Social engineering attacks are designed to manipulate individuals into giving away confidential information, and hospitals, given the sensitivity and value of the data they handle, are not immune. Here are a few fictional stories based on common social engineering techniques that could target a hospital or healthcare organization.
- The Pretend Contractor
  - Story: A person walked into a hospital dressed as an IT contractor and claimed they had been sent by the “head office” to fix a server issue. With a combination of a confident demeanor, a believable story, and some technical jargon, they convinced a staff member to give them access to a server room. Once inside, they installed malicious software to capture patient data.
  - Lesson: Always verify identities and confirm appointments, especially if no prior notice was given.
- Phishing Disguised as Training
  - Story: A nurse received an email stating that it was mandatory cybersecurity training from the hospital’s IT department. The email contained a link to what looked like a training portal. However, once the nurse entered her login credentials, the attackers captured them.
  - Lesson: Be suspicious of unexpected emails, and always verify the legitimacy of such requests by contacting the supposed sender through a known contact method.
- Baiting with a Lost USB Drive
  - Story: An employee found a USB drive in the parking lot labeled “2023 Staff Salaries.” Out of curiosity, they plugged it into a hospital computer. The drive contained malware, which was then introduced into the hospital’s network.
  - Lesson: Never insert an unknown USB drive into any computer, especially not into systems that handle sensitive data.
- Pretexting Through a Phone Call
  - Story: A person called the hospital’s billing department, posing as an auditor. They claimed they needed to verify certain patient billing details because of a “recent system glitch.” Using this pretext, they extracted sensitive patient billing data.
  - Lesson: Always validate the identity of callers, especially when they request sensitive information.
- Tailgating Into Restricted Areas
  - Story: A well-dressed individual waited by a secured door, holding a tray of coffees, and made small talk with an employee. When the employee swiped their access card, the individual asked to be let in, saying they had “forgotten” their card and were running late for a meeting. The kind-hearted employee held the door for them. Once inside, the individual had free access to sensitive areas.
  - Lesson: Always follow security protocols, no matter how inconvenient they may seem.
- Vishing Attack on Relatives
  - Story: An attacker called the family of a recently admitted patient, posing as a hospital administrator. They informed the family of additional “treatment charges” and convinced them to pay a hefty amount over the phone.
  - Lesson: Educate patients and their families about the hospital’s billing procedures, and encourage them to verify any unexpected charges directly with the hospital.