Day two of the Hacking Healthcare workshop here in Long Branch, NJ (read about day one here). I’d like to report that today’s sessions completely set my mind at ease about the security of computer systems – including devices – in healthcare organizations.
But I’d be lying. And I try to never lie.
Instead, I’m so freaked out that I’m ready to climb under my bed and curl up into a fetal ball.
There was so much that Sensato founder and CEO John Gomez covered today that there’s no way I can relay it all in just a few hundred words (but if you want to know more, check out this white paper on healthcare cybersecurity).
So, I’m going to focus on just two areas: social engineering and rational response theory (RRT).
Social engineering is when the bad guys insinuate themselves into your life without you realizing what they’re doing. So, for instance, you post on Facebook about how upset you are that you have to work this weekend because your company has to apply all these patches to its systems. Bingo! The bad guys now know your systems are unpatched and vulnerable.
Or someone researches you online, learns that you have a kid that plays travel soccer, turns up at a game, pretends to be another parent, and in the course of an hour of conversation, learns some pertinent details of your job and even your company’s security system (“I hate having to wear a badge every day”) that they can then use to gain access.
Or they take a photo of you leaving the building with your employee badge, photoshop the photo, make a copy with a new name, and are able to get into your building, wander the offices, and stick a keylogger under your desk to steal all your passwords.
Right now you’re thinking, “Oh, that could never happen to me. I’m too smart for that.” Or, “That’s like something out of a Tom Clancy novel; that doesn’t happen in real life.” Now you’re practicing what Gomez calls Rational Response Theory (RRT). Put simply, we rationalize.
We do it because we’re inherently good and don’t think in the same evil terms as cyber-terrorists, cyber-criminals, and cyber-spies. “It’s hard for a lot of people to go from thinking good to thinking evil,” Gomez said.
Which is why your company has to be on the offensive. Not waiting for a breach, but building up your defenses and response teams before one occurs. Because, as Gomez clearly conveyed over the past two days, it’s not a question of when you’ll be attacked, but how.
Stay tuned for more on the #hackinghealthcare workshop and the steps your healthcare organization needs to take to stay safe, or what you, as a healthcare vendor, need to do to ensure the safety of your customers. And follow our tweets by searching #hackinghealthcare.