Prevent social engineers from accessing your data
HIPAA Training Advisor, October 19, 2006
Your organization probably wants a work force that is friendly, helpful, and builds goodwill with patients and visitors. However, these typically desirable qualities can conflict with security when your employees are confronted with social engineering, the use of deception to gain access to information.
"Social engineering preys on people trying to be helpful," says William Miaoulis, principal at Phoenix Health Systems in Montgomery Village, MD. He offers the example of someone who phones the help desk, posing as a user who needs to "reset his or her password." With lax controls in place and an accommodating help desk staffer on the other end of the line, this unauthorized user could obtain user account information and access your network.
Or consider the reverse scenario: A social engineer phones an end user, pretending to be a member of your organization's support staff. He or she says that there's been a limited power outage and he or she needs the user's identification and password to run some tests.
These two examples illustrate the two common targets of social engineering attacks, help desk staff and end users, says Ken Cutler, vice president of information security for MIS Training Institute in Framingham, MA. You can't protect against these ploys with policies, procedures, or technical controls. Only a strong security awareness program followed up by auditing can counter this important threat, Cutler says.
Raise awareness
Social engineering is especially effective in an environment that doesn't realize it's at risk. Unfortunately, this encompasses many healthcare institutions. "The reason we get lulled to sleep is that we have these types of cases all the time [in which legitimate users forget their passwords, etc.]," Miaoulis says. "Quite frankly, these people aren't trying to get to us through social engineering. So although the probability of a social engineering attack is low, the impact is high."
The first step is to wake your work force up to the reality of social engineering by covering it during new employee training sessions and any annual training you conduct. Then follow up with specific security reminders that go beyond the typical e-mail updates. "People overuse the computer for reminders," Cutler says. Instead of using onscreen messages that users can ignore, launch a visible campaign that reaches every employee. For example, hold a series of brown bag lunches on security.
Pose scenarios like those at the beginning of this article to employees and consider other deceptions that could result in unauthorized access to information. For example, crooks posing as telephone repair workers, pizza delivery people, or even as employees of your institution can use social engineering to gain physical access to your facility's premises (and from there to your electronic data). This means that you must train not only end users and help desk staff on the perils of social engineering, but all employees. Workers who are often in hallways, such as security guards and housekeeping staff, must understand social engineering so they are equipped to help prevent a successful breach of your facility's access controls.
"Nobody's immune from awareness, from the executives all the way down to the janitor, and any contractors as well, anybody that has access to your facility or systems," Cutler says.
Miaoulis has accessed terminals at several facilities simply by dressing nicely in a coat and tie. "Many people will just walk past you" thinking you work for the facility, he says. Snap employees out of complacency by training them to wear identification badges conspicuously and to challenge users with whom they are not familiar, he suggests.
Audit for weaknesses, take corrective action
After you've conducted training, check up on what employees have learned. You can do this on your own or by hiring a third-party professional to pose as a social engineer. Whatever auditing method you choose, try a variety of social engineering attacks. Randomly sample the employee directory and pose as someone who needs user passwords. Have someone with whom employees aren't familiar use social engineering to breach the physical security of your facility. If these sample attacks succeed, your organization has vulnerabilities that need corrective action. Conduct these audits at least once a year, Cutler advises.
"If you conduct an audit and too many people give away information, have a big awareness campaign. After you do the campaign, give employees a month to settle in and then conduct another audit," Cutler says. If social engineering techniques continue to work, try to get to the crux of the problem.
For example, you might need to make changes to your help desk procedures for password reset requests, Miaoulis says. Ask for secondary and tertiary identifiers, such as the last four digits of the user's Social Security number or a prearranged question and answer. Avoid commonly used identifiers such as the employee's mother's maiden name.
"None of these are absolute, but anything you can do to authenticate an individual is important before you give out a pass code," Miaoulis says. "Security is all about adding hurdles."
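The two help desk situations above, the lax reset in the first scenario and the "secondary and tertiary identifiers" Miaoulis recommends, can be written down as a checkable procedure. The Python below is an added illustration for this article, not code from the newsletter or from either of the experts quoted; the requirement of two correct identifiers, the lockout after three failed attempts, the list of banned questions beyond mother's maiden name, and the sample user are all assumptions chosen for the demonstration. The identifiers on file are stored only as salted hashes so that a copy of the help desk's records does not hand a caller the answers, and a request for an unknown user gets the same refusal as a wrong answer so the caller cannot use the help desk to confirm which accounts exist.

```python
"""Help desk password-reset verification: the lax check from the article's
first scenario next to a hardened version that demands several identifiers.
Added example, not the article's own procedure; policy numbers, banned
questions and the sample directory are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

# Questions whose answers are too easy to discover. The article names
# mother's maiden name; the other two are assumed additions.
BANNED_QUESTIONS = {"mother's maiden name", "city of birth", "pet's name"}
REQUIRED_IDENTIFIERS = 2   # a secondary AND a tertiary identifier (assumed policy)
MAX_FAILED_ATTEMPTS = 3    # lock the reset path after this many misses (assumed)


def normalize(answer: str) -> str:
    """Fold case, Unicode form and stray whitespace so a phoned-in answer
    matches the enrolled one without loosening the comparison itself."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the records on file never hold the raw identifiers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Enrollment:
    """One user's record: label -> (salt, hash), plus a failed-attempt counter."""
    username: str
    identifiers: dict = field(default_factory=dict)
    failed_attempts: int = 0

    def enroll(self, label: str, answer: str) -> None:
        if label.casefold() in BANNED_QUESTIONS:
            raise ValueError(f"{label!r} is too easy to discover; choose another identifier")
        salt = os.urandom(16)
        self.identifiers[label] = (salt, hash_answer(answer, salt))


def weak_reset_check(directory: dict, username: str) -> bool:
    """The lax control: anyone who can name a valid user gets a reset.
    Kept only to contrast with the hardened check below."""
    return username in directory


def verify_reset_request(directory: dict, username: str, answers: dict) -> tuple[bool, str]:
    """Hardened check: the caller must answer REQUIRED_IDENTIFIERS distinct
    enrolled questions correctly. Wrong answers count toward lockout, and an
    unknown user gets the same refusal as a wrong answer."""
    record = directory.get(username)
    if record is None:
        return False, "verification failed"      # do not confirm the account exists
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, "reset locked; escalate to supervisor"
    correct = 0
    for label, (salt, expected) in record.identifiers.items():
        given = answers.get(label)
        if given is not None and hmac.compare_digest(hash_answer(given, salt), expected):
            correct += 1
    if correct >= REQUIRED_IDENTIFIERS:
        record.failed_attempts = 0
        return True, "issue one-time reset code"
    record.failed_attempts += 1
    return False, "verification failed"


def build_sample_directory() -> dict:
    """Constructed sample record for the demonstration (not real data)."""
    alice = Enrollment("alice")
    alice.enroll("last four of SSN", "1234")
    alice.enroll("prearranged question: first supervisor", "Ortiz")
    return {"alice": alice}


if __name__ == "__main__":
    d = build_sample_directory()
    print(weak_reset_check(d, "alice"))                                   # True: a name was enough
    print(verify_reset_request(d, "alice", {"last four of SSN": "1234"})) # one hurdle is not enough
    print(verify_reset_request(d, "alice", {"last four of SSN": "1234",
                                            "prearranged question: first supervisor": " ORTIZ "}))
```

Run as a script it shows the contrast: the weak check passes on the username alone, a caller who knows only the last four digits of the SSN is refused, and only a caller who clears both hurdles is told a one-time reset code may be issued. After three misses the record is locked and the staffer is told to escalate rather than keep trying.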
Editor's note: Adapted from "Prevent social engineers from accessing your data," Briefings on HIPAA, October 2006.