Social engineering can be briefly defined as the obtaining of information through deceptive methods. The intention of the action is to acquire information that will be of use in order to gain access to a system or use of information obtained from the system. There are benefits gained by allowing health care workers access to patient data, but the ability to maintain security of that information may be compromised due to the accessibility. Using methods such as social engineering, health care workers may innocently provide sensitive information without realizing that they have participated in the process of deception. This chapter addresses the issue of social engineering used to obtain health care worker’s passwords, as well as the laws that govern health care workers in relation to the privacy and security of confidential patient information.
TopBackground
Social engineers have traditionally used the telephone as the mechanism to obtain information. But today’s social engineer is just as likely to approach an employee of an organization and act as though they need to obtain information in order to complete their job. Another method used by social engineers is to present themselves as an employee and act as though they are assisting others. Of course, depending upon the shrewdness and professionalism of the social engineer, not all attempts are successful.
If the social engineer is attempting to find out about one particular patient, they may target that person’s medical health record. A patient’s medical record may include gender, race, family history, sexual history including types of birth control, sexual activity and treatment, any history or diagnosis of substance abuse, and diagnosis of mental illness. Other medical information, such as HIV status, may also be included. The accessibility of this confidential information may open the door to various forms of discrimination. For instance, chronic diseases such as HIV and AIDS may result in an increase in insurance rates or even denial of coverage, due to the extensive medical treatment usually needed by these patients. Individuals may even be ostracized or stigmatized because of their disease type. Patients expect the information contained in their records to remain secure and private, to be seen only by those individuals whose access is medically or administratively necessary.
Unfortunately, patient’s medical records are being illegally accessed and often when a breach occurs, the incident is seen in the news. Table 1 represents recent security breaches of patient information ranging from occurrences that affected individual patients, to an occurrence that wreaked havoc on thousands of patients.