The guidance comes from a report entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” from the US Department of Health and Human Services and its advisory group. It includes information on social engineering and healthcare. See the report here.
The information will seem basic to many IT security professionals, but it’s likely helpful to many healthcare organizations, which have proven disturbingly vulnerable to cybercrime. “(S)ocial engineering techniques include an attacker leveraging trending events (e.g., the COVID-19 pandemic) or a high-profile social or political event (e.g., a local election). Another trick attackers use is sending emails, calls, or flyers to claim free tickets or other giveaway items, such as free healthcare IT services. The attacker may send several emails to establish a level of trust, convincing the victim to reveal personal data, such as their personal email or place of employment. The attacker may even impersonate the user, call an IT help desk, and attempt to reset their password. The attacker can then use information to reset passwords by using easily discoverable personal information available through various data sources. For instance, the question ‘What high school did you attend?’ can often be found in public data records, social media posts, or a blog.”
The report does include some alarming information on the potential impact of social engineering and other attacks on healthcare organizations and their technology.

For additional information on cybersecurity and the health sector, check out Health-ISAC (Information Sharing and Analysis Center).