It Can Happen To You | Social engineering in Healthcare
Phishing, spoofing, dumpster diving, shoulder surfing, role play… You name it! Many companies think they have the right technology in place to face these social engineering attacks. But, guess what…
It can happen to you too! One single inattentive End User can cause a data leak and ruin your systems and reputation. We’ve been doing ethical hacking for 20 years now. And, we’ve put it to the test. Let me share some true stories with you.
Healthcare, an easy victim
The first story I want to share with you is about a hospital. The IT department, together with management, asked us to perform some acts of social engineering to test how their End Users would react.
A hospital is a very open institution. Everyone can enter and leave without really getting noticed. So, what did we do?
In most hospitals, the employees enter rooms by using their badges. This hospital wasn’t any different. So, we did some online research on their badge supplier. We made our own business cards, shirts and T-shirts using the logo of that supplier. And then, we went to the hospital with a very cheap badge-reading tool we bought online. It was a tool we attached to the badge readers of the hospital itself. And, from our laptops, we could read all the information that was being scanned.
So, as we were there, pretending we were supplier X trying to fix the urgent problem, we asked the employees if we could scan their badge to do some testing. Each time we scanned, we got more information. Information that made it possible to create copies of their badges. More than 50 employees let us scan their personal badge!
Then, there was one attentive guy who asked us why we were there because he thought we would come in 2 weeks for the new building. We said we came earlier because of some urgent problems and he went to get the electrician. We started some small talk to take away any form of distrust and we asked him if he could take us to the system where all information from the badge readers arrives. We went to that room and got to take pictures of all the devices that were in there!
Let’s steal some personal data
Another healthcare story. I went to the hospital during visiting hours. A lot of the staff were eating together in their coffee rooms having a chat. That worked out fine for me. Fewer people to worry about…
I went into an empty room. I guess the patient was away for a walk or something because his personal belongings were still there as well as his … patient file! BINGO!
I got to take pictures of all the details that were on there. I got to know the name of the patient (let’s call him John Smith), the name of his family doctor and more.
Then I went for another walk to see what else I could find. Another BINGO: the doctor’s office was abandoned and I could just walk in. And: JACKPOT. I couldn’t believe it. His computer wasn’t locked and I was able to take pictures of a list with patient data. Then, I went back to my car and drove home.
The day after, I decided to take it to the next level. I called the hospital to ask the nurse for more information about my ‘father’ John Smith. ? She passed his doctor. I said I was worried about my father, and asked for details on his health. “He has to take a lot of medication etc. Which medicines does he exactly take?”, I asked.
The doctor gave me the entire list of medication he was on. How about passing sensitive data!! (cfr. GDPR)
These are just some examples of how easy it is for hackers to get access to sensitive data. And this is just the beginning. If personal data gets into the wrong hands, the impact can be immense and some real damage can be done. It is therefore very important to train your End Users to be aware of the dangers of social engineering and the potential impact it can have on their company.
SecureLink Belgium, together with ZIONSECURITY offers an interactive End User Security Training Program which can include:
- Simulated attacks
- Knowledge assessments
- Mystery visits
- Phone Phishing, email-phishing, CEO phishing, USB phishing, spear-phishing,..
- On premise user awareness sessions
- Online user awareness training tracks
- Insider threat programs
Share the post