As electronic health records (EHRs) become more prevalent, their users, including health care workers, insurers, health care organizations, and public health officials, become increasingly dependent on them. Maintaining the security of the information held in EHRs is therefore imperative, both to protect patient privacy and to prevent fraud. Security practice has traditionally emphasized technical controls such as strong passwords, firewalls, and encryption. There is growing awareness, however, that attackers often obtain information not by breaking through these barriers but by going around them: they target the people who hold the information, a practice known as social engineering.
Social engineering is a non-technical attack in which an unauthorized person influences a legitimate user through some channel of communication, whether in person, by telephone, or by email. The goal is to manipulate the target into disclosing protected information directly, or into performing an action (opening a file, resetting a password, granting access) that later helps the attacker obtain it. Social engineers understand human behavior well and exploit people's natural inclination to be helpful and to trust others. They frequently gather information incrementally, collecting pieces that seem harmless on their own, such as the names of employees and administrators, the organizational structure, vacation schedules, and internal policies and procedures. With this background they can convincingly impersonate an employee or administrator, in person, by telephone, or by email. Once accepted as legitimate, they construct a plausible pretext and con the target into revealing a password or PIN. In other cases the target is tricked into opening an attachment or downloaded file that installs malicious software such as a Trojan horse or a keystroke logger; at that point the attack has become technical, but it was the social engineering that got the malware onto the machine.
Another non-technical way for social engineers to obtain information is so-called dumpster diving, in which valuable material is recovered from an organization's trash. Current and expired passwords, organizational charts, calendars, directories, and even discarded disk drives have been found this way. These items may be directly useful, or they may simply familiarize the social engineer with the organization well enough to go after more sensitive information. "Shoulder surfing" is another method: the attacker learns a password or PIN by watching the victim enter it at a computer or keypad.
Organizations can defend against social engineering. Well-thought-out security policies and procedures are an essential first step. These policies must be explicit about what is expected of every member of the organization, including administration. They should address restricting the access of unauthorized personnel, the use of ID badges, how requests for information are handled (including how a requester's identity is verified before anything is released), and what information may and may not be given out. Policies for handling discarded items, from paper records to storage media, need to be spelled out. Sanctions for those who do not adhere to these policies must be clearly delineated and applied as described.
Policies describing what to do when an attack is suspected also need to be developed, so that an employee who senses something is wrong knows whom to tell and is not penalized for refusing a request. New employee training must devote adequate time to these policies and procedures, and the material must be reinforced regularly in mandatory review sessions. Help desk personnel are the most likely targets of a social engineer, since their role is precisely to provide help on demand; they need special training and must be familiar with social engineering techniques so that attempts can be recognized and reported. A culture of security needs to be developed and nurtured through regular communication, newsletters, reminders, and security-focused activities.
- Granger S. Social Engineering Fundamentals, Part I: Hacker Tactics. SecurityFocus, 2001.
- Granger S. Social Engineering Fundamentals, Part II: Combat Strategies. SecurityFocus, 2002.
- Imperva Application Defense Center. Consumer Password Worst Practices. Imperva ADC white paper, January 2010.
Submitted by Eric Kardon