PROTECT YOUR HEALTHCARE ORGANIZATION AGAINST SOCIAL ENGINEERING ATTACKS
New developments in security software and hardware force criminals to search for other ways to crack network security and steal protected health information (PHI). What better place to start than the most difficult part of your organization to secure: workforce members.
Social engineering is one of the easiest routes to sensitive data, especially if workforce members haven’t been trained on how to recognize and combat it. Yes, social engineering is less predictable than regular network hacking attacks. Not to mention everyone who works for your organization is a potential target, from the receptionist to management. Unfortunately, your workforce is liable to make mistakes, but with regular and meaningful interactive social engineering training, you can stop most attacks from reaching success.
Healthcare organizations must take this threat seriously and devote more employee training resources to lower the social engineering threat. In this white paper, you will learn the basics of social engineering, common social engineering techniques, and 5 steps to train your workforce on social engineering.
Social engineering is the act of using any method conceivable to convince an employee to give up passwords, computer access, or admittance to off-limits areas that a social engineer can use to steal PHI or access systems to install malware. In true Catch Me If You Can scenarios, social engineers convince staff to give up sensitive information simply by acting like they belong.
Social engineering is effective because many employees want to be helpful and have a natural tendency to believe what seemingly trustworthy people say. If your employees aren’t trained to recognize social engineering tactics and techniques, they probably don’t know what is required of them.
Three main social engineering techniques plague the healthcare industry today:
1. Classic Social Engineering
Initiated either in person or via phone, a social engineer claims to be someone important (usually from IT) and demands information from whomever answers the phone or sits at the front desk. These scenarios range from demanding employee IDs in order to fix software, to claiming to be a utilities auditor and demanding access to the server room. If the employee gives in to the request, attackers have a legitimate path into the network.
2. Email Social Engineering
Email social engineering (email phishing) is the extremely successful electronic cousin of classic social engineering that costs the average breached U.S. organization more than $3.7 million annually. Phishers create legitimate-looking emails that secretly contain malware or links to fraudulent web pages, then send these emails to healthcare employees with hopes that they will open them. Phishers add legitimacy to their emails by using tools such as Google and LinkedIn to research trusted employee management and business partners.
3. Opportunity Social Engineering
Opportunity social engineering doesn’t normally involve interactions between social engineers and employees, but is still a result of employee actions. For example, social engineers leave USBs around hospitals loaded with malware. If an employee picks one up and uses it at work, the storage device automatically downloads malware onto the entire system. Sneaking through unlocked smoke-break entrances and stealing employee ID’s out of vehicles are other ways social engineers use opportunity to their advantage.
Specifically, here are some relevant social engineering scenarios that employees should recognize:
- The Dumpster Dive: If organizations don’t shred sensitive documents (e.g., invoices, phone lists, calendars, software information), a social engineer could go through the trash and find PHI and/or sensitive information about organizational computers.
- The Pointed Question: A social engineer asks a staff member several pointed questions (e.g., different department supervisor’s names, usernames, etc.), then uses this information to gain access to the network.
- Fake IT: A social engineer poses as IT, flashing a fake ID tag and asking the front desk to fix an Internet problem. If they are led to the router, they can install malware onto your entire network.
- Changing Passwords: A social engineer calls the help desk, while posing as a member of IT, and they change an employee’s username and password while the employee is gone.
- The Name-Drop: A social engineer goes up to the help desk and/or front desk, mentioning their supposed supervisor’s name, and the attacker eventually gets access to the network.
- The Relaxing Conversation: If a staff member becomes suspicious of a social engineer, the social engineer will take time talking and joking with that staff member. After a few minutes, the staff member is more willing to give the social engineer access to the system.
- Fake Staff: A social engineer dresses and acts like employees (e.g., wearing scrubs, wearing an ID tag). If nobody stops them to check their ID tag, they can steal PHI, take laptops, and/or install malware while walking around.
- Tailgating: A social engineer shows up with hands full (e.g., boxes of donuts), asking for an employee to open a door into restricted areas for them.
- New Hire: A social engineer pretends to be a new employee, then asks to be given a tour around the office where they can steal PHI and/or install malware.
There are countless ways hospitals, providers, and covered entities can be socially engineered, but most incidents are caused by staff members that have no policies or training to guide their actions.
Without proper training and policies, if you think your workforce members know how to secure patient data and stop social engineering attacks, you’re sadly mistaken. In fact, most breaches originate from healthcare workforce members. Although most healthcare workers aren’t malicious, they often either forget best practices or don’t know exactly what they’re required to do.
To help protect sensitive data, employees need to be given specific rules and regular training to know how to protect PHI. The following are five steps you can use to educate your employees about social engineering, protect PHI, and save your organization from a devastating data breach.
1. RETHINK SOCIAL ENGINEERING TRAININGS
First things first: have a mandatory social engineering meeting for all employees, including executives. If you don’t feel qualified to lead the meeting, hire a corporate social engineering coach.
Ask employees scenario-based questions about social engineering. Share personal stories. Act out scenarios that would potentially occur in your specific environment. Make it interesting and interactive. Create special training programs for those on the front line who regularly deal with visitors, like receptionists, as they are most at risk.
This meeting should empower employees to understand the types of social engineering attacks, tips to avoid manipulation, and what to do if a social engineer attempts to solicit them for information.
Regular training (e.g., brief monthly training) will remind employees of the importance of security, especially keeping them up-to-date with current security policies and practices.
HIPAA TRAINING DATA
Graphs throughout this white paper are an analysis of responses collected from 96 individuals who are responsible for HIPAA compliance (40 professionals in 2018 and 56 in 2017) about their training policies.
Your corporate social engineering policy can include whatever you believe will help employees identify, assess, avoid, and document social engineering attempts. Don’t create a lengthy legalese-filled document.
Here are a few samples of specific policies/procedures to include:
- Request ID verification for anyone trying to access off-limits areas
- Document suspicious people or situations
- Never use a USB except if directly obtained from
the IT department
- Report lost/stolen badges within 12 hours
- Never click on an email you don’t recognize
- Send suspicious and potential phishing emails to email@example.com
- Alert a manager if you feel you are encountering or have encountered a social engineering situation
3. MAKE IT PART OF REGULAR CONVERSATION
Implement a continuous training approach by soaking social engineering information into every message that goes out to workforce members. Make it part of the employee newsletter. Send regular emails that run through real-life scenarios. Put tips on bulletin boards. New hires should be indoctrinated into your anti-social engineering campaign as soon as possible.
Your educational campaigns should also remind readers that social engineering doesn’t just happen within the walls of your organization. Ever heard of subway shoulder surfers? How about grocery store phone call eavesdroppers? Even sharing too much information on social media may lead to a social engineering attack.
Create a social engineer guerilla task force. Sanction them to test your own employees by doing things a social engineer would do. If you don’t feel comfortable heading up this task force, some security professionals offer social engineering testing services as part of their penetration testing program.
Your task force should do things like:
- Take badges and credentials left in unlocked cars.
- Pose as janitorial staff and attempt to access a secured room without a badge.
- Pose as an IT person that needs to fix the network and see how close they can get to the server room before someone stops them.
- Use technology like Wombat’s ThreatSim software to send fake phishing emails and track the results.
- Try unlocked doors around the backside of buildings.
- Dumpster dive for sensitive documents.
- Leave USBs around campus and track where they end up.
- Look for unlocked computers and change the desktop picture.
Ensure that whenever you test employees, you capture what happens to provide a teaching moment that explains what they did wrong, how they can avoid it in the future, and a plea to share the experience with their coworkers. Be careful about embarrassing employees. Instead, create a positive experience and teaching moment so they will want to receive more training.
The key to having employees who successfully deal with social engineering incidents is this: they must feel comfortable questioning strangers and (what looks like) their fellow coworkers.
Before rushing into a decision, employees should always question and think through processes and situations. Here are a few examples:
- “Do we allow anyone with a uniform behind the desk? UPS guy? Janitor? Drug Representative?”
- “Can I see your ID please? Hold on for a second while I verify your clearance.”
- “No, I’m sorry but you can’t use my ID. Where’s yours anyway?”
- “I’m going to have to talk to my manager about giving you that information.”
Social engineering is one of the top methods for attackers to steal PHI, but it doesn’t have to be for your organization. Regular social engineering training can stop most of these attacks and protect your patient’s information.
If you don’t have social engineering training in place, create a training program and incorporate it into normal business practices. Test your employees on their responses; this includes upper management and executives. Oftentimes executives won’t buy into the severity of your social engineering threat unless they see firsthand how their employees respond.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.