Social Engineering in Action

All of us have routines at home and at the office. Routines are often done “on autopilot,” because we don’t have to think much about them. This might apply to a lot of the tasks you do every day like walking to the printer, sending a fax, email, or filing. However, from a privacy and security perspective, too much time in autopilot can crash your plane.

Here are two common scenarios where autopilot could cause a security incident.

A Phishing Attack

Your role involves reading and replying to emails that are sent from your practice’s “Contact Us” page. You’re rushing through these new emails first thing in the morning to get them out of the way. An email with the subject line “New Patient” has a link in it and the sender writes that you can download his completed new patient forms from his Dropbox account before his appointment next week. Wow. You’re so impressed that the patient is being proactive and saving you time, you forget that your practice doesn’t provide new patient forms on your website! You click the link, but it doesn’t take you to Dropbox. You’ve been phished!

Phishing emails use infected file attachments and links to fake websites that often look legitimate in order to gather personal or business information.

What do you do now? Report it immediately to your HIPAA Officer so that your IT provider can scan for and remove any malware and determine if any data has been lost. It’s also highly recommended that everyone updates their password.

Piggybacking and Tailgating

You are entering data from last week’s patient visits into the EHR. As you complete each patient summary, you drop the hard-copy into the empty box by your chair until you can take them all to the shredder when you’re finished.

The office is particularly busy today. Patients are booked back to back; there are repair contractors in the office; and other vendors are coming and going (document shredder, water cooler delivery, etc.) One of the vendors asks you where the restrooms are located. You leave your desk to show her.

When you return, you reach for the file you had just completed to be sure it’s correct and you realize the entire box of patient summaries is gone! While you were away from your desk, an unauthorized person stole the box of patient summaries undetected!

The thief took advantage of the busy office full of unfamiliar faces and piggybacked or tailgated behind an authorized person through the otherwise secure entry.

Piggybacking, also known as tailgating, is a common social engineering technique where a thief relies on the established routines and social norms of people to gain access to information or property.

Patient information should never be left in an area where an unauthorized person can see it or remove it from the office. Always shred documentation as soon as it is no longer needed, and never leave it unattended.

An important physical security measure is to ensure that you and your employees do not allow someone they do not know or who do not show appropriate identification to enter a restricted area behind them. It is second nature to hold the door, but not in these situations. Patients, vendors, and all other visitors should sign in when they arrive, be escorted in the office, and vendors should display their identification. Never prop open doors to restricted areas and be sure that doors completely close behind you. Broken locks and badge scanners should be reported and repaired ASAP.