Social engineering is a fancy term for tricking someone out of information. Essentially, it’s a con. While not as flashy or technically sophisticated as hacking with a computer, social engineering is still an incredibly effective tool for hackers. As a result, healthcare workers should know how to guard themselves against social engineering.
While hackers usually aren’t so brazen as to ask for passwords over a phone call when attempting social engineering, they will try to gain as much information as possible. The goal can be details of operating or network environments, names or schedules of employees, or even the official forms used to make requests and requisitions.
Often, the information gained from social engineering is then used to launch a more effective hacking attempt electronically based on details learned from people.
The Department of Homeland Security has posted the following steps to avoid being caught by a social engineering attack:
- Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information;
- Do not provide personal information or passwords over email or on the phone;
- Do not provide information about your organization;
- Pay attention to website URLs that use a variation in spelling or a different domain (e.g., .com versus .net); and
- Verify a request’s authenticity by contacting the company directly.
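As an added illustration of the URL bullet above (example code written for this page, not from the Department of Homeland Security or the original article), a small Python check that flags addresses whose domain is a close misspelling or a different-TLD variant of a trusted list. The trusted domains and the sample URLs are constructed, hypothetical values:

```python
from urllib.parse import urlparse

# Constructed allowlist of domains the organization legitimately uses (hypothetical).
TRUSTED_DOMAINS = {"examplehealth.com", "examplehealth.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Return the last two host labels of a URL, e.g. 'examplehealth.com'.

    urlparse().hostname ignores any 'user@' prefix, so a link such as
    https://examplehealth.com@other.example/ is attributed to other.example.
    """
    if "://" not in url:
        url = "http://" + url  # bare hostnames otherwise parse as a path
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'unrelated' against TRUSTED_DOMAINS."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name, _, _tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, _t_tld = trusted.rpartition(".")
        # Same name under another TLD (.com versus .net) or a near-miss spelling
        # of the name (at most two character edits) is treated as a lookalike.
        if name == t_name or edit_distance(name, t_name) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://portal.examplehealth.com/login",
                   "https://examplehealth.net/reset",
                   "http://exampleheatlh.com/",
                   "https://examplehealth.com@other.example/"):
        print(f"{classify_url(sample):10} {sample}")
```

The two-edit threshold is a heuristic; shorter organization names need a tighter limit to avoid flagging unrelated domains.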
Social engineering preys upon predictable human behavior, and on society’s encouragement to be social and polite. Being a little rude is both okay and encouraged by security professionals as a defense against social engineering attempts.
Healthy skepticism is also key. Hang up on a caller if you suspect they are trying to socially engineer you. Ask a stranger in your work area whether they belong there and what identification badge or pass they have, or report them to security immediately.
Do not respond to phishing emails. Since the majority of social engineering attempts don’t leave a digital trail like electronic hacking attempts, they can often be more difficult to spot and stop. Healthcare workers are truly the main defense against social engineering attempts for PHI or against hospital systems.
Talking about social engineering is important: recent attempts against one department might be more easily thwarted against others if knowledge of trends or examples is shared. Be cautious of sharing any information outside your department or work circles, and understand that hacking isn’t just limited to computers!