Threat Agents and Manipulation of Computer and IT Users
Threat agents can directly or indirectly manipulate computer and IT users into voluntarily doing something that is unethical or illegal. This is not a problem for healthcare facilities to take lightly. Research shows that social engineering attacks happen frequently, and can impact an organization negatively. Studies reveal that many corporate employees are poorly equipped to withstand social engineering.
During a social engineering attack, predators use deceptive tactics to coerce a target company’s employees into disclosing protected information or into giving access to systems that contain sensitive information and data. Methods of this include targeted phishing emails, as well as landing pages used to collect information. Many email attachments exploit known vulnerabilities for the purpose of installing unauthorized software on the employee’s computer. Some common methods involved include phishing, viruses, malware, malicious code, and Web-based attacks.
Other methods of social engineering are as basic as an onsite visit or a phone call. According to experts, a social engineer can threaten employees making them think they are being investigated for wrongdoing. Also, that person or group can monitor social media postings of company employees for useful data, or find improperly-discarded sensitive company data by “dumpster diving.”
Loss of consumer and patient data can pose a problem to the hospital or healthcare facility. Patient and employee records could contain sensitive information, such as social security numbers, store or employee numbers, and more. This could be used for a secondary attack, as someone could impersonate another for financial or personal gain.
Avoid Being a Victim
Unless certain of a person or group’s authority, don’t provide personal information about your facility, such as its networks and structures. To avoid being a victim, you should:
– Be suspicious of phone calls, emails, and visits from persons asking about internal information or patient data. If an individual claims to be from a particular organization, call and verify that he or she is authorized.
– Don’t reveal financial or personal information in emails or phone calls. Also, don’t respond to solicitations for various data and information. This includes links that are sent via email.
– Pay attention to the website’s URL. Many malicious websites resemble the legitimate site, but they often use a different domain or variation in spelling of the organization’s name.
– Verify email requests before opening by contacting the company by phone. Also, don’t use contact information provided on the website that is connected to the request. Rather, check the previous statements for contact information.
– Install and maintain anti-virus software, email filters, and firewalls to reduce traffic and take advantage of anti-phising features that are provided by web browser and your email client.
If you suspect your organization is a victim, report it to the appropriate administrator in the facility. Also, if financial accounts are compromised, contact your financial institution and close accounts that were affected. Another important thing to do is to change passwords and monitor the system for signs of identity theft.