We’re all familiar with what a technical hacker is. They sit behind a computer somewhere planning their strike on an unsuspecting healthcare company. Healthcare is a prime target for technical hackers. However, a more subtle threat exists: social engineering.
Social engineers are experts at reading and manipulating people. They rely on trickery, wit, and charm to break into otherwise secure systems. They exploit the weakest link in the security chain: humans. Social engineering is a security threat healthcare staff may be least familiar with. So, what does it look like? How do social engineers manipulate people and gain access to secure systems? Let’s look at an example of how social engineering might play out.
Suzy, a clinic manager, lists her workplace on her personal Facebook page. She hasn’t enabled privacy features, so her personal profile is visible to the public. She hasn’t given a second thought to the connection between her public profile and her clinic.
George is a social engineer. He knows that medical personally identifiable information will fetch a fantastic price. So, George is on the hunt for a healthcare employee to exploit. He sees on Suzy’s profile that she works at a medical clinic. He also sees Suzy’s post that she’s on vacation in the Bahamas.
George calls the clinic, and Patti answers. He asks to speak to Suzy. Patti replies that Suzy is away from the clinic and asks if she can be of any help. George laughs, pretending he forgot, and tells Patti he’s jealous that Suzy’s in the Bahamas while they’re stuck at work. His “insider” information and familiar way of speaking cause Patti to trust George.
Now that George has Patti’s trust, he tells her that he’s been working with Suzy on quoting a new server for the clinic. He doesn’t know if they have a server or if they use an electronic medical record (EMR). However, if they don’t, he can spin a story about how Suzy is looking to get a server to support an EMR. Social engineers are con artists. They can spin a story until they get what they want or hit a roadblock and move on to an easier target.
Patti tells George they have a server in the office. He asks her to grab some information that he forgot to get from Suzy. Patti places George on hold and collects the information he needs to remotely access the server. Now that he has access to the server, George can infect it with malware and steal the clinic’s information.
The Real Story
This isn’t only a story. It recently happened in a health clinic. The clinic had a solid contingency plan in place and was able to recover all but a day’s worth of data. However, the clinic lost thousands of dollars in lost work and in lost medical data, the loss of which could cause patient harm. The clinic also had to bear the cost of a new server and data restoration.
This can happen to your organization, even if you have policies and procedures in place. As organizations ramp up technical security, hackers are exploiting humans instead. Social engineering is difficult to detect, as social engineers know how to manipulate perceptions.
How to Prevent Social Engineering
In the story above, Patti could have prevented the hack. She should have asked for George’s contact information and had Suzy contact him when she returned. Patti could’ve asked Suzy’s supervisor if she could share information with George.
So, how can you prevent a social engineering hack? First, employees must understand the risk their personal social media pages can pose to their workplace. Inform them about the dangers of sharing too much on social media. Second, conduct a risk analysis to determine your areas of vulnerability. Third, create and implement a social media policy. A policy should include employee accounts and any references to your organization. Fourth, send periodic security reminders as part of your compliance training program. This will reinforce anti-phishing procedures and help staff avoid exploitation.
To help you create a culture of security compliance, the HIPAAtrek platform sends automatic reminders to your entire team about password management, login monitoring, and malicious software. Contact us to learn more about how HIPAAtrek can help you simplify your HIPAA compliance program.