3/16/2016

How to Socially Engineer Healthcare (And Get Rich Too)
Learn how social engineers successfully steal PHI

Brand Barney SecurityMetrics

About SecurityMetrics • Helping organizations comply with mandates, avoid security breaches, and prevent data theft since 2000.

About Me
• Brand Barney
• CISSP, HCISPP, QSA
• 10+ years of data security experience


What is Social Engineering?

What is Social Engineering?
• Social engineers exploit workforce members
• They use wit and charisma to gain access to sensitive areas in your organization to steal data.
• Catch Me if You Can

Myth: Social Engineering Isn’t a Threat
• Social engineering targets the weakest link: people!
• Doesn’t require technical talent
• Hard to recognize


Why Go After Health Data?
• Health data is more lucrative than credit cards on the black market
  – Credit card data sells for $1–2
  – PHI sells for $20–200
• Easy to replace credit cards, impossible to replace social security numbers

Why Does Social Engineering Work?

Social Engineering is hard to recognize
• Good social engineers look like they belong at your organization
  – Confident, don’t look out of place
• Most organizations don’t realize they’ve been social engineered until they start losing PHI


You’re Trusting
• Humans have an “innocent until proven guilty” mentality
• Workforce members don’t question strangers
• They don’t want to seem rude

You Want to Help
• Most workforce members are inclined to help
• May answer sensitive questions
• May want to help someone who “forgot” their ID badge

You Don’t Want to Look Stupid
• Large healthcare environments make it difficult for workforce members to know who works where
• Don’t want to stop someone unnecessarily and look stupid


You Don’t Want to Get in Trouble
• Don’t want to offend someone
• Don’t want to get in trouble with their superiors
• Afraid of making a mistake

These “human flaws” are some of the most challenging aspects when training against social engineering. You’re literally trying to train people out of the way they naturally think.

Real-Life Successful Social Engineering Stories


Dumpster Diving
• Social engineer found sensitive documents involving a third-party company in a dumpster
• Used the information to pretend to be from that company
• Gained access to the organization’s servers

Fake Nurse
• Scrubs / Clothing / Training Equipment
• Multiple locations
• Sensitive access

iPad Walk Out
• Medical devices look strikingly similar to patient devices
• Devices are not protected and not logged


Common Social Engineering Techniques

IT Poser
• Social engineer flashes a fake ID tag, says he’s here to fix an internet problem
• Says the hospital IT department sent him down

Tailgating
• Social engineer shows up at the employee entrance carrying a box of donuts
• Employee holds the door open for him, not bothering to check if he has a badge


New Hire
• Social engineer goes up to a doctor and pretends to be a new hire that’s supposed to shadow him
• Gains access to the office, where she can steal information

Devices Stolen/Left Behind
• A social engineer walks in and out with a device without being questioned
• Some leave behind USBs full of malware and wait for an employee to plug one into a computer

How to Combat Social Engineering


The biggest way to protect against social engineering is employee training with frequent refreshers.

Train Employees
• Train employees regularly to recognize these techniques
• Do quarterly, if not monthly, training
• Train not just nurses/doctors, but receptionists too!

Be Skeptical
• Train employees not to be afraid to challenge strangers
• Verify before trusting people at their word
• Never give out sensitive information over the phone
• Don’t be afraid to get the manager involved


Test Staff
• The best way to learn security techniques is to practice them
• Test employees by hiring an ethical social engineer

Enforce Policies
• If you have a badge policy, make sure all employees wear them
• Always have employees verify the identity of the person and the validity of the request

Have a Strict Device Policy
• Make sure employees don’t use USB drives they find around the premises
• Keep track of all devices entering and leaving your organization


Have Individual User Accounts
• Workforce members are not all created equal
• All staff should have separate user accounts
• Role-based access

Hire a Consultant
• Consult with a security expert
  – Provides best security practices customized to your organization
  – HIPAA experts are IT experts, security experts, and HIPAA experts

Your staff are your greatest asset, and they can help you protect your data and achieve all your HIPAA compliance goals.


Questions Securitymetrics.com
