HHS, FBI issue phishing, ransomware attack advisory for providers

The federal government is warning providers and public health entities about certain types of cyber attacks and advising them not pay ransoms.

An advisory issued this week by the Health and Human Services Department and the FBI said criminals are using social engineering campaigns to target healthcare, public health entities and providers. Phishing schemes are being used to steal login credentials that give bad actors access to payment information. 

Read more: Why healthcare is a 'one-stop shop' for hackers

The FBI and HHS wrote in the advisory that paying hackers could “embolden adversaries" to target other organizations, encourage other criminal actors to engage in ransomware attacks and fund illicit activities. 

The advisory comes at a time when health system cybersecurity executives are looking at their biggest points of weakness in the aftermath of large-scale breaches such as those at St. Louis-based health system Ascension, UnitedHealth Group's Change Healthcare and Chicago-based Lurie Children's Hospital.

According to the advisory, “healthcare organizations are attractive targets for threat actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.”

In 2023, the number of individuals affected by healthcare data breaches reached new highs, with an equivalent of 40% of the U.S. population having their information stolen or otherwise exposed.

The advisory reiterated guidance from the Homeland Security Department's Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology that included implementing multi-factor authentication and training IT employees to identify potential vulnerabilities.