Cyber Criminals are Targeting Telemedicine Visits

It’s NO surprise that cybercriminals are looking for opportunities to exploit the COVID-19 crisis. One area that has caught their attention is the sudden shift from delivering care within a secure corporate IT environment to one that is a residential grade network. As provider groups and hospitals begin to tout their ability to deliver virtual care, it is also letting the criminals know who is now working from home. They are developing tactics to breach home networks hoping to grab sensitive protected health information (PHI).

Who are the culprits?

As you may know, there are several creepy websites known as “people finder sites” that will provide hackers with comprehensive, sensitive information on just about anyone in the world. One of the more well-known sites is called peoplefinder.com. All you need is a first and last name and their state of residence, and it can usually narrow the person down to just a handful of matches.It will then show you additional information to help you make your match, such as their place of employment, or where they went to medical school, which is matched with the physician’s on-line bio to confirm the target. The website will then comb through all the major public databases and organize a report on the individual down to their home address and the names of their spouses, next of kin, and even their children. It will show their place of employment, tax records, criminal records, last known addresses, and the types of automobiles they own. It is a shocking amount of personal information posted for everyone on the internet to see, especially the names of the family members who are usually the targets for exploiting the home network. We don’t expect our family members to have the same level of HIPAA training as we do in the medical field.

How does this happen?

Cybercriminals deploy a shrewd strategy known as “social engineering.” Once they identify their target, they first collect valuable information about their prey.For example, they see an advertisement for telemedicine. They may even schedule a telemedicine visit to see if they can pick up any clues when the physician comes on-line--things like the type of phone they use, the device, the type of telemedicine platform. They may even ask unsuspecting questions, such as,“Hi Doctor, where are you calling in from?” “How do you like your telemedicine platform?” “Which platform are you using?” “Any issues with your internet? Who is your carrier?” These questions may seem innocent, but to a hacker, they are clues for narrowing down their next move. Next, they may move to other sources of information they gathered from these creepy public websites. From here, they have identified your spouse. Next, they find your spouse on social media (Facebook). They can see your spouse is into gardening from the hobbies listed in their profile, so they send him/her a fake message inviting them to sign up for a newsletter offering free gardening tips.Or worse, they encourage your kid to download a game app infected with exploitable viruses.

The goal of “social engineering” is for the hacker to create a tactic that is personalized to the target.In some cases, they will even use emotion to throw off their victims.For example, they search your Facebook page or public records to look for recent deaths in the family. They will send you a fake email or message claiming they have an asset or funds they are trying to return to the deceased family member. Once the victim clicks on these links to sign up for whatever is offered, they will use this as a backdoor channel to gain access to the home network. Then, they will look to find other users to exploit, such as the provider conducting a virtual visit.

These are corrupt individuals who will use anything imaginable to trick their victims, including deceased relatives.

It is also not just home networks that are under attack. They are also exploiting the telemedicine platforms. Zoom, one of the more popular platforms for video conferencing, was recently exploited.

What should we do?

If you are using your home to conduct official office work, where PHI is involved, it MUST be treated as an extension of the office where the devices in use come under the same management controls. Your IT department must immediately implement the same policies and set up the same managed IT services similar to the way they would operate in any office. (You now have a remote office.) While some of the HIPAA Privacy Sanctions and Penalties have relaxed their grip on your day-to-day operations because of COVID-19, the security components are more critical than ever.

Do not slow down your cybersecurity training or cut corners when it comes to securing your day-to-day operations.

Our security team has seen firsthand the increase in fraudulent activity across our managed environments. Unfortunately, because we are distracted by the current pandemic crisis, there is an undisputed uptick in opportunistic bad actors who are trying to achieve financial gain. The following list of additional tips to secure your home and business from targeted attacks applies to health system networks and physicians practicing telemedicine from remote locations.

• Immediately have all your providers opt-out of the people finder websites. This step takes time, but by law, they must give you the option to opt-out. (This project would be a good assignment for some of your non-essential workers.)
• Call a family meeting and tell EVERYONE to lock their social media accounts, such as Facebook, Instagram, Snapchat, and Tik-Tok, to the highest privacy settings, meaning only trusted people in their network can see their information.
• Explain social engineering to your children. This principle is something we need to be teaching regardless of the current situation.
• Turn off all your listening devices. You don’t need Alexa eavesdropping on your virtual visits.
• Consider unplugging non-essential internet of things devices. The "Internet of Things" (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
• Have your IT department administer a vulnerability scan on the home network to determine if any existing threats or vulnerabilities are lurking.
• Ensure all devices that connect to your home network have current firmware upgrades.
• Validate that your wireless access points have proper security protocols in place.
• Run email phishing campaigns for your organization. Ensure they are designed and templated around current frauds. It is now is more important than ever to guard against this vulnerability, such as templates regarding deposits for individual stimulus payments.
• Confirm with your current IT specialist that your workstation has proper security tools installed to mimic security protocols a firewall would enforce if you were at your office.
• Do an audit of your financial accounts and email accounts and confirm they all have multifactor authentication enforced.
• If you are remoting back into your office, is this connection secure? Are you using current best practices and not using an open port, for instance?

If your practice lacks these capabilities, there are many firms, such as the Coker Group, that can help. Our IT team can quickly implement the top-tier security protocols for home networks at a low cost to help you secure your home offices.

Contact us today for more information on cybersecurity best practices to ensure you have a secure home working environment.