Healthcare institutions are a constantly changing ecosystem of people on the move: internal employees, patients, visitors, and contractors intermix throughout the day. This makes healthcare institutions particularly vulnerable to social engineering, the practice of pretending to be someone you are not. Bad actors use these methods to gain unauthorized access, for example with the intent of exploiting medical records. Let's look at some best practices for combating social engineering.
A social engineer is trying to blend into the environment and gain the trust of anyone who interacts with them. One of the easiest disguises to obtain is a pair of scrubs, easily ordered online. Who's not to be trusted in a pair of scrubs? In a busy clinical environment, it may be hard to scrutinize the name tag of everyone moving through the hallways, especially in the controlled chaos that can happen around a code event or emergency arrival.
Another common disguise is an IT worker. People in IT primarily work behind the scenes and may not be immediately identifiable by clinical coworkers. When IT members are visible, they are often addressing an urgent event, such as a systems failure. The language used by the IT community is not readily understood by most laypeople. This creates the possibility of a bad actor presenting a false urgent situation and confusing someone into giving them access.
How can technology help?
A bad actor starts with zero access and makes probing efforts to increase their range. A natural starting point is to create a fake ID. If someone asks to be logged in or allowed access, this is a red flag even if that person produces a legitimate-looking ID. "Smart cards" are cards that are unique to individual providers and securely allow access to systems and patient records. Using smart cards systemwide eliminates any need for outsider access, because each individual has personal credentials. Granting anyone else access with a personal card would be highly risky, since the responsibility for that login would fall on the card owner.
Biometric facial recognition software can be employed to identify and track unknown personnel. Enrollment can be a one-time "registration" done at a kiosk, and the system can be fully automated so that it does not burden staff. Machine learning can identify when an unknown person is in a restricted location or performing an activity that raises suspicion, making it easier to detect and intervene.
Data breaches happen every day in healthcare. As healthcare systems tighten IT security against external attacks from the internet, stolen data will become more valuable and hackers may have to resort to new methods. Awareness will help us defend against bad actors using social engineering tactics.