Cybersecurity scenario: Recognizing cybercrime opportunities through social media


This message comes from Ballad Health’s IT team. Here’s a mock scenario in which someone is victimized by a cybercrime due to information provided on social media.

Suzie lists her place of employment on Facebook. She hasn’t enabled privacy features, so her personal profile is visible to the public. She hasn’t considered the connection between her public profile and her clinic.

George knows that protected health information (PHI) or personal identifying information (PII) will fetch a fantastic price, so George is on the hunt for a healthcare employee to exploit. He sees on Suzie’s profile that she works at a medical clinic. He also sees Suzie’s post that she’s on vacation in The Bahamas.

THE HACK

George calls the clinic, and Patti answers.

George: Hello, I’m William Lyons, and I’ve been working with Suzie on quoting a new backup server for the clinic. Is she available?

George doesn’t know if the clinic has a server or if they use an electronic medical record (EMR) system; however, he can spin a story about how Suzie is looking into getting a backup server. Social engineers are con artists. They can spin a story until they get what they want or hit a roadblock and move to an easier target.

Patti: No. She’s currently out of the office, but I may be able to help you.

George: OK, great! This server is in addition to what your IT organization has in place. It helps ensure your systems stay up and running even if there is a power outage. If you could grab some information that I forgot to get from Suzie, I could get this quote finished and over to Suzie. Can you help me?

Patti: Sure. What do you need?

George: Can you remotely access the server for me?

Patti: No, but I can talk to someone in the office and get some information for you.

George: Great! What is the operating system, and what is the application version the server is running?

Patti places “William” on hold and collects the information. George then gives Patti a website to visit and connect to. What she doesn’t know is that this website will give George access to the clinic’s system and a foothold on the clinic’s network. Now that he has access to the server, George can infect it with malware and steal the clinic’s information.

Don’t Take the Bait

How to avoid this outcome: Patti should never have offered to help “William” in this way. She should have asked him for his contact information and told him she would forward his request to the appropriate team(s) so it could be properly assessed and addressed.

Team members should never provide information to anyone unless they are authorized to do so. The best advice is STOP, THINK, CHECK, AUTHORIZE.

Our cybersecurity campaign

We must stay alert if we are going to protect our organization, our data, our patients and each other, and one of the best ways to stay prepared is through education.

This fall, Ballad Health launched “Don’t Take the Bait,” a coordinated cybersecurity campaign. In the coming weeks and months, this cybersecurity campaign will consist of Ballad Health News and Ballad Teams articles, videos, tips and quizzes. Be on the lookout for how you can learn more about cybersecurity risks and what you can do to support our efforts in data protection.