Hollywood builds a picture of what a typical hacker looks like – sitting in a dark basement surrounded by computers. The modern hacker is savvier and takes a different approach. They’re out in public and probably dressed similarly to you.
Today, we explore these threats and share three examples of techniques that are on the rise, as well as ways that you can stop human-manipulation attacks.
Strong Perimeters, but Vulnerable Operations
Healthcare organizations have invested greatly in building strong perimeter defenses, including VPNs, multi-factor authentication, IPS, and firewalls that add layers of defense around an infrastructure.
However, while the controls may be quite robust for the edge network, the internal infrastructure remains weak. For malicious parties, it might be unlikely that they can penetrate from the outside.
The Social Hacker
This has pushed hackers to find new ways to easily circumvent external controls and create a more direct method of entry into the internal infrastructure. Social engineering is just that. It can enable access through softer barriers like employees, removable media, `and third-parties and vendors.
Three examples of social engineering tactics include:
Scenario #1: Someone makes light conversation with an employee outside the facility at a break or parking area or a smoke station. They’re posing as repair personnel and simply follow the employee into the building acting as if they belong there and were on a break too.
Scenario #2: An employee misplaces his phone at a coffee shop during lunch. He realizes this and returns after a meeting and finds the phone is almost dead. Without an outlet cord, he plugs his phone into his laptop to charge and inadvertently gives malware, which was loaded while his phone was lost, access to the system. Any media type -- CD's, flash drives, mp3 players and other devices with storage capabilities like smartphones -- can introduce malicious software through back-door access.
Scenario #3: A third party vendor is setting up new medical devices and needs to connect to update settings on these network-connected equipment. Unfortunately, their security controls are weak and they have malware hiding in their laptops. So, when they make updates to the devices, they unknowingly infect the organization’s network.
Empowering Your Organization
We recommend that your healthcare organization look at social engineering with the same rigor as you have with perimeter controls and prevention from phishing and vishing type attacks. Here are four steps to empower your people, policies and vendors to avoid, and deter, social engineering hacks:
- Conduct routine, internal tests to determine social engineering vulnerabilities
- Typical targets include email phishing, voice phishing, piggybacking, tailgating, and baiting using removable media with enticing labels such as “Company Finances 2017”
- Provide security training for employees that highlights social engineering techniques
- Training types and topics to consider include role playing, table top exercises, social engineering experiments, review of policies and processes, shoulder surfing, piggybacking, tailgating, as well as email and voice phishing
- Update or create security policies that restrict removable media and provide lock-down port access
- Examples of policies and technology affected include Group Policy and Antimalware solutions
- Review and monitor third-party access controls regularly
- Take actions like inspecting vendors’ remote access configuration, creating Access Control Lists (ACL’s), reviewing user account permissions, as well as reviewing firewall reports that monitor network traffic to see the flow of traffic over the VPN
Healthcare sits in a very unique position, working with a diverse universe of professionals, vendors, patients and the public. That’s why social engineering attacks are so insidious and silent.
Hackers can blend in easily, appearing as a family caregiver, a vendor, or even a patient. Thumb drives, mp3 players, CDs, and smart phones can be easily introduced into the environment undetected. And, third party vendors are trusted support whose vulnerabilities are brought to your organization day after day.
As an organization focused solely on healthcare security, privacy and compliance, BluePrint Healthcare IT have helped many healthcare entities understand their unique security risks and prepare their people, processes and policies as the best line of defense.
To learn more about social engineering and our vulnerability assessments, remediation services and educational programs, contact Pamela Hayduk, Market Development Manager, at email@example.com or 609.240.1627.