This week I’ve been reading Kevin Mitnick’s classic book “Ghost in the Wires” on the recommendation of our Senior Director of IT. The book itself is an awesome read, though it’s fair to say that his accounts of his own social engineering attacks are chilling for anyone tasked with safeguarding patient data.
What’s truly alarming about Kevin’s exploits is that many of them still work today. All that is needed is a well-prepared con man who has taken the time to research your company so that he can present himself with the right story, and “hey presto”, some percentage of your staff will hand over their usernames and passwords without a second thought.
It really is that easy.
How do you protect against this kind of attack? The simple answers are education and practice.
The education component should be carried out by your Chief Privacy Officer, with all staff attending regular training sessions as well as receiving reminders via email and placards on the walls. In essence, this is a hand-washing campaign: you are trying to encourage highly intelligent people to pay attention to one often overlooked aspect of their own behavior.
The practice component is best performed with an automated phishing tool that lets you “set and forget” regular, realistic simulated attacks and records which staff fall for them so that they can be retrained.
One great tool for setting up practice runs is KnowBe4. It lets you create a fully automated phishing campaign in a matter of moments, then displays detailed statistics showing which users opened the email, who clicked a link, who replied, who downloaded an attachment, who ran it, and so on. The magic of this tool is its simplicity: it takes moments to set up and it produces realistic results that make people think twice before they click.
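To show how a simulation tool can attribute opens, clicks and credential submissions to individual recipients without the results being forged, here is an added example (my own code, not KnowBe4’s and not from the original post). Every recipient gets a unique link whose token is an HMAC over the campaign id and recipient id; a hit is only counted if the token verifies. The signing key, hostname, campaign name, user ids and the sample hits are all constructed for the demo.

```python
"""Per-recipient tracking for a simulated phishing campaign.

Each recipient's link carries an HMAC-signed token, so a hit can be
attributed to one person and a tampered token is rejected, not counted.
Added example; not KnowBe4's code.
"""
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption: a per-campaign secret known only to the simulation server.
CAMPAIGN_KEY = b"example-campaign-signing-key"

# Escalating stages a recipient can reach: "opened" fires from the tracking
# pixel, "clicked" from the landing page, "submitted" from the fake login form.
STAGES = ("opened", "clicked", "submitted")


def _tag(campaign_id: str, recipient_id: str) -> str:
    """HMAC-SHA256 over campaign and recipient, truncated to 128 bits."""
    msg = f"{campaign_id}:{recipient_id}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()[:32]


def tracking_url(base: str, campaign_id: str, recipient_id: str, stage: str) -> str:
    """Build the unique URL embedded in one recipient's email for one stage."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    tag = _tag(campaign_id, recipient_id)
    return f"{base}?c={campaign_id}&r={recipient_id}&s={stage}&t={tag}"


def parse_hit(url: str):
    """Return (campaign_id, recipient_id, stage) for a genuine hit, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        campaign_id, recipient_id, stage, tag = (q[k][0] for k in ("c", "r", "s", "t"))
    except (KeyError, IndexError):
        return None
    if stage not in STAGES:
        return None
    # Constant-time compare: nobody can shift blame to a colleague by editing
    # the recipient id, or forge a tag by guessing it byte by byte.
    if not hmac.compare_digest(_tag(campaign_id, recipient_id), tag):
        return None
    return campaign_id, recipient_id, stage


class CampaignTracker:
    """Collects which stages each recipient reached, per campaign."""

    def __init__(self):
        self.stages = defaultdict(lambda: defaultdict(set))
        self.rejected = 0

    def record(self, url: str) -> bool:
        """Record one hit; returns False (and counts it) if the token is bad."""
        hit = parse_hit(url)
        if hit is None:
            self.rejected += 1
            return False
        campaign_id, recipient_id, stage = hit
        self.stages[campaign_id][recipient_id].add(stage)
        return True

    def report(self, campaign_id: str) -> dict:
        """Furthest stage each recipient reached; the basis for the retraining list."""
        return {
            rid: max(reached, key=STAGES.index)
            for rid, reached in self.stages[campaign_id].items()
        }


def demo() -> CampaignTracker:
    """Constructed sample hits, not real campaign data."""
    base = "https://sim.example.internal/t"
    cid = "q3-payroll"
    tracker = CampaignTracker()
    hits = [
        tracking_url(base, cid, "u1001", "opened"),
        tracking_url(base, cid, "u1001", "clicked"),
        tracking_url(base, cid, "u1002", "opened"),
        tracking_url(base, cid, "u1003", "opened"),
        tracking_url(base, cid, "u1003", "clicked"),
        tracking_url(base, cid, "u1003", "submitted"),
        # Tampered hit: recipient id swapped to blame another user; token no longer verifies.
        tracking_url(base, cid, "u1001", "submitted").replace("r=u1001", "r=u1004"),
    ]
    for h in hits:
        tracker.record(h)
    return tracker


if __name__ == "__main__":
    t = demo()
    for rid, stage in sorted(t.report("q3-payroll").items()):
        print(rid, stage)
    print("rejected hits:", t.rejected)
```

Using an opaque recipient id rather than the email address keeps the tracking link from leaking who the target is if it is forwarded, and the signed token means the retraining list cannot be polluted by anyone who simply edits the URL.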
The third layer of defense is to engage a security company for at least an annual vulnerability assessment and penetration test. I’m partial to a company called NopSec because their pentest team takes its mission very seriously and leaves no stone unturned.
There’s a lot more that can be said about phishing, but I want to leave you with one important message. Phishing in health care is analogous to infectious disease, and proper sanitary practices are the answer. When people start to think seriously about their habits and are appropriately trained and drilled in how to deal with this problem, the risk is greatly diminished.
Cartoon courtesy of http://www.drivers.com/update/security-backup/tips-avoid-email-phishing-scams/