How to Socially Engineer Healthcare (And Get Rich Too) Learn how social engineers successfully steal PHI
Brand Barney SecurityMetrics
About SecurityMetrics • Helping organizations comply with mandates, avoid security breaches, and prevent data theft since 2000.
About Me • Brand Barney • CISSP, HCISPP, QSA • 10+ years of data security experience
What is Social Engineering?
What is Social Engineering? • Social engineers exploits workforce members • Use wit and charisma to gain access to sensitive areas in your organization to steal data. • Catch Me if You Can
Myth: Social Engineering Isn’t a Threat • Social engineering targets weakest link: people! • Doesn’t require technical talent • Hard to recognize
Why Go After Health Data? • Health data more lucrative than credit cards on black market – Credit card data sells for $1–2 – PHI sells for $20–200
• Easy to replace credit cards, impossible to replace social security numbers
Why Does Social Engineering Work?
Social Engineering is hard to recognize • Good social engineers look like they belong at your organization – Confident, don’t look out of place
• Most organizations don’t realize they’ve been social engineered until they start losing PHI
You’re Trusting • Humans have an “innocent until proven guilty” mentality • Workforce members don’t question strangers • They don’t want to seem rude
You Want to Help • Most workforce members are inclined to help • May answer sensitive questions • May want to help someone who “forgot” their ID badge
You Don’t Want to Look Stupid • Large healthcare environments make it difficult for workforce members to know who works where • Don’t want to stop someone unnecessarily and look stupid
You Don’t Want to Get in Trouble • Don’t want to offend someone • Don’t want to get in trouble with their superiors • Afraid of making a mistake
These “human flaws” are some of the most challenging aspects when training against social engineering. You’re literally trying to train people out of the way they naturally think.
Real-Life Successful Social Engineering Stories
Dumpster Diving • Social engineer found sensitive documents involving a third party company in a dumpster • Used the information to pretend to be from that company • Gained access to organization’s servers
Fake Nurse • • • •
Scrubs / Clothing / Training Equipment Multiple locations Sensitive access
iPad Walk out • Medical devices look strikingly similar to patient devices • Devices are not protected and not logged
Common Social Engineering Techniques
IT Poser • Social engineer flashes fake ID tag, says he’s here to fix an internet problem • Says the hospital IT department sent him down
Tailgating • Social engineer shows up at employee entrance carrying a box of donuts • Employee holds the door open for him, not bothering to check if she has a badge
New Hire • Social engineer goes up to a doctor and pretends to be a new hire that’s supposed to shadow him • Gains access to the office, where she can steal information
Devices Stolen/Left Behind • A social engineer walks in and out with a device without being questioned • Some leave behind USBs full of malware and wait for an employee to plug it into a computer
How to Combat Social Engineering
The biggest way to protect against social engineering is employee training with frequent refreshers.
Train Employees • Train employees regularly to recognize these techniques • Do quarterly, if not monthly, training • Train not just nurses/doctors, but receptionists too!
Be Skeptical • Train employees to not be afraid to challenge strangers • Verify before trusting people with their word • Never give out sensitive information over the phone • Don’t be afraid to get the manager involved
Test Staff • Best way to learn security techniques is to practice them • Test employees by hiring an ethical social engineer
Enforce Policies • If you have a badge policy, make sure all employees wear them • Always have employees verify the identify of the person and the validity of the request
Have a Strict Device Policy • Make sure employees don’t use USB drives they find around the premises • Keep track of all devices going in and leaving your organization
Have Individual User Accounts • Workforce members are not all created equal • All staff should have separate user accounts • Role-based access
Hire a Consultant • Consult with a security expert – Provides best security practices customized to your organization – HIPAA experts are IT experts, security experts, and HIPAA experts 39
Your staff are your greatest asset, and they can help you protect your data and achieve all your HIPAA compliance goals.