You know all about the security requirements of HIPAA, and you probably know at least something about cyber security, particularly if you are using or transitioning to an electronic health records (EHR) system. But, do you know about social engineering attacks, or how to spot an attempt at phishing? Does your staff?
What is social engineering?
Social engineering has two meanings: one is related to public policy, which, arguably, doesn’t have too much impact on chiropractic offices, and the other is related to information security. When a criminal manipulates a person in order to learn confidential information, it is social engineering—and that can pose a legitimate threat to your practice.
All sorts of people are vulnerable to social engineering attacks; this is not something that only happens to the gullible or unprepared. These attacks are designed and carried out in such a way that victims have no idea at all they are being attacked. According to SearchSecurity.com, a leading information security site, social engineering is “a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.”
What are social engineering attacks?
Social engineering is part of the vast majority of scams. People are helpful, sometimes vain, and can be frightened. Scammers use facets of human nature to find out what they need to know in order to carry out their crime. For example, if a scammer wanted access to your network, he or she may call and claim to work at one of the insurance companies you regularly bill. They may describe an urgent problem and appeal to the person in charge of billing in your office for help.
That is simply one type of social engineering attack—and a particularly successful one, all too often. Here are several other types of attacks:
- Baiting—In this case, the scammer may leave something, such as a CD, a USB drive, or some other item that can be plugged in, that is loaded with malware.
- Phishing—Most people are familiar with phishing, as it has become a major problem, especially for senior citizens. The scammer will send an email, sometimes disguised so that it appears to be from a legitimate source, with the goal of getting the recipient to click a link that will automatically download malware. They may also be trying to get the recipient to reveal personal or financial information.
- Pretexting—The example above, where a scammer calls seeking help with an “urgent problem” is a form of pretexting. Lying in order to gain access to information is pretexting.
- Tailgating—This is when a scammer follows someone who is authorized into a secure area of a network and gains access. In other words, they sneak in while the virtual door is open.
These are the main types of social engineering attacks, all of which you and your staff should be most wary about.
How can I avoid these kinds of attacks?
The United States Computer Emergency Readiness Team (US-CERT) offers several tips on how to avoid becoming a victim of an attack:
- Be wary of phone calls, emails, and other messages. Try to always verify the person’s identity directly with the company or organization they claim to be associated with.
- Do not click links in emails or reveal any financial or confidential information via email.
- Look closely at website URLs. Scammers will often leave one letter out of the name of a legitimate company or organization or use some similar tactic that would not cause immediate alarm.
- Try to verify any emails that seem suspicious by calling the companies or individuals they are from.
You should also take advantage of any anti-spam, anti-phishing, firewall protections, or other security measures provided by your EHR software vendor and/or Internet service provider. Email filters are a great tool, as well.