On Tuesday the 12th of January 2016, Derren Brown returned to our screens and presented us with Pushed To The Edge. The premise of the show was to demonstrate how social compliance can influence behaviour, and how plausible it would be to get someone to commit murder by pushing a person off the edge of a building.
The show started with a gentleman on the phone impersonating a policeman and getting a member of staff in a coffee shop to distract a lady and remove her baby, under the guise that she was a known child abuser. Many tweets on Twitter mention that this wouldn't happen, or that it's cruel, etc.; however, the truth is that under the right conditions, and with the perception of an individual in authority providing you with a plausible story, it could happen exactly as witnessed on the show.
The main theme of the show is then the murder of Bernie, by pushing him off the side of the building while he has a cigarette. At the climax of the show the main participant ends up not doing the push, but we then see three other participants who have been through the same process do it. As usual, the media and social networks are mixed on whether this was brilliant television, or super cruel, unethical and a sign that Derren has gone too far.
So I thought I would share my perspective. Obviously I am a Derren fan and I enjoyed the show, but for me it's not his best work, and I much prefer his stage stuff. However, I actually think the show proved to be a good reminder of how susceptible people are to being influenced to do something that may or may not be in their best interest (just like when being socially engineered). I also think it's a good time for this to be communicated, seeing as we currently live in a world of heightened terror, with seemingly every man and his dog looking to blow something or someone up for a cause they believe in.
Firstly, a key thing to remember is that everyone involved (the participants, or victims if you will) signed up to be on the show. Sure enough, they may not have been aware of the specifics and extent, but if you are a fan of Derren (and you will be if you sign up) you have a good idea of the extent he may go to, so it is an informed decision. Also, and this is an assumption, they probably couldn't air the TV show without the consent of those who participated after the event, so I wouldn't say these people are victims. Yes, friends and family may see them from a different perspective for a short period of time, but more likely they will realise it could quite easily have been them.
Also, the people selected/shortlisted were those most susceptible to acting in a socially compliant manner. Like any show, this is a key requirement to get the desired result, but as mentioned before, given the right conditions we can all act in ways we or others may not think we ever would.
For me the best thing about this show was the generation of mass awareness. I imagine everyone who watched it will question what they would have done, be that they totally wouldn't do it, or perhaps they would have up to a certain stage. This is great as it gets the brain thinking; you are then more likely to spot similar things happening to you on varying scales. Another point is that there was no special magic or voodoo going on, just bog-standard influence and manipulation of the situation.
Social compliance is part of our everyday lives: we do things and question them, or ask our friends and family for agreement before acting; it's all similar. Most importantly, the bad guys are doing this to help them achieve their goals, or to aid them in their agenda.
So even though I don't think it's the best Derren Brown thing ever on TV, I think it has done a good job of shaking people up a little bit, and hopefully the message isn't totally lost in the focus on how cruel and unethical it was (I guess we will find out in due course after Ofcom investigate the complaints).
Anyway, this is just my perspective; we are all entitled to one, and I welcome anyone to share theirs in the comments.
Often it’s the little security issues we overlook that hurt us the most.
By: Brand Barney

Security cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .

When it comes to data security, many health organizations don't worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such as the following.

Check-in and check-out
Keeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen. Having check-ins helps your staff acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients and vendors that come into the building sign in and out when entering secure zones (such as a data center or networking/server areas), and always assess who really needs access to those very sensitive areas.

Unlocked doors: a social engineer's paradise
Social engineers love an entity that doesn't pay much attention to physical security. It makes their job that much easier, and if you aren't paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down at an unlocked computer, steal PHI, and leave, all within ten minutes. But if the office door is locked, the social engineer usually won't bother.

Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there's an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what's striking is that this very basic concept translates to all areas of security).

Fighting back: it's surprisingly easy
Most of these risks can be prevented with little effort. Here are some suggestions:

- In your risk analysis, look for physical security risks
- Lock all office doors when not in use, day and night
- Require passwords to access computers and mobile devices (encrypt your data, or don't keep data on devices)
- Use screensavers and privacy monitors on computers
- Install and use blinds in all office windows
- Keep logs of who goes in and out
- Keep track of devices that go in and out
- Have policies in place for stolen equipment (make sure you have a good Incident Response Plan and know your Breach Notification Policy front and back)
- Train staff against social engineering
- Limit access to PHI through role-based access
- Have staff report suspicious people and devices
- Make sure all reception desks protect PHI from prying eyes

See also: Common HIPAA Violations: HIPAA Quiz/HIPAA Test

Most social engineering and data thefts can be prevented by following these simple practices. If your organization takes the smaller issues into account, a social engineer or thief will be less likely to bother you because it's not worth the effort. It's the greatest benefit from the littlest effort.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
Your workforce members are your weakest link; here’s what you can do to help them.
6. The Relaxing Conversation
The social engineer goes into a hospital and asks one of the staff, "I'm with IT and I am here to install some updates on your systems, and I need to get on your computer." The staff member is initially suspicious. The social engineer backs off and decides to first befriend the staff member. She cracks jokes, divulges a bit of information about herself, and confides in the staff member. After a few minutes the staff member is more comfortable: "What was it you needed?" The social engineer now has a computer on which she can install malware, steal data, or even delete important information.

7. The Fake IT Guy
A social engineer calls someone within the hospital, with the caller ID spoofed so that a hospital phone number is displayed to the recipient, and says, "This is James from IT. I need your username and password." The person gives him the information, and he now has access to the network. He can then take data in the name of the employee, so anything he does is logged against the employee's account rather than his own, making him nigh untraceable.

8. The Pointed Question
A social engineer asks a staff member pointed questions, masking them as casual inquiries. The staff member unwittingly gives her valuable information, such as his supervisor's name, his username, the head of the department, etc. After a few more questions she has enough information to call a different department, name-drop, and get more information.

9. The iPad Walk Out
A social engineer walks into a busy hospital, takes an iPad lying on the reception desk, and walks out. The staff members are too busy with their various responsibilities to notice. He isn't questioned by anyone because he looks like any other person carrying an iPad. The staff doesn't notice the iPad is missing until later. By then, the social engineer potentially has access to PHI and whatever other data was on the device.

See also: Healthcare: Recognize Social Engineering Techniques

How to fight back
While social engineering is a serious problem, there are ways to combat it. Here are my suggestions:

- Train staff members to be aware and suspicious: They should notice if a device is missing. They should be aware of who's working, and they should question anything that looks slightly out of place.
- Train staff members to verify requests: Staff members should verify with supervisors when someone claims they have arrived to work on hospital computers, servers, Wi-Fi, etc. Verify through a contact or phone number you already know, not one supplied by the person making the request, since a displayed caller ID can be spoofed.
- Make each department accountable for security: For most hospitals, it's impossible for the C-suite to train everyone about security. Every department head should regularly discuss security with employees.
- Hire a consultant: If you don't even know where to start, hire a HIPAA consultant to help you boost your hospital security.
- Take advantage of resources: There are webinars, blogs, reports, white papers, and more resources that talk about social engineering, HIPAA security and HIPAA regulations. Research and learn!
- Test your staff: The best way to learn security techniques is to practice them. Get your staff used to social engineering attempts by pretending to be a social engineer (or hire an ethical social engineer). See what they do, and debrief them afterwards.
- Boost your physical security: Keep computers locked, use screensavers, watch your devices, and lock offices when not in use. Taking small measures will help prevent social engineers from gaining easy access.

The biggest way to fight back against social engineering is proper, regular staff training. It's true that training means some downtime, but it's critical to your patient data and your organization's brand that your staff members know how to handle social engineering. Onboarding and annual training isn't enough! Schedule quarterly, or even monthly, training.

See also: HIPAA Training Video: Essential Healthcare Compliance Training

Today, staff members who aren't well versed in security are a liability. Hospitals need both systems and people that are active and aware.