Your workforce members are your weakest link; here’s what you can do to help them.

By: Brand Barney, SecurityMetrics
Want to know a secret? Most hackers are lazy. That means they’ll try to steal data in the easiest way possible.

People tend to assume that hackers breach hospitals through incredibly complex technical attacks. In reality, attackers often steal data through non-technical methods like social engineering, because it is easier and takes less effort than finding and exploiting a software flaw.

Social engineering is basically human hacking. A social engineer manipulates staff members into granting access to their computers, routers, or Wi-Fi, and then uses that access to steal Protected Health Information (PHI) and/or install malware.
Generally, all you have to do to be a successful social engineer is be nice: people are reluctant to challenge someone who is friendly, confident, and appears to belong.
There are countless ways hospitals and even smaller covered entities can be socially engineered, but they all revolve around five big issues that most entities have:
  • Unaware staff
  • No policies regarding request verification
  • Lack of reporting suspicious people/situations
  • Minimal physical security
  • Lack of communication between departments
Let me give you a few real scenarios:

1. The Dumpster Dive

Sometimes hospitals don't dispose of sensitive documents properly. Take a hospital that outsources its IT work to an offsite provider. If the hospital receives invoices from that provider and doesn't shred them, a social engineer could go through the trash and learn details about newly installed hospital computers. Even better, he could find the names of the IT personnel who installed them.

The social engineer’s conversation could go like this, “Hey, this is Brian over at Acme IT. I understand you guys had some computers installed by our employees. (He then lists the names he found on the invoice.) Well, they’re not with our company anymore, and we need to reinstall some software on those computers. Can I come down this afternoon?”

If the hospital gives him permission, he now has hands-on access to a computer where he can install malware, steal PHI, etc. Most organizations won't bat an eye when an outside entity they have contracted for IT work shows up; the only question they tend to ask is "how much is the work going to cost?" Note that nothing in this call could be verified from the invoice alone: the hospital would have to call the provider back at a number already on file.

2. The Changing Passwords

The social engineer finds the name of a staff member. She calls up the help desk and poses as a member of IT, “Hey, I’ve got so-and-so with me and she needs her username and password changed. She just stepped away from her desk, but she’s been having problems with the system.”

The help desk grants the request, and she now has the employee's new username and password and can use them to steal the hospital's data. This is a huge problem, and it happens in organizations all the time, especially when the help desk has no solid policy for password resets that aren't done face to face, or when it gets swamped. A little know-how, a name drop here and there, and a smile on the phone, and the social engineer has just convinced the IT help desk to reset your password. A help desk should never reset credentials on the strength of a phone call alone; it should verify the identity of the actual account holder through a channel it controls, such as a callback to the number in the directory or an in-person check.

3. The Name-Drop

A social engineer goes up to a help desk, “Hi, my supervisor, Kent, has requested a change to a system in my department; it’s been having problems. I need to get on one of your computers.”

He’s in a big hospital, so the staff believes him, especially since he gives a supervisor’s name. The staff grants that request without a second thought. He has access to a computer that may have PHI and other data.

4. The Walk-In

The social engineer walks into the hospital, dressed up in a suit, looking very official. He picks up a patient record that’s lying on a desk and starts looking through it. Nobody stops or questions him. Within five minutes, he takes several photos of the data, puts the record down, and walks out of the hospital, and no one is the wiser.

5. The Unlocked Computer

A social engineer walks into a hospital. He confidently goes into an office that’s unlocked and sits down at the computer. The computer is unlocked and he now has access to all kinds of data. He starts going through information and installs malware on that computer to steal more information later.

During this time, no one questions him because he looks and acts like he belongs.

6. The Relaxing Conversation

The social engineer walks into a hospital and tells a staff member, "I'm with IT and I'm here to install some updates on your systems. I need to get on your computer." The staff member is initially suspicious.

The social engineer backs off and decides to first become friends with the staff member. She cracks jokes, divulges a bit of information about herself, and confides in the staff member.

After a few minutes, the staff member is more comfortable. “What was it you needed?” The social engineer now has a computer where she can install malware, steal data, or even delete important information.

7. The Fake IT Guy

A social engineer calls someone within the hospital, spoofing the caller ID so that a hospital phone number appears on the recipient's phone, and says, "This is James from IT. I need your username and password." The person gives the information to him, and he now has access to the network. Because he then acts under the employee's own credentials, everything he does in the logs looks like that employee, which makes him nearly untraceable. A displayed phone number is not proof of identity, and legitimate IT staff never need a user's password.

8. The Pointed Question

A social engineer asks a staff member pointed questions, masking them as casual inquiries. The staff member unwittingly gives her valuable information, such as his supervisor's name, his username, the name of the department head, etc.

After a few more questions, she now has enough information to call up a different department, name-drop and then get more information.

9. The iPad Walk Out

A social engineer walks into a busy hospital, takes an iPad lying on the reception desk, and walks out. The staff members are too busy with their various responsibilities to notice.

He isn’t questioned by anyone because he looks like any other person carrying an iPad. The staff doesn’t notice the iPad is missing until later. By then, the social engineer potentially has access to information, PHI, data, etc.

SEE ALSO: Healthcare: Recognize Social Engineering Techniques

How to fight back

While social engineering is a serious problem, there are ways to combat it. Here are my suggestions:
  • Train staff members to be aware and suspicious: They should notice if a device is missing. They should be aware of who’s working, and they should question anything that looks slightly out of place.
  • Train staff members to verify requests: Staff members should verify with supervisors when someone claims to have arrived to work on hospital computers, servers, Wi-Fi, etc. The verification must go through a channel the hospital controls (a supervisor, or a callback to the vendor's number on file), never through a phone number, name, or business card supplied by the requester.
  • Make each department accountable for security: For most hospitals, it’s impossible for the C-Suite to train everyone about security. Every department head should constantly discuss security with employees.
  • Hire a consultant: If you don’t even know where to start, hire a HIPAA consultant to help you boost your hospital security.
  • Take advantage of resources: There are webinars, blogs, reports, white papers, and more resources that talk about social engineering, HIPAA security and HIPAA regulations. Research and learn!
  • Test your staff: The best way to learn security techniques is to practice them. Get your staff used to social engineering attempts by pretending to be a social engineer (or hire an ethical social engineer). See what they do, and debrief them after.
  • Boost your physical security: Keep computers locked, use screensavers, watch your devices, and lock offices when not in use. Taking small measures will help prevent social engineers from easy access.
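Scenarios 5 and 6 above both depend on a workstation that stays unlocked while its user is away. The following PowerShell script is an added example, not code from the original post or from SecurityMetrics: it audits and, if needed, enforces a password-protected idle lock on a Windows workstation using the registry values behind the Group Policy settings "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and the security option "Interactive logon: Machine inactivity limit". The 10-minute timeout and the `-Enforce` switch name are assumptions chosen for the example; the timeout a hospital picks should come from its own risk assessment. It must be run from an elevated session.

```powershell
# Added example (not from the original post): audit and enforce an idle-screen lock
# on a Windows workstation. Run as Administrator. Timeout value is an assumption.

[CmdletBinding()]
param(
    [int]$TimeoutSeconds = 600,   # assumed value: 10 minutes
    [switch]$Enforce              # without this switch the script only reports
)

# Machine-wide policy: "Interactive logon: Machine inactivity limit".
# Locks every user's session after N seconds without input.
$SystemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Per-user screensaver policy (the values the Group Policy editor writes for the
# "Enable screen saver" / "Password protect the screen saver" / "Screen saver timeout"
# settings). Set here for the current user; deploy via GPO to cover all users.
$DesktopKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-ScreenLockState {
    # Read the current values; a missing key or value reads back as $null.
    $sys = Get-ItemProperty -Path $SystemKey  -ErrorAction SilentlyContinue
    $dsk = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InactivityTimeoutSecs = $sys.InactivityTimeoutSecs
        ScreenSaveActive      = $dsk.ScreenSaveActive
        ScreenSaverIsSecure   = $dsk.ScreenSaverIsSecure
        ScreenSaveTimeOut     = $dsk.ScreenSaveTimeOut
    }
}

function Test-ScreenLockCompliant {
    param([int]$MaxSeconds)
    $s = Get-ScreenLockState
    # Compliant only if every control is on and no timeout exceeds the limit.
    ($null -ne $s.InactivityTimeoutSecs) -and ([int]$s.InactivityTimeoutSecs -le $MaxSeconds) -and
    ($s.ScreenSaveActive    -eq '1') -and
    ($s.ScreenSaverIsSecure -eq '1') -and
    ($null -ne $s.ScreenSaveTimeOut) -and ([int]$s.ScreenSaveTimeOut -le $MaxSeconds)
}

function Set-ScreenLockPolicy {
    param([int]$Seconds)
    New-Item -Path $SystemKey  -Force | Out-Null
    New-Item -Path $DesktopKey -Force | Out-Null
    # InactivityTimeoutSecs is a DWORD; the screensaver policy values are REG_SZ strings.
    Set-ItemProperty -Path $SystemKey  -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'      -Value '1'      -Type String
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure'   -Value '1'      -Type String
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'     -Value "$Seconds" -Type String
}

Write-Host "Before:"
Get-ScreenLockState | Format-List

if (-not (Test-ScreenLockCompliant -MaxSeconds $TimeoutSeconds)) {
    if ($Enforce) {
        Set-ScreenLockPolicy -Seconds $TimeoutSeconds
        Write-Host "Policy applied. After:"
        Get-ScreenLockState | Format-List
    } else {
        Write-Warning "Workstation does NOT enforce a password-protected lock within $TimeoutSeconds seconds. Re-run with -Enforce to fix."
    }
} else {
    Write-Host "Compliant: idle lock enforced within $TimeoutSeconds seconds."
}
```

Run it once without `-Enforce` across a sample of workstations to see how many would have let the social engineer in scenario 5 sit down at an open session, then roll the setting out through Group Policy rather than by running the script on each machine. The machine-wide inactivity limit is the more important of the two controls, since it cannot be turned off by an individual user changing their own screensaver settings.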
The biggest way to fight back against social engineering is proper, regular staff training. It's true that training costs some downtime, but it's critical to your patient data and your organization's brand that staff members know how to recognize and respond to social engineering. Onboarding and annual training aren't enough. Schedule quarterly, or even monthly, training.

SEE ALSO: HIPAA Training Video: Essential Healthcare Compliance Training

Today, staff members who aren't well versed in security are a liability rather than a line of defense. Hospitals need both systems and people that are active and aware.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
