Threat #1 of the Top 5 Threats Facing the Healthcare Sector: Social Engineering

Modified on Tue, 13 Feb at 6:13 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HHS 405(d) Program is a collaborative effort between The Health Sector Coordinating Council (an organization representing the primary healthcare subsectors of direct patient care; public health; health plans and payers; pharma, blood and labs; medical technology; health information technology; and funeral homes and mass fatality managers) and the federal government to align healthcare industry security practices.

The 405(d) Task Group developed Health Industry Cybersecurity Practices: Managing Threat and Protecting Patients, its first official Task Group product and publication. Health Industry Cybersecurity Practices is abbreviated HICP.


The Health Industry Cybersecurity Practices: Managing Threat and Protecting Patients document has identified the top five cybersecurity threats facing the healthcare sector.

Threat #1 is social engineering.


What is Social Engineering?
Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks, or into taking an action (e.g., clicking a link, opening a document). Other sensitive information targeted by social engineering includes banking numbers, Social Security numbers, and other sensitive data, which the cyberattacker obtains by claiming to be someone they are not.


How Does Social Engineering Work?
In a common social engineering tactic called phishing, the cyberattacker sends the user an email with an active link or file (often a picture or graphic). The email appears to come from a legitimate source, such as a friend, coworker, manager, or company. 

When the user clicks to open the link or file, the user is taken to a website that may solicit sensitive information or proactively infect the computer. Accessing the link or file may result in malicious software being downloaded or access being provided to the information stored on the user's computer (or other computers within the user's network).

Social engineering attacks also take the form of fraudulent messages or phone calls claiming to come from an important facility or institution. In the past several years, these attacks have become much more sophisticated and personal.

There are a number of phishing variations. These include:

Whaling
Whaling is a targeted phishing scheme directed at so-called whales - the marine animal even bigger than a fish, and in this context the biggest targets in an organization. Whaling attacks typically target CEOs, CFOs, COOs, or any higher-ranking officer in an organization. The email may state something to the effect that the organization is facing imminent legal consequences, and that the user needs to click on a link to get more information. The link takes the user to a page where the user is asked to enter critical data about the company, such as bank account numbers and tax ID numbers.

Smishing
Smishing is a type of phishing attack that uses text messaging or short message service (SMS) to execute the attack. A common smishing technique is to deliver a message to a cell phone through SMS that contains a clickable link or a return phone number. The message informs the user that the user's account has been compromised and that the user must respond immediately. The goal of the attack is to get the user to respond by having the user reply to the "emergency" by giving up the user's bank account number, social security number, etc. Once the attacker receives the information, the attacker gains control of the user's bank account. 

Vishing
Vishing is a phishing scheme that uses voice calls. The attacker calls a user and claims to be a representative from Microsoft, Apple, or another software company. The attacker then informs the user that a virus or malware has been detected on the user's computer, and that the user needs to install an updated version of antivirus or antimalware software on the computer - for a fee, of course. The attacker instructs the user to provide credit card details to "pay" for the new antimalware software. What does the user get in return? The likely installation of malware on the user's computer. The attacker, meanwhile, gains access to the user's credit card information.

Email Phishing

Email phishing is the most common type of phishing, and it has been in use since the 1990s. In an email phishing scam, a hacker sends an email to any email address that the hacker can obtain. The email typically informs the user that the user's account has been compromised, and, surprise!, the user must respond to the email immediately by clicking on a provided link.

While phishing methods have grown more sophisticated in recent years, hackers' command of the English language often has not; an email phishing attack is often easy to spot because the email contains spelling and/or grammatical errors. Some emails do not contain these errors, however. Checking the email's source (the sender and reply-to addresses) and the link the user is being directed to for suspicious language or mismatched domains can give the user clues as to whether the source is legitimate.
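The "check the source and the link" advice above can be automated for a mail gateway or an awareness tool. The following is an added example (not code from the article or from Compliancy Group) that parses a constructed sample message and reports three indicators: a sender domain that is not the organization's own domain, a Reply-To domain that differs from the From domain, and a link whose visible text shows one domain while its href points to another. The trusted domain, the sample headers, and all `.invalid` hostnames are assumed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (placeholder .invalid domains; not a real capture).
SAMPLE_EMAIL = """\
From: "IT Service Desk" <helpdesk@example-hospital-support.invalid>
Reply-To: recover@mailbox-reset.invalid
To: staff@example-hospital.invalid
Subject: Your account has been compromised - respond immediately
Content-Type: text/html

<p>Click <a href="http://example-hospital.invalid.mailbox-reset.invalid/login">
https://portal.example-hospital.invalid/reset</a> to verify your account.</p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def _domain(addr_or_url):
    """Last two labels of the host in a URL or the domain part of an address."""
    host = urlparse(addr_or_url).hostname if "://" in addr_or_url else addr_or_url.rsplit("@", 1)[-1]
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(raw, trusted_domain):
    """Return human-readable indicator strings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = _domain(msg["From"].addresses[0].addr_spec) if msg["From"] else ""
    if sender != trusted_domain:
        findings.append(f"sender domain {sender!r} is not {trusted_domain!r}")
    if msg["Reply-To"] and _domain(msg["Reply-To"].addresses[0].addr_spec) != sender:
        findings.append("Reply-To domain differs from From domain")
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        if text.startswith("http") and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)!r} but points to {_domain(href)!r}")
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL, "example-hospital.invalid")` to see all three indicators fire on the sample; a message whose sender, Reply-To and link domains all agree returns an empty list.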


Spear Phishing

Spear phishing involves targeting a specific individual in an organization to try to steal their login credentials. The attacker often first gathers information about the person before starting the attack, such as their name, position, and contact details. An example of spear phishing is when an attacker claims that a victim needs to do something important - such as signing a new employee handbook. The attacker provides the user with a link through which the user can take the requested action. Once the user clicks on the link, the user is asked to submit private information.










