In last month’s blog, Compliance vs. Security and What Do All Those Acronyms Mean?, I highlighted the differences between compliance and security and how it’s possible (but not desirable) to have one without the other. This month, marking the anniversary of one of the most infamous hacker arrests of the twenty-first century, I want to discuss a serious security threat that compliance alone cannot prevent. But don’t worry, I’ll also highlight best practices you and your staff can take to protect your organization.
Before we begin, I want you to imagine your idea of the typical hacker. Do you picture someone dressed as a burglar sitting at a desktop computer in a dark room? If you do, then it’s time to reconsider that idea.
Twenty-one years ago, the FBI arrested Kevin Mitnick on federal charges related to computer hacking and wire fraud. Wanted for breaking into the systems of Pacific Bell, Mitnick spent two and a half years as a fugitive before his arrest in February 1995. During that time he gained unauthorized access to dozens of computer networks, cloned cell phones to hide his location and copied proprietary software from companies. But Mitnick did not pull off all of these hacks from behind a keyboard, relying only on his knowledge of IT infrastructure.
The tactic Mitnick used to build his impressive hacking rap sheet is one of the greatest security threats facing every organization today, healthcare included: social engineering. Social engineering is a non-technical method of intrusion that relies on human interaction, typically tricking people into divulging confidential information or breaking security procedures. Mitnick used it to talk his way into confidential information and around IT security defenses. Today, almost 80 percent of cyberattacks begin with tricking a human (Verizon 2014 Data Breach Investigations Report, to which the US Secret Service contributes).
It’s tough to protect against social engineering for a few reasons. For one, the manipulation of a person cannot be prevented with more complex passwords or a new hardware purchase. Also, social engineers can be hard to recognize because they are excellent at acting like they belong in whatever environment they are trying to hack. They are friendly, knowledgeable and even flirtatious because they depend on human tendencies to be naturally trusting, willing to help and reluctant to appear ignorant. Healthcare is particularly vulnerable to social engineering because of the inherent qualities of healthcare professionals. Most doctors, nurses and staff are compassionate, empathetic and looking to help and heal other people. It is easy to see how these professionals would hold the door for a person claiming to have forgotten their security badge (tailgating) or give information over the phone to someone claiming to call from the IT department (pretexting). Plus, many healthcare organizations have rotating staff, so it is not uncommon to encounter new people daily, and an unfamiliar face raises no alarm.
The best defense against this ever-growing threat is to train staff to be on the lookout for common social engineering tactics. Commonly cited figures put human error behind more than 95 percent of past breaches, so develop your training with the assumption that your staff will make mistakes, and build verification steps that hold up even when someone is tired, busy or eager to help.
Here are some best practices to prepare your staff in the event of social engineering:
- Question strangers and always verify someone’s identity before revealing any confidential information.
- Never give confidential information (passwords, patient data, network or vendor details) to an inbound caller. If the request seems legitimate, hang up and call back on a number you already have on file, not one the caller gives you.
- Keep an eye out for suspicious emails requesting information, especially ones that create urgency, come from a lookalike domain, or ask you to click a link to "verify" an account.
- Do not be afraid to involve a manager.
- Be skeptical!
- Know who your vendors are and always ask to see ID from anyone claiming to be from one of your vendors. A badge, uniform or clipboard is easy to fake, so confirm an unannounced visit with the vendor's known contact before granting access.
You could also consider simplifying the vendors you deal with by selecting one that delivers multiple solutions to address the biggest challenges facing your organization. Fewer vendors means fewer unfamiliar company names a pretexter can claim to represent, and fewer contacts your staff must know how to verify, which can reduce the risk of falling victim to a social engineering hack.
The InstaMed Team recognizes the importance of protecting against data security threats, including social engineering. For example, our in-house customer service, account management and professional services teams never ask customers for their passwords. We also educate our team about the threat of social engineering and train regularly on how to recognize these attempts and on best practices for maintaining a secure work environment. For example, if a customer calls asking to reset their password, our team goes through a verification process to confirm the customer's identity before a new password is issued.
Identifying a social engineering attack is hard, and some of the best practices outlined above go against human tendencies and a healthcare professional’s inclination to help others. My advice is to empower your staff to use their better judgment and train them to recognize suspicious behavior. Role-play human hacking scenarios and create a security verification checklist for staff to complete before sharing anything confidential or granting access to anyone. And most importantly, practice, ideally with periodic simulated phishing emails and pretext calls so that staff meet these tactics before a real attacker uses them. Social engineering methods will continue to evolve, so it is important that your staff be aware, cautious and skeptical.
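The verification-before-reset step described above and the idea of a checklist staff must complete before granting access can be made concrete in code. The following is an added example, not InstaMed's own process or software: it shows the insecure pattern a pretexter exploits next to one way to implement out-of-band verification for a help-desk password reset. The sample directory, the user "jsmith", the phone number and the one-time-code delivery are all constructed assumptions for illustration.

```python
"""
Out-of-band verification before a help-desk password reset.

Added example for this post, not InstaMed's own code or process. Every name,
the sample directory and the one-time-code flow are assumptions chosen to
illustrate the idea: the caller must prove control of a contact channel that
is already on file, and staff never see or speak a password.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample directory (hypothetical user): what the help desk already
# has on file. A pretexter can recite a username and a plausible story, but
# cannot read a code delivered to the phone on file.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "jsmith": {"email": "jsmith@example-clinic.test", "phone": "+15555550100"},
}

CODE_TTL_SECONDS = 300   # a challenge is only good for five minutes
MAX_ATTEMPTS = 3         # three wrong codes and the challenge is discarded


def insecure_reset(username: str, caller_story: str) -> Optional[str]:
    """The pattern a social engineer exploits: a convincing story is the only
    check, and the new password is read back over the same call."""
    if username in DIRECTORY:
        return secrets.token_urlsafe(12)   # spoken to whoever is on the line
    return None


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class HelpDesk:
    """Reset flow with out-of-band verification, expiry, lockout and an audit trail."""

    def __init__(self, directory: Dict[str, Dict[str, str]],
                 now: Callable[[], float] = time.time) -> None:
        self.directory = directory
        self.now = now                      # injectable clock, so expiry is testable
        self.pending: Dict[str, PendingReset] = {}
        # Stands in for the SMS gateway: (channel, destination, code).
        self.sent: List[Tuple[str, str, str]] = []
        # Every decision is recorded so incident response can reconstruct a pretext call.
        self.audit: List[Tuple[str, str, str]] = []

    def start_reset(self, username: str) -> bool:
        """Caller asks for a reset. The code goes only to the number on file,
        never to a number the caller offers during the call."""
        rec = self.directory.get(username)
        if rec is None:
            self.audit.append(("deny", username, "unknown user"))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = PendingReset(code, self.now())
        self.sent.append(("sms", rec["phone"], code))
        self.audit.append(("challenge", username, rec["phone"]))
        return True

    def complete_reset(self, username: str, code_from_caller: str) -> Optional[str]:
        """Caller reads back the code. On success return a single-use reset
        token for the customer's own browser; staff never handle a password."""
        p = self.pending.get(username)
        if p is None:
            self.audit.append(("deny", username, "no pending challenge"))
            return None
        if self.now() - p.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]
            self.audit.append(("deny", username, "code expired"))
            return None
        p.attempts += 1
        # Constant-time compare; strip() tolerates the caller reading digits with spaces.
        if not hmac.compare_digest(p.code.encode(), code_from_caller.strip().encode()):
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[username]
                self.audit.append(("lockout", username, "too many wrong codes"))
            else:
                self.audit.append(("deny", username, "wrong code"))
            return None
        del self.pending[username]
        self.audit.append(("reset", username, "verified via phone on file"))
        return secrets.token_urlsafe(32)


if __name__ == "__main__":
    desk = HelpDesk(DIRECTORY)
    desk.start_reset("jsmith")
    print("attacker guessing:", desk.complete_reset("jsmith", "123456"))
    _, _, code = desk.sent[-1]            # only the owner of the phone on file sees this
    print("real user:", desk.complete_reset("jsmith", code) is not None)
    for entry in desk.audit:
        print(*entry)
```

The important design choice is that the challenge is delivered to the contact channel already on record, so a caller who supplies "my new number" or "my new email" during the call gains nothing, and the help desk never reveals or chooses a password, only hands back a single-use token. The audit list is what lets you later answer "who called, claiming to be whom, and what did we do" after a suspected pretext call.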