Hospitals play an absolutely fundamental role in delivering critical health and social care services. IT security in hospitals and healthcare facilities needs to be comprehensive, protecting not only IT assets but also staff and patients from cyber-attacks, cyber-incidents and vulnerabilities in software and medical devices.

Common attacks in healthcare span malware, tampering with devices, social engineering, denial of service and theft. In this new series of blog posts we look at vulnerabilities in IT systems from technical, organisational and social perspectives.

What's more, these various types of attack do not always occur separately from each other. For example, attacks like social engineering are often used to better understand the target organisation, i.e. as reconnaissance attacks. It is also very important to note that the main stakeholders affected are patients and hospital staff, medical and non-medical. In some cases, manufacturers (e.g. of medical devices) are also affected as the equipment they produce is deemed vulnerable to cyber security attacks.

For hackers, a good understanding of the target can be the first step not only for tampering with or stealing medical devices but also attacks based on the use of malware, e.g. ransomware. Attacks like denial-of-service can also be combined with attacks like social engineering. 

In this blog, we focus on social engineering attacks on hospital staff, which is the human side of hacking.

These attacks typically target information gathering, committing fraud and gaining access to IT systems. If hackers are planning a follow-up attack, they may install malware on a computer in the targeted organisation.

There are two types of social engineering attacks:
1. Human-based social engineering: gathering of sensitive information by person-to-person interaction exploiting human characteristics like trust, fear or helplessness. 
Examples include pretexting, eavesdropping, shoulder surfing, tailgating and dumpster diving. 
2. Computer-based social engineering: this is done with the help of computers. Examples include phishing and baiting. 

Real-world attack: UWMedical hospital in Seattle. The attack gave hackers access to the medical records of 90,000 patients. 

How did it happen? An employee opened an email attachment containing malware. The malware took control of the computer, which had patient data stored on it.
It is not known whether the affected email had a spoofed sender address, i.e. an email address that looks familiar. Such addresses increase the likelihood of an email being opened.
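One defensive check that follows from this: flag senders that merely look familiar before the message reaches a mailbox. The example below is added here and is not code from the original post; it assumes the hospital's own domain is `hospital.example` (a placeholder) and the sample headers are constructed.

```python
"""Flag e-mail senders that look like, but are not, the organisation's own.

Added example, not from the original post. Assumes the hospital owns the
placeholder domain "hospital.example" and that raw RFC 5322 headers are
available. Sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"hospital.example"}   # assumption: the organisation's own domains
LOOKALIKE_MAX_DISTANCE = 2               # "hospitai" vs "hospital" is distance 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means the domain 'looks familiar'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(raw_message: str) -> list[str]:
    """Return a list of reasons the From header is suspicious (empty = no finding)."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    if domain in TRUSTED_DOMAINS:
        return []                         # genuinely internal sender
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= LOOKALIKE_MAX_DISTANCE:
            reasons.append(f"lookalike domain {domain!r} resembles {trusted!r}")
        if trusted in display_name.lower():
            reasons.append("display name claims a trusted domain the address lacks")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed samples: an internal message, a lookalike domain (capital I for l),
# and an external sender whose replies are routed elsewhere.
SAMPLE_LEGIT = "From: Records <records@hospital.example>\nSubject: Chart\n\nbody\n"
SAMPLE_LOOKALIKE = "From: IT Helpdesk <helpdesk@hospitaI.example>\nSubject: Reset\n\nbody\n"
SAMPLE_REPLYTO = "From: Dr Smith <dr.smith@mailhost.example>\nReply-To: pay@collect.example\n\nbody\n"
```

Run it over mail-gateway samples and route anything with a non-empty result to quarantine or a warning banner.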

What is typically affected by social engineering attacks and why does it matter?

  • Information about patients, e.g. medical records.
  • Information about staff.

The attack at the hospital in Seattle included sensitive information like patient names, medical numbers, demographic data like addresses and phone numbers, dates of service, charge amounts for services, social security numbers and dates of birth. Protecting this valuable information is crucial for the safety and wellbeing of patients as it can easily be misused. 

Equally important, hospital staff who are not aware of the risks increase the success rate of social engineering attacks.

Other assets affected: networked medical devices; networking equipment; identification components; client devices; clinical networked information systems; data centre.

Criticality: High because of the broad range of follow-up attacks possible after a successful social engineering attack.
Likelihood: High because this type of attack has become a pivot point in the healthcare context. People are considered a particularly weak link in an organisation's security chain. It is therefore important to increase security awareness amongst hospital staff.