
HHS: Social engineering and healthcare


According to the US Department of Health and Human Services (HHS), social engineering is the manipulation of human psychology for personal gain, often resulting in data breaches and significant threats to the health sector. 


What is social engineering?

Social engineering involves psychological manipulation to deceive individuals and gain unauthorized access to sensitive information. It is a tactic employed by attackers to exploit the natural inclination of people to trust and assist others. Social engineers can manipulate staff members into giving access to their computers, routers, or Wi-Fi, leading to the theft of protected health information (PHI) and the installation of malware.

Read more: What is social engineering? 


Phases of a social engineering attack

There are different phases involved in social engineering attacks:

  • Reconnaissance: The attacker gathers information about the target; this information helps the attacker craft convincing messages or scenarios.
  • Phishing: Phishing is one of the most common social engineering attacks. It involves sending fraudulent messages to trick individuals into revealing sensitive information or deploying malicious software onto their devices.
  • Exploitation: Once the attacker has gained access to sensitive information, they exploit it for their own gain.

Related: What is a phishing attack? 


Types of social engineering attacks

Social engineering attacks come in various forms, each with its own methods and objectives:


Phishing

Phishing is a social engineering attack where the attacker sends fraudulent messages to trick individuals into revealing sensitive information or installing malware. These messages often appear to come from legitimate sources, such as banks or healthcare organizations, and prompt recipients to click on malicious links or provide personal information.


Vishing

Vishing, or voice phishing, involves defrauding individuals over the phone. Attackers use social engineering techniques to entice people into divulging sensitive information.


Business email compromise (BEC)

BEC is a social engineering attack where a threat actor sends an email to their target, posing as a trusted source. The goal is to scam a business or defraud a company by tricking individuals into interacting on the threat actor's behalf.


Deepfake software

Deepfake software combines voice cloning and video manipulation, allowing anyone to take on the identity of a trusted persona. This technology can manipulate individuals and deceive them into revealing sensitive information.


Whaling

Whaling is a phishing attack that targets senior executives. Attackers send fake emails masquerading as legitimate messages to trick high-level individuals into revealing sensitive information or performing actions that benefit the attacker.
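As an added, defender-side illustration (example code written for this page, not HHS guidance or Paubox's own tooling), the following Python script triages a few constructed email headers for the hallmarks of the phishing, BEC and whaling messages described above: a protected executive's name on an outside address, a trusted address planted in the display name, a sender domain that is a near-miss of a trusted one, and a Reply-To that points somewhere other than the sender. The trusted domains, the protected names and the sample messages are all assumptions made up for the example.

```python
"""Header-based triage for phishing / BEC style messages.

Constructed example: the domains, names and messages below are invented
for illustration and are not from the HHS bulletin or from Paubox.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this organization actually sends mail from.
TRUSTED_DOMAINS = {"example-health.org", "mail.example-health.org"}

# Assumption: display names worth protecting (executives targeted by whaling/BEC).
PROTECTED_NAMES = {"dana reyes"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """True when the domain is not trusted but sits within two edits of a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(_edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def triage(raw_message: str) -> list:
    """Return the list of header findings for one RFC 822 message (empty means clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []

    # A protected person's name on an address outside our domains.
    if name.strip().lower() in PROTECTED_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append("display-name impersonation")

    # A trusted address shown as the display name, hiding the real sender.
    if "@" in name and _domain(name) in TRUSTED_DOMAINS and from_dom not in TRUSTED_DOMAINS:
        findings.append("trusted address in display name")

    # Sender domain that is a near-miss of one of ours (e.g. digit 1 for letter l).
    if lookalike(from_dom):
        findings.append("lookalike sender domain")

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to mismatch")

    return findings


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "legit": "From: Dana Reyes <dana.reyes@example-health.org>\nSubject: Q3 budget\n\nPlease review.\n",
    "bec": "From: Dana Reyes <dana.reyes.ceo@gmail.com>\nReply-To: d.reyes@outlook.example\n"
           "Subject: Urgent wire\n\nI need this done before noon.\n",
    "lookalike": "From: IT Helpdesk <support@examp1e-health.org>\nSubject: Password reset\n\nClick here.\n",
    "planted": 'From: "dana.reyes@example-health.org" <noreply@mailer.example>\nSubject: Records\n\nSee attached.\n',
}


def triage_all() -> dict:
    """Run the triage over every sample; handy for a quick self-check."""
    return {label: triage(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in triage_all().items():
        print(f"{label:10s} -> {findings or 'no findings'}")
```

The script only reads headers, so it is cheap enough to run at the mail gateway or over a mailbox export; a non-empty finding list is a cue to hold the message for the verification step the HHS guidance recommends, not proof of fraud, and the two-edit threshold will need tuning for very short domain names.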



Why is social engineering a problem for healthcare?

Social engineering poses significant challenges to the healthcare industry due to several factors:


Trust

Patients in healthcare settings naturally trust medical professionals to protect their sensitive information.


Desire to help

Healthcare professionals desire to help others, making them more vulnerable to manipulation by social engineers.


Desire to look intelligent

The healthcare industry attracts individuals who strive to be knowledgeable, which can make them more susceptible to social engineering attacks that exploit their desire for recognition.


Fear of getting in trouble

Employees in the healthcare industry may be afraid of making mistakes or facing disciplinary action, making them more likely to comply with the requests of social engineers.


Taking shortcuts

In high-pressure healthcare environments, some employees may take shortcuts to save time or meet deadlines, inadvertently creating opportunities for social engineers to exploit.


Steps to protect your organization

Protecting your organization from social engineering attacks requires a multi-faceted approach. Here are some steps you can take to enhance your organization's security:


Implement backups

Regularly back up your data and ensure the backups are secure and easily accessible in case of an attack.


Regular software updates

Keep all software and systems up to date with the latest patches and security updates to protect against known vulnerabilities.


Roll out sensible restrictions

Implement strong access controls, including two-factor authentication, to limit unauthorized access to sensitive information.


Proper credential tracking

Implement robust identity and access management systems to track and manage user credentials effectively.


Training staff

Provide regular training and education to employees to raise awareness about social engineering tactics and how to identify and report potential threats.


Verify all requests

Instruct employees to verify any requests for sensitive information or actions, especially if they seem unusual or come from unfamiliar sources.


Shared responsibility

Make security a shared responsibility across all departments and ensure everyone understands their role in protecting sensitive information.


Increase physical security

Implement physical security measures, such as access controls and surveillance cameras, to protect sensitive areas and prevent unauthorized access.


Hire a consultant

Consider engaging a cybersecurity consultant to assess your organization's security posture and provide recommendations for improvement.


Take advantage of resources

Leverage resources provided by industry organizations and government agencies to stay current on the latest cybersecurity best practices and threat intelligence.

See also: HIPAA Compliant Email: The Definitive Guide 
