Scout update
How can I help you?
Social Engineering is the art of persuading another person to unwittingly provide services or information that he or she shouldn't.
In each of our roles here at the hospital, we provide some service to some customer. Depending on the role, the customer may be a patient, a family or another employee of the hospital. We want to provide high-quality service, and periodically we are reviewed on the quality of that service. Unfortunately, it's possible for someone to take advantage of our good deeds.
Each one of us has access to some information, some location or some service that someone else can use. This could be a medical record, access to a building or some kind of support. We give out these items on a daily basis, but it's possible that not everyone we deal with should have these things.
Consider an attorney who is working on a malpractice lawsuit. Under what circumstances would you provide information from a patient's medical record to that attorney? What if the attorney called by phone and claimed to be a clinician currently caring for the patient?
Consider a building that you have to use your ID badge to enter. You are allowed into that building for a certain reason. If you use your ID to go through the door and someone unknown follows you, what access have you given that person? What is in that building that they haven't been trusted with access to?
Another example comes by email, especially email with attachments. There have been several email viruses recently that claim to come from tech support or other official sounding email addresses. When the user clicks on the attachment, the virus installs itself on the computer and sends information from that computer to someone else. When ISD sends out an announcement, we will never request your password, ask you to click on a link or ask you to open an attachment. All necessary information about the announcement will be in the text of the email.
It's important that we be aware of the answers to the following questions as we help people:
- What is it I am being asked for?
- Why is this person asking me?
- How do I know this person is who they claim to be?
- Should this person have access to what they are asking for?
These questions shouldn't make us paranoid but should help us be alert to keep from getting "socially engineered." If the situation doesn't feel right, make sure to get a supervisor or someone else involved.
As always, if you have questions or need more information, contact the Help Desk at ext. 5-HELP or visit the E-Help Web site at http://ehelp/.
