Healthcare Employees and Passwords: An Entry Point for Social Engineering Attacks

B. Dawn Medlin (Appalachian State University, USA), Douglas May (Appalachian State University, USA) and Ken Corley (Appalachian State University, USA)
DOI: 10.4018/978-1-60960-777-7.ch004


The healthcare industry has benefitted from its employees’ ability to view patient data, but at the same time, this access allows patients’ healthcare records to be easily captured or stolen. Although access to and transmission of patient data may improve care, increase delivery time of services, and reduce healthcare costs, security of that information may be jeopardized due to the innocent sharing of personal and non-personal data with the wrong person. Through the tactic of social engineering, hackers are able to obtain information from employees that may allow them access into the hospital’s networked information system. In this study, we simulated a social engineering attack in hospitals of varying sizes with the goal of obtaining employees’ passwords. If employees are willing to share their passwords, serious questions and concerns about the state of employee security awareness within the healthcare system must be raised.
Chapter Preview


The electronic accumulation and exchange of personal health information has been promoted as a significant benefit to healthcare consumers and providers. Many healthcare policy experts believe that broader health information technology adoption may lead to the availability of more complete and transparent information, ultimately helping to contain healthcare costs while simultaneously improving healthcare quality.

But with this availability of information comes the opportunity for more fraudulent activity such as social engineering attacks. According to Thornburgh (2004), social engineering has gained profound acceptance in the information technology community as an effective social and psychological tool for exploiting the IT security mechanism of a target organization. For many social engineers, the process of obtaining meaningful information may lead to insight into the organization’s security policy, the countermeasures the organization has put in place, and specifics relating to personnel and their level of security privilege.
