Social engineering in a healthcare context
Blog post August 2019, by Christiaan Hillen, Security Specialist at Secura
While still studying at Radboud University, in my side job as a librarian at the Science faculty, I once got a call that started out like this:
"Hello, I'm Dr. James, oncology ward, and I would like to talk to you about Mrs. Jones, a patient currently presenting to me with ..."
This was a doctor in the Radboudumc hospital, dialing the wrong internal number and ending up wanting to discuss a patient with me. I immediately stopped him and explained that I was not who he was expecting. Had I not done that, I might have gotten a lot of information about Mrs. Jones that I did not want to have.
Some ten years earlier, I was working as a therapist in a geriatric rehabilitation center. One of my patients had a complex fracture of her tibia, and I was wondering what the fracture actually looked like, as this might influence the therapy I wanted to give her. A quick phone call to the hospital explaining who I was and giving my patient's name and date of birth was enough to receive a CD-ROM with X-ray images and some information in the mail. No formal identification was needed.
They want to help
Just two examples of how easily you can get information, either by not stopping someone from giving it to you, or by actively asking. Social engineering is one of the most effective ways of getting information, and the healthcare sector is no different in that respect. People working in healthcare mostly do so for the same reason: they care, and want to help people in need. Reaching out as a healthcare professional to another healthcare professional will almost always lead to help being offered. I consider it a great strength, but it may be exploited.
Of course, doctors won't be calling your number on a regular basis, but there is nothing stopping you from calling them directly, sending an email, or otherwise reaching out. To obtain information, you need two things: details about the patient you want information about, and the proper language to convince the 'other side' that you are also a healthcare professional. Things have changed in recent years, though: everyone is much more aware of privacy issues, and I doubt it is as easy today as it was ten years ago. Nevertheless, some basics still apply when social engineering in healthcare.
Seeking common ground
Healthcare professionals are highly skilled at recognizing social engineering attempts, in particular those in the first line of defense: the receptionists. Getting past these is tricky, but as with all social engineering, once you are past them, or can even get them to assist you in your quest, you're all set. There are no proven techniques, no perfect lines to say in order to achieve success; there are only rough guidelines and suggestions, as I already mentioned.
Seek the common ground, explain a fictive problem, believe the problem, and rehearse your monologue and possible dialogues. If you are social engineering over the phone, be sure to have a piece of paper ready to make notes of any details you make up on the spot, to keep track of your act. On that same piece of paper, make sure to note down crucial details such as name, date of birth, and your relation to the patient or doctor. Even so, in most cases you will be stopped by the receptionists, who will state that they simply cannot give you the information. Sometimes you have to admit defeat.
The White Coats
Large hospitals are one of the easier targets out there: hundreds of doctors and other employees walking around in a public building. Yes, hospitals are public buildings, insofar as anyone can walk in and reach all the way into patients' rooms. There are closed sections, but some tailgating will help with that. If you can get your hands on the uniform of healthcare, the white coat, this will immediately help your credibility and open doors for you. Before using it, however, also take note of possible logos on these coats and the tendency to stuff the pockets with things. Where do people wear their badges, and in which orientation? Because there are so many white coats in the building, not everyone recognizes their colleagues; you're just another white coat, if you wear it right.
Before attempting this, you will need to stake out the hospital, and get an idea of its peculiarities and procedures. Move with confidence and purpose, use your smartphone to document what you see and hear. For instance, you might be able to film someone entering a door code and use the recording to determine the proper code. And bring along a small floral arrangement, or a colleague who you can place in a wheelchair you get at the main entrance. Remember, purpose and confidence, you have a reason for being here.
A different form of dumpster diving
Getting back to the white coats: where do you get those? Especially for coats with logos on them, there are only three sources along the chain: manufacturing, distribution, and disposal. Someone is making these coats for the hospital, so maybe you can social engineer them for one, although this may be difficult and raise some flags. Next up would be the internal distribution centre of the hospital. At least in the hospitals that I sometimes legitimately visit, the cleaning crew wears the same uniform as the nurses, so it may be easier to pose as a new cleaner and get a uniform that way.
The last possibility is to obtain a uniform on its way to the laundry. Large hospitals have their own laundry facilities for bed linen and other items that are regularly soiled. Yes, it is a bit questionable, but stealing laundry might just be your ticket to a White Coat, and much easier than ten years of medical school. Stating the obvious, but wear gloves, stuff the coat in a plastic bag, and wash it properly before use, and do so at your own risk.
A social engineering attack on a hospital can have a severe impact on the trust patients have in that hospital. Be aware of this before you start: what you are about to do may have an impact on someone's health, literally. I can't state this in strong enough words; this is the one environment where you really do not want to mess up. What is your target going to be? Do you want to obtain information about a particular individual, exfiltrate patient files in bulk, get a foothold in the network, or get access to a particular system?
The defender perspective
Given the possibilities I have described, how likely is your hospital to be successfully targeted by social engineering? How likely is it that someone obtains a white coat from the laundry, plugs a new device into the network without being noticed, or gains access to areas they should not be in, just by walking along?
We can help and train your staff, or perform a preliminary check to see where you are vulnerable. Contact one of our experts to identify your needs and come up with a solution that fits your question.
Join our workshop "Protecting vital assets, the art and science of working with medical data" - 16 January 2020 - Free admission
In order to improve awareness, Secura will conduct, within the context of ASCLEPIOS (Advanced Secure Cloud Encrypted Platform for Internationally Orchestrated Solutions in Healthcare), periodic workshops dedicated to the protection of medical data. The first of this series of workshops will take place on 16 January 2020 at the Secura office in Eindhoven, the Netherlands. This workshop, themed "Protecting vital assets, the art and science of working with medical data", will focus on the current limitations concerning the collection, storage and access of patients' sensitive medical data, and on how ASCLEPIOS attempts to solve these. Admission to the workshop is free of charge, with the aim of bringing together both technical and non-technical personnel involved in medical data processing. Registrations for this workshop can now be made at https://www.secura.com/asclepios-awareness-workshop.