As if hospitals around the U.S. don’t have enough to worry about in the midst of a pandemic, their everyday cybersecurity concerns, including their vulnerability to being targeted by robocallers or having their official phone numbers spoofed by scammers trying to defraud consumers, haven’t gone away.
As part of the recently passed TRACED Act, the Federal Communications Commission is required to put together a group which can recommend best practices for hospitals to combat robocalls, and for carriers to help protect them. FCC Chairman Ajit Pai announced the formation of the advisory committee, dubbed the Hospital Robocall Protection Group, yesterday. Nominations for membership are being accepted through May 1, with the first meeting expected in July.
“The idea that robocallers would clog up hospital phone lines with a flood of nuisance calls seems unthinkable, but it is a reality,” said Pai. “Health care facilities are critically important, especially in the face of the current pandemic, and the last thing they should have to worry about is receiving robocalls that distract from performing their mission — supporting the health and well-being of all Americans. By establishing the Hospital Robocall Protection Group, we’re focusing our efforts on the negative impacts robocalls can have on our health care system. I look forward to working with committee members to find ways to help those who help us.”
This isn’t a hypothetical situation. According to a Washington Post report from last June, Tufts Medical Center in Boston was besieged by thousands of robocalls one morning in 2018, registering more than 4,500 calls within two hours.
David Summit, who is chief information security officer for the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Florida, testified before a House subcommittee last April, saying that he was representing hundreds of healthcare organizations that were experiencing the impact of such calls, or of calls that try to deceive consumers by making illegal scam calls appear to come from a hospital.
“In our experience, this activity constitutes a serious threat to patient care, in addition to disrupting business operations and facilitating financial fraud. In recent months, many consumers, including some patients and their families, have been targeted by robocallers who use ‘spoofed’ numbers identical to the hospitals in an effort to gain sensitive information,” Summit told the committee. “Even more concerning is that this practice can jeopardize the line of communication between health providers and patients by casting doubt on the integrity of calls coming from the hospital or their care provider. What I bring to the committee is information that elevates this issue beyond the level of just an ‘annoyance’; these are outright fraudulent calls with malicious intent.”
He described three types of fraudulent calls that the hospital was experiencing: calls made to look like they are coming from within the organization that actually are coming from scammers; calls going out to individuals with caller ID information that makes it appear they are coming from the cancer center, in which, when people answer, someone identifies themselves as hospital personnel and asks for insurance or payment information; and calls identifying themselves as coming from a law enforcement or government entity and asking to speak to a targeted individual.
Summit said during his testimony that the cancer center had received more than 6,600 of the first type of call within a 90-day period, which took up 65 hours of hospital employees’ response time; and more than 300 calls that appeared to come from Washington, D.C., with more than half from numbers that appeared to represent a federal agency, of which some were fraudulent.
He described one example in which “the fraudulent calls that impacted Moffitt were identified as coming from the U.S. Department of Justice using a legitimate phone number. When our employees answered the phone, they were subjected to an urgent request by the caller, who self-identified as a DOJ employee. They demanded to speak with the named physician — and only that physician — and communicated an urgent problem affecting his medical license number and his Drug Enforcement Agency number. These attempts occurred over several weeks and involved numerous care providers. These calls can be quite disturbing and disruptive, and we, along with other organizations, have to manage them on a daily basis.”
Summit also said that the cancer center’s carrier had been unhelpful as Moffitt tried to get the calls to stop.
“During the aforementioned U.S. Dept of Justice event, the telecommunications carrier told us that we needed twenty to twenty-five calls within a 72 hour window before we could file a complaint with them. The carrier’s internal investigations group had defined this threshold independently [of] the impact it had on our operations. During a second incident, when we were investigating numerous malicious calls identified with our own organization’s number, the carrier would not give us the source of the calls and stated a subpoena would be necessary to obtain the information. I am rather astonished that others can use our owned phone number range, fraudulently represent our organization, and we have no recourse other than court order. There should be provisions made that when a company is actively investigating a suspected fraud or information security breach, they should have cooperation from the carrier,” he told the committee.
According to the TRACED Act, the Hospital Robocall Protection Group’s members can include hospitals; voice service providers who serve hospitals; companies which mitigate robocalls; providers of one-way voice-over-IP services for healthcare; state government officials who focus on combatting robocalls; and consumer advocacy organizations. It will also include one member each from the FCC and the Federal Trade Commission.
Within 180 days of being established, the group is required to publish best practices that cover how hospitals can better protect themselves from illegal robocalls and how federal and state governments can assist them in that effort. After those best practices are established, the FCC is required to put in motion a proceeding to “assess the extent to which the voluntary adoption of such best practices can be facilitated.”