Hospital Heist Provides Fraud LessonPay Attention to Risks to Financial Data
HIPAA Omnibus Rule compliance has healthcare organizations immersed in efforts to safeguard clinical information. Despite the long list of chores they must accomplish by the rule's Sept. 23 enforcement deadline, hospitals, clinics and others can't lose sight of protecting financial data as well.
That's an expensive lesson that's being learned by Cascade Medical Center, in Leavenworth, Wash. Cybercriminals recently stole more than $1 million from a county hospital that's part of Cascade. The complex scheme is suspected to have involved hacking into the medical center's accounting system, says Chelan County Treasurer David Griffiths.
There's a lot of information at healthcare organizations that's valuable to sell and utilize for fraudulent billing and other criminal activity.
The cyberfraud is likely to have started through spear-phishing e-mails to Cascade employees who unknowingly turned over the keystrokes needed to access the medical center's accounting system, Griffiths suspects.
Account takeover is an ongoing challenge in the banking sector, which has experienced several high-profile cases with commercial customers over the past four years. But it's relatively rare in the healthcare arena, and there are immediate lessons to be learned.
This incident demonstrates why it's so important for healthcare organizations to educate their staff about good cybersecurity practices (watch out for phishing) in addition to basic HIPAA compliance training. And protecting financial data should be as big a priority as securing sensitive patient health data, especially because so many healthcare organizations are feeling the financial pinch.
Griffiths' office uncovered the scheme last week when it noticed anomalies in three payroll files that had been logged. But by then, more than $1 million worth of payroll transactions had been processed and deposited into the bank accounts of 96 "mules," Griffiths says. Those mules apparently were unwitting out-of-state workers enlisted by a scam company, which, in turn, allegedly siphoned off the fraudulent payroll deposits into its own pocket, Griffiths says.
Law enforcement authorities are investigating the incident, but there haven't been any arrests yet, he adds.
"We're just beginning to see this wave of cybercrimes and bad actors in healthcare," says Bill Fox, a principal at the consulting firm Booz Allen Hamilton. "We're going to start seeing major crime syndicates. There's a lot of information at healthcare organizations that's valuable to sell and utilize for fraudulent billing and other criminal activity."
The kind of financial fraud that hit the hospital in Washington state "is a crime of opportunity," he adds. "Whether vulnerability is internal or external, [cybercriminals] will find it."
Cybercrimes will become increasingly common in healthcare, Fox predicts. "As large financial services organizations spend lots of money to improve their security, mid-tier banks and healthcare organizations will be a growing target."
Griffiths sums up the growing threat this way: "This is really scary stuff." When it comes to data security, he says, "Hospitals are so focused on HIPAA, patient confidentiality and electronic medical information, but they can't forget about the back-end side of the operations."
Executives at Cascade Medical Center did not reply to a request for comment.
The good news in the incident, if any, is that Griffiths' office has been able to recover about $313,000 of the stolen payroll so far, and another $212,000 has been frozen by the banks, he says.
"Still, this will be a struggle in the end, with friends suing friends," Griffiths says.
So, how can other hospitals avoid falling victim to these kinds of scams?
Healthcare organizations of all sizes should pull together representatives of their business, clinical, technology and security departments to create "workgroups that discuss immediate issues at hand and emerging threats," Fox suggests.
To help protect financial as well as clinical information, cybersecurity expert David Kennedy, CEO of TrustedSec, stresses that organizations need to perform penetration testing and deploy monitoring and detection tools to identify potential problems.
"Small and mid-sized hospitals don't realize how easy it is for hackers to break into their systems," Kennedy says.