This week I’ve been reading Kevin Mitnick’s classic book “Ghost in the Wires” on the recommendation of our Senior Director of IT. The book itself is an awesome read, though it’s fair to say the memoirs of Kevin’s social engineering attacks are chilling for anyone tasked with safeguarding patient data.

What’s truly amazing about Kevin’s exploits is that many of them still work today. All that is needed is a well-prepared con-man who has taken the time to research your company so that they can present themselves correctly with the right story, and “hey presto” some percentage of your staff will give out their usernames and passwords without a second thought.

It really is that easy.

How do you protect against this kind of exploit? The simple answers are education and practice.

The education component should be carried out by your Chief Privacy Officer with all staff attending regular training sessions, as well as receiving reminders via email and placards on the walls. In essence, this is a hand washing campaign where you are trying to encourage highly intelligent people to pay attention to one often overlooked aspect of their behavior.

The practice component is best performed using an automated phishing tool that allows you to “set and forget” regular realistic attacks and collects information on staff who fall for the scam so that they can be retrained.

One great tool for setting up practice runs is KnowBe4. This tool allows you to create a fully automated phishing campaign in a matter of moments, then displays detailed statistics showing which users opened the email, who clicked on any links, replied to the email, downloaded an attachment, ran the attachment, and so on. The magic of this tool is its simplicity – it takes moments to set up and it produces realistic results that really make people think twice before they click.

The third layer of defense is to engage a security company for at least an annual vulnerability assessment. I’m partial to a company called NopSec because their pentest team takes their mission very seriously and leaves no stone unturned.

There’s a lot more that can be said about phishing, but I want to leave you with one important message. Phishing in health care is analogous to infectious disease. Proper sanitary practices are the answer. When people start to think seriously about their habits, and are appropriately trained and drilled in how to deal with this problem, the threat surface is greatly diminished.

2 thoughts

  1. Education is key. When people are well-informed about best practices, and kept up to date on the latest scams, they will be less likely to fall victim to a phishing scam. Emphasize the high points: don’t click on links from unknown senders, don’t reply to “Urgent”-seeming messages before verifying the identity of the sender. Also, it would be interesting to see data on which industries are the biggest targets. What do scammers look for in a target?
