May 2019, Volume XXXIII, No 2


Social engineering

Is your practice prepared?

The human element is a key factor in cyber and computer network operations, and it is the most unpredictable factor in cybersecurity. Patient records contain a wealth of personal information, and many hackers have learned to trick unsuspecting health care employees into helping them plan and execute their data breaches through “social engineering,” defined in information security terms as the art of using influence or manipulation to trick targets into giving up confidential information or access to an organization. Cybercriminals will often use social engineering tactics as a first step in gaining access to privileged information because it is generally easier to exploit human weaknesses than to breach network or software vulnerabilities.

According to the 2016 Healthcare Industry Cybersecurity Report (Information Security Media Group), health care ranks 15th out of 18 industries in social engineering. This is a clear reflection of the vulnerability of health care organizations to this type of breach. That same report said that data breaches occurred in 85 percent of large health care organizations’ systems in 2014.

Social engineering depends on human inclinations toward trust, curiosity, and empathy. One of the reasons that social engineers love health care employees is their natural tendency to be trusting and their desire to be helpful. The complexity of most health care organization structures, networks, and systems is also an advantage to social engineers.

One form of social engineering that allows cybercriminals to physically gain entrance is called tailgating. Here are some common scenarios:

  1. A social engineer flashes a fake ID at the front desk. He says he is there to fix an internet problem and the IT department sent him down. He is led to the router and is able to install malware onto the entire health care network.
  2. A social engineer shows up at the employee entrance with an armful of pizza boxes. A helpful employee holds the door open for him and he has gained access to non-public areas.
  3. A social engineer calls in posing as an assistant to a high profile physician. His boss is having problems accessing the system and he demands to know why. Acting rushed and annoyed, he demands immediate access to the system.

More commonly, cybercriminals act remotely, using electronic social engineering techniques. Common examples include phishing and spear-phishing, business email compromise, and ransomware.


Phishing and spear-phishing

Phishing attacks use email or fake websites to trick employees into clicking on a link and/or entering personal information, allowing access to a network or system to collect billing and health information or deposit malware.

Phishing emails and websites are often designed to look as if they have come from a legitimate source. In November 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) notified health care-covered entities of a phishing scam that used fake government letterhead and a fake email address to direct individuals to a fake URL. The fake email address and fake URL each had only a very subtle difference (a single added hyphen) from the official addresses, a typical approach in phishing scams.

Spear-phishing is a specific method of phishing that targets specific individuals or groups within an organization. Emails, social media, and other platforms can be used to persuade users to divulge personal information or perform actions that lead to network compromise, data loss, and/or financial loss. While phishing often involves random individuals, spear-phishing is aimed at specific targets and involves prior research. According to the Internet Crime Report published by the FBI’s Internet Crime Complaint Center (IC3), phishing and related tactics were the third highest cybercrime experienced across the nation in 2017.

Business email compromise

Business email compromise (BEC) is a sophisticated crime that typically targets employees who have access to company finances. The cybercriminals trick these individuals into making a wire transfer to accounts that appear to belong to trusted partners but are actually controlled by the criminals.

BEC, also known as CEO spoofing, often starts with the criminals gaining access to a company’s network through a spear-phishing attack and the use of malware. This allows the criminals to study the organization’s vendors and billing systems, as well as the CEO’s style of communication and perhaps even his or her travel schedule, without detection. When the time is right, a spear-phishing request is made to a specific individual, such as a bookkeeper, accountant, controller, or CFO, requesting an immediate wire transfer, often to a trusted vendor. If paid, this money is often hard to recover due to laundering techniques and accounts that drain the funds into other accounts that are difficult to trace.

Ransomware

Ransomware is a type of malware in which attackers lock the data on a victim’s computer, typically by encryption, and payment is demanded before the ransomed data are decrypted and access returned to the victim. In 2017, the FBI’s IC3 received 1,783 ransomware complaints with adjusted losses of over $2.3 million.

Unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal’s identity isn’t known. Of course, there’s no guarantee that the criminals will release the files or that the files have not been breached or disrupted in some way.

There is usually a delay between the insertion of the ransom software and the execution of the attack. This delay is intended to enhance the spread of the ransomware throughout the system, especially into backup files. This decreases the likelihood that the data can be recovered without paying the ransom.


Lines of defense

So how do you prevent social engineers from having a negative impact on your organization? One certainty is that as technical security factors become more stringent, social engineering techniques will respond in kind. The weakest link in the security chain is the human who accepts a person or scenario at face value. Although some technical barriers can be put in place, employee training is the most important defense an organization has to protect against social engineering crimes.

Consider the following tips to reduce your risk:

Email attacks

To reduce the risk of a phishing attack, keep malware and spam filters up to date.

To reduce the risk of falling victim to BEC, implement a formal structure and process for releasing information and making payments. Employees should be trained to be very suspicious of an email directive to wire money, mail a check, or release personal information. Consider the following actions recommended by the FBI’s IC3 (2016):

  • Verify changes in vendor payment location and confirm requests for transfer of funds.
  • Consider financial security procedures that include a two-step verification process for wire transfer payments. Double-check with a human. Call to verify and use the corporate telephone book rather than calling the numbers listed in the email.
  • Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and either type in the correct email address or select it from the address book to ensure the intended recipient’s correct email is used.

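The hyphen-added lookalike address described under phishing and the “don’t trust Reply” advice for BEC can both be checked mechanically before a finance request is acted on. The following script is an added example, not code from the article or from Coverys; the trusted domain list, the `.example` domains, and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list of domains this practice trusts (assumption, not from the article).
TRUSTED_DOMAINS = {"healthclinic.example", "billingvendor.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain this one imitates (one character off, e.g. an added hyphen), or None."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def check_message(raw: str) -> list[str]:
    """Return warnings for a raw RFC 5322 message: lookalike From domain, Reply-To mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_domain = sender_domain(msg.get("From", ""))
    target = lookalike_of(from_domain)
    if target:
        warnings.append(f"From domain {from_domain!r} imitates trusted domain {target!r}")
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {sender_domain(reply_to)!r} differs from From domain {from_domain!r}")
    return warnings


# Constructed sample message in the style of a BEC wire-transfer request.
SAMPLE = """From: "Dr. Smith" <smith@health-clinic.example>
Reply-To: smith@webmail.example
To: bookkeeper@healthclinic.example
Subject: Urgent wire transfer

Please wire the vendor payment today; I am travelling.
"""

if __name__ == "__main__":
    for w in check_message(SAMPLE):
        print("WARNING:", w)
```

A flagged message is a cue to verify by phone using the corporate directory, as the IC3 guidance above recommends, not a verdict on its own.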
Social media security

Develop and implement a policy on employee use of social media, including personal page posts and references to the organization. Train your staff members on locking down their personal social media pages, and inform them of the risk to their personal property and well-being when too much personal information is shared.

Ransomware

To reduce and/or mitigate the risks of ransomware:

  • Develop a response plan, which may require outside experts.
  • Physically back up files outside of the network each day. Make a copy on electronic media or an encrypted external hard drive. Maintain the files in a secured location, preferably off-site or on a firewall-protected network or “cloud,” and periodically test them.
  • If you experience a ransomware attack, notify all system users and shut down the systems as soon as possible to contain the spread. Notify the local FBI office and/or file a complaint with IC3. Notify your insurance carrier to determine coverage. Recovery will almost always require the help of outside experts.


Provide all employees with ongoing education to combat these threats. Consider the following:

  • Provide explanations and examples of the social engineering tactics currently being used by cybercriminals, particularly in the health care sector.
  • Exercise vigilance regarding emails, unsolicited phone calls, or in-person interactions that attempt to get employees to reveal personal or sensitive information, or that require going to an unfamiliar website or installing an unfamiliar program. Do not be afraid to question and/or challenge strangers or unusual requests, and always verify the identity of the requestor rather than taking people at their word.
  • Be wary of unsolicited postal mail and unexpected emails, especially if they are requesting an urgent action. Always verify unsolicited messages through a different means, such as a phone call or face-to-face conversation.
  • Refrain from opening links or attachments in emails from unknown sources.
  • Involve your manager if you have any doubts or concerns.
  • Do not use unknown or potentially compromised thumb drives that might contain malware.
  • Require ID badges to be worn; inconsistent enforcement allows a social engineer to merely say they

Summing up

Cybercriminals are becoming increasingly sophisticated, and health care is a prime target. Assess the security of your computer systems and enhance them as needed. Train your employees on an ongoing basis. Develop and practice contingency plans for these attacks. Given the scope and impact of the threats posed by modern cybercriminals, consider retaining outside security support as needed.

Ginny Adams, RN, BSN, MPH, CPHRM, is a senior risk consultant for Coverys, a medical professional liability insurance company. She has a background in critical care nursing, nursing administration, performance improvement, regulatory compliance, and risk management. 

© Minnesota Physician Publishing · All Rights Reserved. 2019