December 10, 2018
All too often gaining access to sensitive areas is far too easy. An example… One recent afternoon it took little more than a pretty smile and some small talk for me to gain access to some very sensitive IT areas at one of our client practices. Now, to be fair, I am a friendly guy, so I must only have the best of intentions, right? Well in this case, yes, but a friendly smile doesn’t always equal friend…
This begins our next blog series on cybersecurity… A daunting and far-reaching topic to be sure, but something even the smallest of practices needs to be aware of. I’m your blog host and physician practice technologist, Michael Patrick. Our first topic in this series is Social Engineering… what is it and how can you avoid becoming a victim?
In another recent example from the industry, employees of a security firm had t-shirts printed and posed as electrical contractors working in a hospital. They were able to successfully make copies of 50 employee’s proximity cards and gain access to patient records. Having the name of a patient, they called and posed as a family member asking to speak directly to the patient’s physician. Over the phone, the physician released the patient’s entire list of medications, and the schedule of administration, without asking for any additional information.
The end goal of the attacker using social engineering techniques is to gain the victim’s trust so that weak points in a system’s architecture and security protocols can be breached. In the healthcare world, failures because of social engineering attacks lead to HIPAA violations, patient data leaks, and loss of trust. All of this costs the provider money in terms of man-hours required to fix the leaks and potential lawsuits that may result from having sensitive or identifying information leaked.
One of the major goals of your organization should be to avoid social engineering attacks before they start. This helps keep your organization safe and keeps you on task to respond to patient needs rather than dealing with security breaches. So how can you avoid being a victim of these attacks?
Just because someone comes in flashing a pretty smile and reasonable credentials, you can’t assume that they should be there. Ask questions. Find out who they are, who they are supposed to be working for, then if possible, follow up directly with the company to verify the identity of the person in question. Simply by verifying information before granting access to assets, you can successfully eliminate many social engineering attacks.
It is imperative that you avoid revealing personal and identifying information, both about individuals and your organization, to anyone until you have reviewed their authority to have that information. This is taken one step further to include information about organization structure and networks. These are vital pieces of information that attackers will be looking to exploit when they get the information. Although we all like to talk about what we do, we need to scrutinize our words to ensure that we don’t compromise security.
A large number of social engineering attacks come by way of links that are emailed. These links often appear to point to legitimate websites that you may frequently visit. Attackers exploit a momentary lapse in judgement by making the text of a link say one thing while directing your browser to an entirely different site. If you ever question the legitimacy of a link that has been emailed to you, before you click on the link first hover over it. At the bottom of your browser window, a text box will appear revealing the destination of the link. Verify that the link is directing you to the expected website before you click on it, particularly when you receive links from unfamiliar email addresses. More on this in a future blog in the series on Phishing attacks…
So there you have it – three simple tools to add to your arsenal to keep yourself, and your organization safe from social engineering attacks. Ask questions, keep quiet, and pay attention. Using these simple tools you can save your organization time and money, increase productivity, and maintain client data security.
Do you have any stories to share regarding this or any topic you see here on this blog? If so, hit me up in the comments section or feel free to email me @ email@example.com. Again, I’m Michael Patrick, your physician practice technologist. Stay on the lookout for our blog in this Cybersecurity series. Until then, like, share and/or comment on this post!
With more than 20 years of technology and technology sales experience, Michael has led Systeem’s operations since day one, connecting our clients with technology, processes and ideas that make their lives easier and happier.