Despite years of educating healthcare staff about the need for data security and the myriad ways people can worm their way into an otherwise secure system, employees still can fall prey to social engineering scams and allow HIPAA data breaches.
Social engineering refers to the ways hackers and other criminals prey on people’s natural tendencies and weaknesses to create a way into a data system. It remains a huge problem, says Dan Hanson, an insurance and risk management professional with Marsh & McLennan Agency in Minneapolis.
“The problems caused by social engineering have been with us for a long time now. Bad actors use a variety of schemes to hack into business databases, pose as qualified vendors — often referred to as reverse social engineering — or even gain access to physical spaces,” Hanson says. “There are literally thousands of variations. The only limit to the number of ways hackers can socially engineer users is the criminal’s imagination.”
Social engineering plays a role in most HIPAA breaches. Clinical Pathology Laboratories in Texas recently reported that PHI of approximately 2.2 million patients had been compromised in the data breach at American Medical Collection Agency (AMCA), which provides debt collection services to healthcare organizations. (Read more at: http://bit.ly/2YvtCrg.) AMCA reported that a cyberattack on its payment website allowed hackers to obtain PHI for eight months. AMCA filed for bankruptcy after the attack. (Read more about the filing at: https://bloom.bg/2GB8ARS.)
A healthcare organization can even experience multiple forms of exploits in a single attack, Hanson says. These are some of the most popular forms of social engineering:
- Phishing. The most common scheme, often using fear and threats to create a sense of urgency, all in an attempt to wrangle usable information.
- Pretexting. Usually a fabricated scenario designed to fool an employee to extract information.
- Baiting. Similar to phishing but often promises a reward to entice victims, such as free music or movie downloads, to steal login credentials.
- Quid Pro Quo. These attacks promise a benefit in exchange for information, usually some kind of a service (e.g., an offer of IT that promises a software update but is instead a way to install malware).
- Tailgating. This involves someone without proper authentication literally following an employee into a restricted area.
- Identity Theft. The hacker steals an employee’s identity he or she can use online or even create fake ID badges to gain access to the office.
Many companies know about these schemes and they have often made attempts at guarding against them. But the unfortunate truth is the criminals have become smarter, and they are constantly changing and updating their schemes, Hanson says.
“Just because many social engineering scams, like the Nigerian prince, seem so obviously fake and illicit, you can’t assume that all schemes will be equally obvious to your employees,” Hanson says. “Hackers are uniquely adept at spotting the flaws in their attacks and revising them. A lot of these people are incredibly smart and very good at what they do.”
One of the latest innovations is invoice manipulation. This form of attack is not necessarily new but it has received more notoriety lately because it has become a bigger problem than ever before, Hanson says. Criminals posing as suppliers, vendors, or even customers attempt to defraud a company using fake, duplicate, or inflated invoices. It is important for companies to be vigilant about checking every invoice, Hanson offers.
Invoice manipulation has become a go-to attack choice for bad actors hacking email accounts, intranet, or databases. Hanson describes one way it can work: An employee’s email is hacked, or their credentials are stolen. Now, the hacker has access and can monitor emails to determine who sends or requests an invoice. The hacker knows the company’s vendors and sends an invoice that appears to be legitimate, but the routing, account, or vendor ID numbers have been altered.
“Guard against invoice manipulation by empowering employees to double check any time anything changes — numbers, banks, addresses,” Hanson says. “Have them call the vendor directly to ask whether or not the information is legitimate. Don’t send emails. If the hacker is already in your system, it’s easy to fake the response.”
If the hacker has no luck gaining access digitally, he or she can coerce or even hire a disgruntled employee. This is potentially the most powerful attack because the employee has physical access to the organization and generally can move anywhere without any restriction as well as access company data, Hanson says.
“A lot of companies are still getting caught flat-footed. It’s not hyperbole to state that all organizations are, at one time or another, getting hit by social engineering attacks,” he says. “All it takes is one employee to not be thinking clearly. That’s when bad decisions are made. That’s why continuous training is necessary.”
Hackers who engage in social engineering attacks prey off human psychology and curiosity to compromise their targets’ information, Hanson notes. Guarding against most of these does not require much more than paying attention to the details. But it is important to keep reminding employees how they can avoid social engineering schemes. Hanson suggests frequent reminders on these safeguards:
- Do not open emails from untrusted sources;
- If offers seem too good to be true, they probably are;
- Lock laptops;
- Do not react too quickly — hackers want someone to act first and think later;
- Be suspicious of unsolicited messages;
- Beware every download;
- Foreign offers are fake — end of story;
- Delete any request for financial information or passwords;
- Reject requests for help or offers of help;
- Set spam filters to high;
- Do not be afraid to ask questions or delay decisions until thoroughly checking out the situation.