions can lead to delays in appointments, procedures and administrative services. Harvested credentials also can be used to manipulate data in health-related systems.

Attackers can harvest credentials in many ways, including through phishing, keylogging, brute force attacks, person-in-the-middle attacks, and credential stuffing. “The goal is to convince a user to enter their login credentials into a malicious outlet, enabling the attacker access to the user’s account.”

Credential harvesting and its related attack methods are not new. But they have been implicated in several large recent cyber incidents involving health data.

Those include a credential stuffing attack on genetics testing firm 23andMe last year that potentially affected about 6.9 million of the company’s customers (see: 23andMe Says Hackers Stole Ancestry Data of 6.9M Users).

23andMe has said attackers accessed “a select number” of 23andMe accounts by using usernames and passwords that individuals used on 23andMe.com and also on other websites that were previously compromised. The company is also facing multiple proposed class action lawsuits in the wake of the incident.

Electronic health records vendor NextGen Healthcare is also facing at least a dozen proposed class action lawsuits for a health data breach discovered last April that affected 1 million individuals.

The company told regulators hackers gained unauthorized access to a database by using client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen (see: NextGen Facing a Dozen Lawsuits So Far Following Breach).

In December, New York State regulators smacked Healthplex, one of the largest dental administrators in the state, with a $400,000 fine for a 2021 incident involving credential harvesting. The attacker gained access to an employee email account containing 12 years’ worth of messages, including many that contained sensitive member information (see: Dental Plan Administrator Fined $400K for Phishing Breach).

A phishing email to the affected Healthplex worker contained a link directing the recipient to a credential harvesting website where users were instructed to enter a username and password to view a PDF file. The attacker obtained the login credentials to the email account when the employee took the phishing bait.

Last November, HHS HC3 warned that certain threat groups, including North Korean state-sponsored APT43, pose considerable concerns for the U.S. healthcare and public health sector and are considered moderately sophisticated in their ability to perform social engineering, spear-phishing, credential harvesting and spoofed personae (see: Chinese, North Korean Nation-State Groups Target Health Data).

HHS HC3 advises healthcare sector entities to implement a combination of technical controls, security measures and user awareness training to help mitigate the risks associated with credential harvesting.

That includes using multifactor authentication, email filtering and spam detection monitoring tools, and endpoint security solutions; keeping software and system patches up to date; and having comprehensive incident response plans to help minimize the impact of attacks on healthcare operations and patients.