Don’t let human hackers disorient your employees.
|By: Brand Barney|
A social engineer is basically a hacker that exploits workforce members (your employees). They use their charismatic personalities and wit to gain access to sensitive areas or data (like patient data and administrative credentials) that they shouldn’t have access to.
Social engineering often gets bypassed as part of a security strategy, because it’s not something that can be fixed through a new technology or a more secure password. The only way to protect against social engineering is employee training with frequent refreshers.
Get a great 2-minute summary on social engineering in a HIPAA-context by watching this video.
Personality traits of social engineersOne of the reasons social engineers are so successful is because of their personalities. Because they are trying to hack humans into telling them the information they want to know, they are expert flirters, charismatic suck-ups, and confident intimidators.
It takes only a few moments with an employee over the phone, via email, or in person to determine that they are not properly trained to protect the business and sensitive data against a social engineering attack. Then the social engineer flips the proverbial switch and the attack begins (charm, whit, questioning, leading the attackee, and more...)
SEE ALSO: 9 Ways to Social Engineer a Hospital
Social engineers act and look like they belong in whatever situation they find themselves in. They don’t suspiciously sneak around, they smile and greet employees in corridors. They don’t timidly ask front desk staff to lead them to the server room, they simply barge past the front desk like they already know their way. When things aren’t going their way, social engineers are great at intimidating employees to just give them what they want because of falsified time constraints or convenient name-dropping. With a little research, they will be able to answer questions, making it seem like they are supposed to be there.
Why is social engineering such a problem in healthcare?Social engineering is hard to identify, especially in larger organizations where workforce members don’t always know their fellow coworkers (especially everyone in IT, or janitorial, or maybe outsourced third party vendors). Here are some other reasons social engineers love healthcare employees:
- You are naturally trusting. Humans have an “innocent until proven guilty” type of tendency to naturally trust each other. They don’t question others because they don’t want to seem rude. Sometimes this trusting human quality is exactly what a social engineer needs to slip past a few employees who could have otherwise easily stopped him.
- You have a desire to be helpful. Good people look out for each other, especially in the healthcare environment. Why wouldn’t you help someone who has a quick question, or open the door for someone who forgot their ID badge? [Enter social engineer.]
- You don’t want to look stupid. If you work in a large healthcare environment, you probably don’t even know half the staff’s names, let alone what they look like, or where they should and shouldn’t have access. If a social engineer walked by you in scrubs, but without a badge, would you have the courage to stop and ask him for it? What if they looked and acted like a physician? What if they do have badge, and ID, scrubs, and they are walking out with equipment, like an iPad? Does that raise your suspicion? What about a laptop, or desktop? If you stop the “provider” and they say that IT told them to bring the computer down for troubleshooting because it could no longer connect remotely...what do you do? Most don’t say anything at all, because they don’t want to look stupid.
- You don’t want to get into trouble. Nobody wants to get in trouble with superiors because ID verification took too long, or you offended someone. Social engineers rely on natural human fear of getting in trouble when trying to access sensitive information.
- You cut corners. Be honest, sometimes we all get lazy. We don’t follow HIPAA security policies, our employee training, or the security tip we got in our inbox yesterday. We post passwords on sticky notes because it’s more convenient. We don’t wear our ID badge because we don’t like our picture, or we left our badge at home or in the car. We don’t worry about the semi-suspicious man we just passed in the hall because ‘someone else will worry about it.’
These ‘human flaws’ are some of the most challenging aspects when training employees on detecting social engineering. You are literally trying to train people out of the way they naturally think.
Examples of social engineers in healthcareLet me run through a couple social engineering scenarios that could easily happen, if it hasn’t already, in healthcare.
- Fake nurse. A social engineer purchases some scrubs online and creates a fake ID tag. She walks in and smiles at everyone. Nobody stops her at the front desk and she is able to mingle at the nurse’s station and pretends to text while really taking pictures of patient files without being questioned, she may even give less than secure passwords posted on sticky notes, or freely given out by others.
- IT poser. A social engineer flashes a fake ID tag at the front desk and says he’s here to fix an Internet problem. He says the hospital IT department sent him down. He is led to the router, no questions asked, and he’s able to install malware onto the entire healthcare network.
- Tailgating. A social engineer shows up at the employee entrance carrying an armful of donut boxes. A clueless but helpful employee holds the door open for him, and then follows him to the elevator to ask which floor he needs (all the while not even noticing he doesn’t have an employee badge).
- Threatening. A social engineer calls in, acting as the secretary of one of the hospital’s most important doctors. His boss is having problems accessing the system and he demands to know why. Acting rushed and annoyed, he demands access into the system.
- New hire. A social engineer sidles up to one of the staff members and says, “Hi! I’m a new hire here. Dr. Brown said I’d be able to shadow you today.” Now the social engineer gets a complete tour of the office with no questions asked. What information is he going to get on that tour?
How to defend against social engineersBecause social engineering is basically hacking a human, there’s no security mechanism or tool one could employ that would prevent this.
Employee training is truly the only way to defend against social engineers.Here are my recommendations for preventing a social engineer attack at your organization. In your social engineering policy, teach employees to:
- Not to be afraid of challenging strangers.
- Watch for questions that don’t match the person you’re talking to.
- Verify before trusting people at their word. If “Dr. Brown told me to….”, verify with Dr. Brown before giving them information.
- Not to be afraid to get the manager involved.
- Not to reveal organization or patient information unless they have verified the identify of the person and validity of the request.
- Not to use USB thumb drives they find around the premises, or anywhere for that matter. They might contain malware.
- Never to give out sensitive information over the phone, especially if they received (rather than placed) the call.
- Always wear their badge. If the ID badge policy is laid-back, all a social engineer would have to do is say they forgot their ID badge.
Lastly, and this goes for all things HIPAA, train your staff regularly. Get them excited about protecting PHI, rather than bored about regulation. Don’t let them fear the social engineer. Your staff are your greatest asset, and can help you protect your sensitive data and achieve your HIPAA compliance goals.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.