Do you have any experience with Social Engineering? Sun Tzu is quoted as saying "If you know the enemy and know yourself, you need not fear the result of a hundred battles". Social Engineering (SE) is still not widely understood, and there are many different opinions on what exactly it is. Some think it is nothing more than scamming and lying, and in truth, it is. However, that is exactly what crooks are: liars and scammers. Don't you want to be prepared for them, instead of assuming a social-engineering attack could never happen to you?
You want SE experience if:
- You have been tasked to make sure your practice is as secure as possible
- You want to identify what holes are open in your practice
- You need to be sure your practice is not vulnerable to social-engineering attacks.
Social Engineering is not good or evil. It is simply a tool that has many different uses, and everyday people use it in everyday situations. Want a raise? The way you navigate getting that raise can be considered social engineering. Unfortunately, criminals also use it to get you to give up valuable, sensitive information. Wikipedia describes it as "the act of manipulating people into performing actions or divulging confidential information." While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or gaining access to a computer. Have you ever heard of someone getting that call from "Microsoft" saying they need to get into your computer?
Although no one wants to be a scammer, sometimes, in order to protect your practice, you have to think like one. A good exercise is to have someone walk into your practice and see how far they get. Did they get past the front desk and into the clinical area? Could they pick up PHI and walk out the door? I once walked directly into a practice, waved at the front desk, they buzzed me in, and I walked around the clinic until finally someone said, "Who are you?" I kindly explained my social engineering test, and the staff was trained on what to do when unidentified people enter the practice. No harm done.
Another test I have performed is to go to a client's satellite office, stop by the front desk and say, "I am with the IT department; can I use your computer?" No questions asked, the user got up from her seat, and I was easily able to sit down and search for all the information I wanted. As a matter of fact, she took the opportunity to go on "break" while I was at her desk, leaving me alone to do whatever I wanted. Needless to say, the practice has since been trained on how to handle people coming in and saying, "I am from IT," or "I am the copier vendor," and so on.
If you have not had any experience with social engineering, you really should get some. It is a great way to think through the holes in your practice, and a great way to protect yourself against inadvertent data breaches. For more information, contact Tier3MD.
Tier3MD is a medical IT support group, headquartered in Atlanta, GA.