Social Engineering Techniques and Password Security: Two Issues Relevant in the Case of Health Care Workers

Social Engineering Techniques and Password Security: Two Issues Relevant in the Case of Health Care Workers

B. Dawn Medlin (Department of Computer Information Systems, Walker College of Business, Appalachian State University, Boone, NC, USA)
Copyright: © 2013 |Pages: 13
DOI: 10.4018/ijcwt.2013040104

Abstract

Due to the Internet and applications that can access the Internet, healthcare employees can benefit from the ability to view patient data almost anywhere and at any time. Data and information is also being shared among third party vendors, partners and supplies. With this type of accessibility of information which generally does include very personal information such as diagnosis and social security numbers, data can easily be obtained either through social engineering techniques or weak password usage. In this paper, a presentation of social engineering techniques is explored as well as the password practices of actual health care workers.
Article Preview

Introduction

A patient’s personal information, such as address, phone number, and social security number, are all items that may be included and accessible to some or all healthcare employees. PHR (Personal Health Care Records) are available to many who neither touch or need access to patient’s health care informtaitno. Volume of, and access to patient’s health care make them more vulnerable to security breaches, theft, and social engineering attacks. Both hackers and social engineers have successfully found ways to circumvent networked health data systems by simply asking for the information or by finding weaknesses within the system.

Certainly one of the the largest threats to a healthcare systems security may not be outsiders, but rather their own employees. Internal employees actually can pose the largest threat to the security and privacy of information as they can exploit the trust of their co-workers, and they generally are the individuals who have or have had authorized access to the health care organization’s network. As well, they are generallyfamiliar with the internal policies and procedures of the organization. Additionally, internal employees can exploit that knowledge to facilitate attacks and even collude with external attackers (http://www.hhs.gov/news/facts/privacy.html). These standards, as listed below, include management processes, user education and training, and access control:

  • Security Management Process [161.308(a)(1)] Healthcare organizations must show that they have a consistent set of internal processes, with implementation that is widespread and institutionalized. Processes range from establishing criteria for who has access to what, and who can request certain resources; to ensuring that access rights are revoked immediately upon employee termination;

  • Security Awareness and Training [161.308(a)(5)] HIPAA requires that staff members be trained and educated concerning the proper handling of PHI. This basic-level security training should include measures such as password management;

  • Access Control [161.312(a)] HIPAA security regulations require a definition of who has access to PHI within the organization, as well as the rules determining an individual’s right of access, and the reasons for denying access to some individuals.

Despite its legal requirements, however, HIPAA standards as well as healthcare security policies are not always followed. As an example, and according to one report, over “870,000 medical records were exposed in data breaches in just the first quarter of 2013. According to this site, medical data breaches have become a source of chronic pain for healthcare organizations” (http://www.experian.com/blogs/data-breach/2013/05/01/medical-data-breaches-a-source-of-chronic-pain).

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 9: 4 Issues (2019): Forthcoming, Available for Pre-Order
Volume 8: 4 Issues (2018): 3 Released, 1 Forthcoming
Volume 7: 4 Issues (2017)
Volume 6: 4 Issues (2016)
Volume 5: 4 Issues (2015)
Volume 4: 4 Issues (2014)
Volume 3: 4 Issues (2013)
Volume 2: 4 Issues (2012)
Volume 1: 4 Issues (2011)
View Complete Journal Contents Listing