Illegal robocalls are more than annoying, they often involve fraudulent schemes. These calls can be particularly pernicious when made to hospitals or health facilities. Hospitals face a wide range of illegal robocalls, including telephone denial of service attacks and targeted social engineering and phishing schemes, as well as unsolicited telemarketing calls. These calls disrupt critical communications, invade the privacy of workers and patients, divert hospital resources and can lead to security breaches or fraudulent prescriptions. For example, a bad actor may call a patient’s room to pretend to be a Medicaid or Medicare representative, or they may call and try to obtain credentials to access the hospital’s computer system to launch a ransomware attack, which have been increasing at hospitals.
As part of major legislation enacted at the end of 2019 to combat illegal robocalls, Congress established a federal advisory committee to recommend best practices to mitigate illegal calls to hospitals and health facilities. The committee recently released its best practices report, which can be found here. The report includes recommendations that hospitals, their voice service providers and government agencies can take to prevent illegal calls from reaching hospitals as well as steps to take when under a concerted attack and in its aftermath. To optimize the efficacy of these best practices, these stakeholders should coordinate their efforts. Following are some of the key recommendations.
To prevent illegal calls from reaching hospitals in the first instance:
- Telephone companies should adopt robocall mitigation technologies and programs such as verifying the accuracy of phone numbers, vetting their customers to weed out bad actors before beginning to provide them service, monitoring their networks to identify illegal calling campaigns, offering call blocking and labeling programs to their hospital clients, and providing education and guidance on appropriate mitigation steps.
- Hospitals should train staff who answer phones to identify illegal calls and the type of call information they should gather (such as the time of the call, the number showing up in caller ID, and the content of the message) to help catch perpetrators; encourage internal staff to report robocalls; develop processes and plans to work with their service providers and law enforcement agencies; and consider participating in threat intelligence and sharing organizations.
- Federal and state agencies should provide information and guidance to hospitals on how to better protect themselves from illegal incoming calls, but also on steps to take if a bad actor fakes calling from a hospital number (called spoofing), as well as ways to address the accidental blocking or mislabeling of outbound hospital calls.
The report also identifies a number of steps that can be taken during an event and in its aftermath. For hospitals, the report’s recommendations include: identify how many of the hospital’s phones are being called; work with the hospital’s telephone provider to identify the telephone company that sent the calls (this can help trace the call back to the person or entity that made the call—a call may transit many telephone carriers before reaching the hospital); work with internal IT staff to optimize configuration of the phone system to minimize the scope of attacks; determine when to contact law enforcement, for example, when the calls seek to steal personal or health information, and then follow up; train staff to never engage with the caller but hang up immediately; and retain call logs and IP logs where available.
The report concludes that, although completely eliminating illegal robocalls may not be possible, taking reasonable steps to prevent, recognize and respond to such calls can help reduce their harmful effects.
This document is intended to provide you with general information regarding best practices to mitigate illegal robocalls to hospitals. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions.