One advantage of running a small boutique consultancy is I get to steer the business activity towards subjects I personally find interesting. Throughout my career, I have always been fascinated with frauds and that is where my focus normally lies. It’s that magic-like performance for me that has a very similar feeling to the showmanship of great magicians. When you watch a magic… Read more →
The AntiSocial Engineer Limited is supporting the Yorkshire Cyber Security Cluster to announce the first annual Yorkshire Cyber Security Event taking place on the 12th May at the 3m Buckley Innovation Centre in Huddersfield. We will be talking about our recent research into SIM Swap Fraud and sharing tips on how to keep safe online, we are even providing the refreshments… Read more →
Often it’s the little security issues we overlook that hurt us the most. By: Brand BarneySecurity cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .When it comes to data security, many health organizations don’t always worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such asUnlocked office doors during the dayWindow blindsReception desksLack of screensavers and privacy monitorsTheft of devices/hardwareMalware in left-behind devicesPeople may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when the staff is too busy with various assignments to look at the person walking out of the office with a server, company laptop, phone, etc.Organizations may also think data thefts are large events that take months of planning, looking like something from those heist movies. (Oceans 11, anyone?) However, most data thieves use simpler plans.The majority of physical data thefts take less than only minutes in planning and execution.TweetMalicious entities (hackers) strike quickly, take what data they can and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations. Here are some issues that your organization may not have considered.Taking devicesThe main problem offices have with devices is a nurse and a client use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes. Would you stop someone if they were walking out of your office with an iPad? Probably not, because you would assume it was theirs. But within a few potential minutes, that hacker has access to the network and whatever data or PHI is on that iPad. This type of theft can and does happen, and sadly it’s not limited to your office, hospital, etc. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way home from work. Theft is quite likely if a device is left alone and unsecured in or out of the workplace, and that breach can cause quite a bit of heartburn.See also: Balancing Mobile Convenience and PHI SecurityLeaving devicesYou don’t often think of thieves leaving something behind, but for hackers, an easy way to further the data heist is to leave behind malware. Here’s an example: A receptionist at a large hospital notices a flash drive was left on the desk. It’s labeled “HR,” so the receptionist decides to just drop it off at the Human Resources Department. The person in HR takes it and plugs it into a computer without a second thought. But that flash drive was full of malware and now the hospital’s system is infected and likely losing data.Be suspicious of any unfamiliar hardware or device that randomly appears.Windows and peeping eyesOften a thief doesn’t have to enter an office to steal information. They can look through a window and see information on the computer screens of workers. This can be remedied simply by putting up blinds in offices that have sensitive information.Follow for more data security articles like thisReception desks reveal more than you thinkReceptions desks are filled with tidbits of information and loose PHI that cause data thieves to grin. Things like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information without being noticed. It’s critical to the safety of your patient’s data that your receptionists are properly trained to handle social engineers and aware of everything that’s going on.See also: Healthcare Reception Desks: Breeding Ground for HIPAA CompromiseCheck-in and check-outKeeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen.Having check-ins helps your staff to acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients/vendors that come into the building sign in and out when entering secure zones (like a data center, or networking areas/server areas), and always assess who really needs access to those very sensitive areas.Unlocked doors: a social engineer’s paradiseSocial engineers love an entity that doesn’t pay as much attention to physical security. It makes their jobs that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down on an unlocked computer, steal phi, and then leave all within ten minutes.But if the office door is locked, then the social engineer usually won’t bother.Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what’s crazy is this very basic concept translates to all areas of security).Fighting back: it’s surprisingly easyMost of these risks can be prevented with little effort. Here are some suggestions:In risk analysis, look for physical security risksLock all office doors when not in use day and nightRequire passwords to access computers and mobile devices (encrypt your data or don’t have data on devices)Use screensavers and privacy monitors on computersInstall and use blinds in all office windowsKeep logs of who goes in and outKeep track of devices that go in and outHave policies in place for stolen equipment (Make sure to have a good Incident Response Plan and know your Breach Notification Policy front and back.)Train staff against social engineeringLimit access to PHI through role-based access.Have staff report suspicious people and devicesMake sure all reception desks protect PHI from prying eyesSee also: Common HIPAA Violations: HIPAA Quiz/HIPAA TestMost social engineering and data thefts can be prevented by following these simple practices. If your organization is taking into account the smaller issues, a social engineer, or a thief will be less likely to bother you because it’s not worth the effort.It’s the greatest benefit from the littlest effort.Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.