What is Social Engineering and Why Healthcare is Vulnerable
by Rick Kuwahara CMO of Paubox
Social engineering is the art of manipulating human psychology for one’s own gain, has been prevalent throughout history, but has scaled massively in recent years thanks to the internet and email.
According to HealthData Management, only 1% of cyberattacks in 2019 exploited a hardware or software vulnerability; 99% utilized some form of human intervention.
Cyber hackers employ social engineering techniques to attack an organization at its weakest point, its employees, which is why understanding the terminology is the first step in stopping its use.
Recognizing social engineering scams
Hackers use social engineering techniques to interest, entice, and trap, which is why identifying a malicious email is key.
Such emails will:
- offer something too good to be true
- come from a knowledgeable ‘unknown’ coworker or ‘unknown’ boss
- be personally tailored but from an unfamiliar person
- demand you learn more by clicking a link, opening an attachment, or visiting a website
Ask yourself key questions about the email and its sender. Do you know the sender? Did you expect the email?
Do not blindly click. Pause, consider, and if necessary, block and report.
Why is the healthcare industry vulnerable?
We have all heard horror stories about phishing and spoofing system-wide attacks due to the negligence of a single employee.
The wrong mouse click can cause a disastrous domino effect, at best shutting a system down temporarily, whether or not a ransom is paid, or at worst, exposing sensitive data and creating a larger, more dangerous problem.
Targeting the healthcare industry, with its wealth of personal patient data, is a practical option for cybercriminals, demonstrated.
The significance of protected health information, along with the industry’s unfortunate use of legacy devices and notoriously overworked employees, sets the industry as a prime target.
Strong cybersecurity includes employee awareness training
A solid cybersecurity program must utilize employee awareness training along with secure offline backup, multi-factor authentication, and email security software.
Training must include a review of all existing processes and policies. Every procedure should be practiced and learned.
Training should be detailed and thorough, then updated and repeated.
Keeping cybersecurity people-centered is necessary to turn the weakest security link into a strong asset, derailing cybercriminals desires to use social engineering tactics in the future.