HRPG Issues Best Practices to Safeguard Hospitals
As we enter year two of the COVID-19 pandemic, our eyes are wide open to the urgent need for robust, reliable communications networks in all aspects of daily life and business. Through it all, malicious robocalls and cyberattacks have been a common threat, hitting hardest at the hardest-hit: healthcare providers and the people they (try to) serve.
For hospital systems and care facilities fighting a global pandemic on local, regional, and national levels, the onslaught of COVID-related spoofing and phishing has been unprecedented. Even worse, it can be debilitating to business operations, supply chains, and patient care.
During the pandemic, hospitals have been deluged with unlawful robocalls, including telephone denial-of-service attacks, social engineering calls designed to steal sensitive information, and phishing/vishing schemes that rely on caller ID spoofing to exploit victims.
In 2020, the Federal Trade Commission (FTC) received more than 2.2 million reports about fraud, with losses nearing $3.3 billion. Top of the list was imposter scams – from “government officials, to known officials and dear family members or friends.” COVID-19 and stimulus-related scams ranked high on the list.
In response, by December 2020, the Hospital Robocall Protection Group (HRPG), a federal advisory committee dedicated to combatting robocalls to hospitals, issued a special report recommending best practices that Communications Service Providers (CSPs), hospitals, and federal and state government can follow to prevent unlawful robocalls from disrupting communications in hospitals.
CSPs and regulators on the front lines with healthcare workers
According to John Riggi, the American Hospital Association’s (AHA’s) senior advisor for cybersecurity and risk, “Robocalls can disrupt critical communications, threaten patient privacy, facilitate cyberattacks, result in unauthorized access to prescription drugs and divert hospital resources. Hospitals can greatly reduce the impact of these calls by educating staff, working with voice service providers and reporting incidents to federal and state regulatory and law enforcement authorities.”
Help in fighting the robocall battle initially arrived when Congress passed the TRACED Act in 2019, giving the FCC broad authority and policy to combat malicious spoofing and spam robocalls and establishing mandates for industry to deploy STIR/SHAKEN and/or robocall mitigation.
At that time, Congress also directed the FCC to establish the HRPG. In their special report, the HRPG outlined suggestions for CSPs, government agencies, and even hospitals themselves to thwart robocalls. A summary follows.
Communications Service Providers (CSPs)
To better combat unlawful robocalls made to hospitals, the group suggests that CSPs serving hospitals take the following measures:
- Implement STIR/SHAKEN on the IP portions of their networks
- Have appropriate procedures in place to ensure compliance with applicable laws
- Confirm the identity of and properly vet their customers
- Analyze, identify, and monitor traffic on their network for patterns consistent with unlawful robocalls
- Offer call blocking and call labeling services
- Provide materials and opportunities for education and guidance to hospitals
Response and Mitigation
- Prioritize hospital entities as appropriate in response and remediation efforts
- Establish a method to ensure hospitals can expeditiously notify the provider about unlawful robocalls that interfere with patient care and hospital operations
- Initiate tracebacks as appropriate
To better protect themselves from unlawful robocalls, hospitals should consider the following steps:
- Engage in education and raise awareness regarding robocall incidents, including through staff training and preparing robocall incident response plans
- Explore available robocall blocking and labeling capabilities offered by voice service providers
- Manage telephone number resources, including by reporting spoofing of the hospital’s numbers and isolating critical phone lines
Response and Mitigation
- Evaluate a given robocall event and capture relevant information about the calling activity
- Contact internal engineers or technicians to implement immediate configuration changes and safeguards within premises-based equipment after an incident
- Coordinate with federal and state agencies as appropriate
To expand their efforts to prevent robocalls from reaching hospitals and other end users, federal and state agencies may want to consider taking the following actions:
- Create and implement balanced policies that facilitate industry’s ability to prevent unlawful robocalls from reaching hospitals
- Enforce existing laws, rules, and policies against voice service providers that originate unlawful robocalls as well as those that fail to take sufficient steps to mitigate the transmission of such calls
- Develop clear and concise hospital education materials
Response and Mitigation
- Improve communication methods between hospitals and law enforcement agencies, and establish information sharing methods across all relevant enforcement agencies
- Actively monitor complaints from hospitals and engage in prompt outreach to providers and agencies who can assist in response
- Make prioritized referrals to the Industry Traceback Group and coordinate traceback response among law enforcement partners
In February of 2021, the HRPG’s recommendations were hailed as thoughtful and comprehensive by USTelecom. In feedback to the FCC, USTelecom assured the government that CSPs were in the fight and already implementing its recommendations.
USTelecom, which through the Industry Traceback Group (“ITG”) has seen firsthand the value of an integrated approach, suggested that the HRPG Best Practices be a model for any provider addressing illegal robocalls, not just hospitals.
Neustar’s portfolio of solutions supports the efforts of CSPs, hospitals, and government agencies to reduce robocalls and restore trust in the phone. Our robocall mitigation solutions work alongside STIR/SHAKEN call authentication to identify unauthorized and suspicious use of phone numbers and detect trends and anomalies in calling patterns for both originating and terminating calls. Visit our STIR/SHAKEN Resource Hub to learn about insights, resources, and solutions.