Social engineering attacks typically affect both IT and non-IT assets. IT assets span networked medical devices, networking equipment, identification components, client devices, clinical networked information systems, enterprise information systems and the data centre. In terms of non-IT assets, these attacks may gain access to information about patients (e.g. electronic health records), staff and buildings. With access to these assets, information can easily be misused. Social engineering is the human side of hacking and would not be possible without hospital staff playing a role.
Cascading effects. Social engineering attacks have a high criticality because of the broad range of follow-up attacks they make possible. Successful attacks can lead to the compromise of sensitive information by means of a malware attack. Patient data and health records, as well as financial information, may be the target. A successful attack in smart hospitals, which have intensely connected information systems and devices, could jeopardise a large part of the infrastructure. Attackers with a good understanding of the target may facilitate not only tampering with or theft of medical devices but also attacks based on the use of malware, e.g. ransomware. Attacks such as denial-of-service can also be combined with social engineering.
Recovery time and effort. Time and effort depend largely on the attacker's activities after a successful social engineering attack. Recovery time is more manageable if detection and reaction happen quickly. However, some attacks may be persistent and remain unnoticed for a long time.
Good practices for hospital IT teams and their senior managers. Key measures related to social engineering attacks include:
- Training and awareness raising. Proper investments should be made in staff training with frequent refreshers as this is by far the most important way to protect against social engineering. Awareness for social engineering in particular and information security in general is essential.
- Policies and procedures. These can also help reduce the risk of falling victim to a successful attack, for example clear policies on request verification, the use of social media and the reporting of suspicious people or situations.
- Security organisation. Clear roles and responsibilities are important both to prevent social engineering attacks and to respond to them quickly.
- Audits. Social engineering penetration tests may be particularly effective in creating awareness of threats.
Key take-away. Anyone, even security professionals, can be victims of social engineering attacks. These types of attack will continue unless hospitals create a conscious interface between humans on the one side and devices on the other.