Hospitals are being suffocated by robocalls

Medical staff are being overwhelmed by a new type of health crisis: “a wave of thousands of robocalls that spread like a virus… from one phone line to the next, disrupting communications for hours,” the Washington Post reports.

This is nothing new. According to the spam-call blocker company YouMail, there were an estimated 4.7 billion robocalls placed in the month of May alone.

But it’s reaching a feverish pitch at the organizations for which it’s far more than an annoyance – rather, as hospital cybersecurity chiefs tell it, it’s a question of life and death. Spearphishers are placing spam calls to patients – using numbers spoofed to look like they’re coming from legitimate healthcare organizations and pretending to be hospital representatives – and trying to get insurance or other payment information out of their targets.

Spam callers are also spoofing hospital phone numbers to place calls to hospitals that look for all the world like the calls were placed internally. Answering those calls takes precious time out of the day that should be dedicated to saving people’s lives and to medical research.

A third type of nuisance call is coming from spearphishers who pose as employees at government agencies and demand to speak to a specific, named physician as they try to finagle confidential information out of the doctors, such as medical license numbers and Drug Enforcement Agency (DEA) numbers – information with which fraudsters can illegally procure drugs to then sell on the black market.

Dave Summitt, the CISO of one such besieged hospital, the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Florida, testified in April 2019 in front of the House of Representatives about how overwhelmed healthcare organizations have become by the scourge.

90 days, 6,600 spoofed calls, 65 wasted hours

Summitt said that over the course of the 90 days that led up to his testimony, over 6,600 calls spoofed to look like internal numbers were answered by staff at Moffitt, which is the third busiest stand-alone cancer hospital in the US.

During a 30-day period, hospital staff answered more than 300 calls that looked like they were coming from the Washington DC area, with half claiming to be from a federal agency. Caller ID identified some of them as coming from the US Department of Justice (DOJ). When Moffitt staff answered, the callers said they were DOJ employees… and then demanded to speak with a specific, named physician about an urgent problem affecting his or her medical license number and DEA number.

Those malicious and/or fraudulent calls tied up hospital staff for 65 hours, Summitt said.

You probably, and I for sure, complain about robocalls and spam calls and how the US government has failed to pass a single law on robocalls. Summitt said that he’s in the same boat: on his personal cell phone, he has 45 blocked numbers entered just in the last 90 days.

Not to minimize the frustration that entails for all of us, but the problem rises to a much higher level than mere annoyance when we’re talking about healthcare organizations, he said.

These attempts occurred over several weeks and involved numerous care providers. These calls can be quite disturbing and disruptive, and we, along with other organizations have to manage them on a daily basis.

The Washington Post mentioned another hospital, Boston’s Tufts Medical Center, where more than 4,500 nuisance calls came in between about 9:30 and 11:30 a.m. on one single day, 30 April 2018, according to CISO Taylor Lehmann.

Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information. Lehmann said that while scams trying to scare foreigners into giving up their private data are a known phenomenon, this attack was particularly disturbing given that it targeted Tufts – a hospital located in Boston’s Chinatown.

Are carriers dropping the ball?

What are carriers doing to help save the hospitals? Not much, if anecdotal evidence is any guide. Lehmann said that Tufts’ telecom carrier, Windstream, told them that “There’s nothing we [can] do.”

For its part, Windstream blames Tufts’ outdated phone technology. The Washington Post quoted Thomas Whitehead, the company’s VP of federal government affairs:

We do have a call-blocking solution we offer. We just couldn’t offer it on their system.

The Post reports that one year later, Windstream said it was still “following up” with Tufts.

Similarly, the Moffitt Cancer Center has experienced what Summitt finds a baffling lack of response from its own telecom carrier, which the Washington Post identified as CenturyLink. During the incident with the spoofed DOJ calls, Summitt said that the carrier told him that the hospital would need to get more robocalls to file a complaint. The targeted organization needs to receive between 20 to 25 calls within a 72-hour window to make that happen, he was told.

When Moffitt tried to find out who was behind the spoofed calls that were using the hospital’s own number, the carrier wouldn’t give out the source of the calls – not without a subpoena, according to Summitt.

CenturyLink said that it’s not so: a spokeswoman told the Washington Post that it’s “not our policy and must have been a miscommunication” that someone told Moffitt that it couldn’t block certain numbers unless it had received more calls:

Our fraud management team worked closely with Moffitt to identify illegal robocalls, trace them back to their source and ultimately block them. We will continue to do our part to fight unlawful calls.

Are the robocallers being protected more than the hospitals?

Something’s wrong when hospitals are beholden to obey laws about protecting patient privacy, while those who make forged calls have their own privacy shielded, Summitt told Congress:

I am rather astonished that others can use our owned phone number range, fraudulently represent our organization, and we have no recourse other than court order. There should be provisions made that when a company is actively investigating a suspected fraud or information security breach, they should have cooperation from the carrier. Our health care regulations require us to protect patient privacy and safety, yet it seems bad actors are more easily protected from privacy than those already covered under regulatory requirements.

How do we get robocalls to die, die, die?!

In May 2019, the US Senate passed an anti-robocalling bill. It’s still waiting for the House to take it up, which the House might not do, given that it’s working on its own version, the Stopping Bad Robocalls Act (HR 946). That House bill was introduced by Rep. Frank Pallone Jr., the chairman of the Energy and Commerce Committee.

Whichever bill – if either – gets passed and signed into law by the president, it will still take months to implement the technology that’s supposed to fix this problem.

What will also take months: fixes from the top telecoms that would label a call if it’s likely to be spam.

Meanwhile, the Federal Communications Commission (FCC) has been stepping up efforts to track down, and fine, scammers.

The FCC is fully aware of how the healthcare industry is being negatively affected by these calls. When it issued a $120 million fine against Adrian Abramovich – a Florida man known as the “robocall kingpin”  – it cited millions of calls Abramovich robo-placed that drowned out operations of an emergency medical paging provider:

By overloading this paging network, Mr. Abramovich could have delayed vital medical care, making the difference between a patient’s life and death.