Wednesday, July 8, 2015

Social Engineering in HealthCare

The weakest link in an information security program is people. Hackers have known this for a long time and have refined the art of social engineering. By convincing someone to do something that isn’t in their best interest, malicious individuals are able to launch devastating attacks on organizations.

One method in which the hackers prey on their victims is through phishing. This attack vector utilizes electronic communication that appears to be trustworthy. Through this vehicle, hackers attempt to obtain sensitive information about their victims such as credentials, credit card information, and even more coveted protected health information.

The healthcare industry has always been about helping people; however, when it comes to privacy and security, being too helpful isn’t always a good thing. Partners Healthcare realized this when a group of their employees fell victim to phishing emails. On November 25, 2014, hackers convinced some of Partners’ employees to engage with them through an email, allowing the hackers to gain access to the employees’ email accounts. This eventually led to the compromise of approximately 3,300 patient records.

In another unfortunate example, Texas-based Seton Healthcare Family, a part of Ascension Health System, became a victim of a compromise of protected health information on 39,000 patients when an employee opened an email that turned out to be a phishing scam. This wasn’t the first time Seton Healthcare had been breached; in 2013 the health system reported the theft of an unencrypted laptop. Since 2007, they had two additional breaches: one again involving a stolen laptop affecting 10,300 patients and a breach by a third-party vendor involving more than 500 patients where member cards were sent out to the wrong members.

St. Vincent Medical Group fell victim to a phishing attack targeting employees. A statement posted on their website indicated that they discovered an employee’s email account had been compromised around December 3, 2014. By March 12, 2015, they had determined that the compromised email account contained personal health information on approximately 760 patients.


With the ease of phishing and the high returns that can be achieved by using this technique, security professionals fear that these types of threats will increase in 2015. With health data becoming more valuable to hackers on the black market, and with the belief that the healthcare industry’s security is not ‘up to par’ with that of other industries, the healthcare industry will continue to see an increase in attacks.
