SOCIAL ENGINEERING AS AN EVOLUTIONARY THREAT TO INFORMATION SECURITY IN HEALTHCARE ORGANIZATIONS
Information security in healthcare settings is overlooked even though it is the sector most vulnerable to social engineering attacks. Theft of hospital data must be monitored closely because that data contains patients' confidential health information; if leaked, it can affect patients' social as well as professional lives. Hospital data systems also hold administrative data and employees' personal information, which, if compromised, can lead to identity theft. The current paper discusses the types and sources of social engineering attacks in healthcare organizations. Social engineering attacks occur more frequently than other malware attacks, so it is crucial to understand what social engineering is and which vulnerabilities it exploits in order to understand the prevention measures. The paper describes types of threats, potential vulnerabilities, and possible solutions to prevent social engineering attacks in healthcare organizations.
Keywords: social engineering, hospitals, healthcare organizations, information security.
1. As an author you (or your employer or institution) may do the following:
- make copies (print or electronic) of the article for your own personal use, including for your own classroom teaching use;
- make copies and distribute such copies (including through e-mail) of the article to research colleagues, for the personal use by such colleagues (but not commercially or systematically, e.g. via an e-mail list or list server);
- present the article at a meeting or conference and to distribute copies of the article to the delegates attending such meeting;
- for your employer, if the article is a ‘work for hire', made within the scope of your employment, your employer may use all or part of the information in the article for other intra-company use (e.g. training);
- retain patent and trademark rights and rights to any process, procedure, or article of manufacture described in the article;
- include the article in full or in part in a thesis or dissertation (provided that this is not to be published commercially);
- use the article or any part thereof in a printed compilation of your works, such as collected writings or lecture notes (subsequent to publication of the article in the journal); and prepare other derivative works, to extend the article into book-length form, or to otherwise re-use portions or excerpts in other works, with full acknowledgement of its original publication in the journal;
- reproduce or authorize others to reproduce the article, material extracted from the article, or derivative works for the author's personal use or for company use, provided that the source and the copyright notice are indicated.
All copies, print or electronic, or other use of the paper or article must include the appropriate bibliographic citation for the article's publication in the journal.
2. Requests from third parties
Although authors are permitted to re-use all or portions of the article in other works, this does not include granting third-party requests for reprinting, republishing, or other types of re-use.
3. Author Online Use
- Personal Servers. Authors and/or their employers shall have the right to post the accepted version of the article, a pre-print version of the article, or a revised personal version of the final text of the article (to reflect changes made in the peer review and editing process) on their own personal servers or the servers of their institutions or employers without permission from JAKI;
- Classroom or Internal Training Use. An author is expressly permitted to post any portion of the accepted version of his/her own articles on the author's personal web site or the servers of the author's institution or company in connection with the author's teaching, training, or work responsibilities, provided that the appropriate copyright, credit, and reuse notices appear prominently with the posted material. Examples of permitted uses are lecture materials, course packs, e-reserves, conference presentations, or in-house training courses;