Personally, identifiable information (PII) is protected and precious to hackers, even more, valuable than the basic PII (name, address, phone number), is personal medical information. What it is called “a hacker’s roadmap to your life, ” and in 2010 the economic impact of this type of theft cost healthcare industries over $7 billion (Horan, 2016). Part of the problem in protecting this information is the fact that so many organizations and people have accesses to the information. This information is used by hospitals, doctor offices, insurance companies, alarm businesses and emergency services.
This situation gives hackers plenty of routes to engineer their way to access the information secretly. For this task, the assignment was to conducted reconnaissance in an organization and determine how easy it would be for a social engineer to gain access. So, without naming local companies. I will explain what is found and how it would be simple to use social engineering to collect PII/medical information from a local hospital, going through a third-party. It should be said, that I have inside knowledge as a former employee of the third party, but any social engineer could perform this reconnaissance and gain access.
The backdoor to having access to the local hospital is the local volunteer fire department (VFD). A Web Search This is one of the largest volunteer departments in the U. S. is the busiest in the state it operates. Statistics found on the website, declare that it has over 250 dedicated members, provides over 2,500 volunteer hours per week and answers to over 20,000 calls for assistance each year (DCVFD, 2017). They have four main stations, operated by paid and volunteer staff during the day time from 6am-6pm and then fully staffed by volunteers 6 pm – 6 am Monday through Friday and then all day Saturday, Sunday, and federal holidays.
On the web, they explicitly list their locations and area of responsibilities. The website explains how to become an active member, without any training, they will provide and pay for training. It encourages local community members to spend a night or weekend at one of their station and ride along (no background check required). Also, found on the web, phone numbers the stations, recruiting staff, and local fire chief and station supervisors. Social media sites are a great way to get to know an organization and its members.
Setting up a fact profile to gain information is on the rise with social engineers (Robinson, 2015). This organization Facebook shows photos and names of members and even show significant events, like their department officer installation, which gives you an idea of who is over what stations and offices in the VFD. It was also very simple to look at and contact members of the department that had open profiles. Looking at their news feeds you made it easy to learn about the internal drama going on in the department. There were also photos on some people’s web pages showing inside and outside of the fire departments.
On two pages, there were pictures of the outside receiving area of the hospital, and the office inside was they complete paperwork. The photos clearly show how the information gathered on a call and recorded in a digital pad is attracted and downloaded into the hospital database. A visit to 4 Stations A visit unannounced visit to the four stations during full volunteer staffed hours, show things have not changed. There are video cameras outside watching the property and front door, once inside the recorders are in unsecured alarm room.
The door has a combination lock on it like all exterior doors, but the door is wide open all the time, giving an intruder once in full access to open workstation connected to emergency services dispatch, all charging and backup medical call digital notepads. The volunteers, are very welcoming, and will gladly give a tour of the station and its vehicles. All emergency vehicles in and out of service are unlocked, and every medical transport vehicle has a digital pad in it. In the back of the ambulances, there is a large sticker on the wall, showing the access code to the emergency room door.
It just so happens that the door code to get in the fire house is one there too and is still the same for all fire houses (Insider knowledge: Unless policies have changed that number is only changed once a year or if there is an identified threat). It is also worth pointing out that as soon as you introduce yourself on a visit, and say you used to work with them, then throughout a few old timer names, volunteers that do not even know you, treat you like a long-lost friend. They will then almost freely answer questions and provide information about who is still in the department and what nights they work.
The Ride Along As informed by the VFD, anyone can go one a ride along, two times a year. While they do background checks on those, who volunteer, just fill out a waiver form for a ride-along no background check. Then for one full shift, which is overnight, you have access to the whole building. They provided you a place to sleep and the security codes to the doors. So, collecting information after people are sleeping is made simple, and no one will see you putting malware on digital pads that download patient reports to the hospital.
Should you go on a call, you then will have access to the hospital ER and workstations in the EMT office. In the hall of the ER, are mobile workstations that nurses and others us to register and record notes on patients. On a very busy night, most of the staff are very busy and do not even pay attention to EMS personnel that are not actively engaged in the hand of a patient. In fact, if you get hold of a work t-shirt, before the night of your ride along, you are treated like staff. The hospital staff has no idea you are just there as an observer for a ride along.
Looking like you belong, is a key to ensuring the people around you are comfortable enough to let you gather information (Granger, 2001). Conclusion In this case, social engineering was used to gain access to a local hospital. However, the efforts to gain that access was not directly at the hospital. Social engineering was used on a secondary source that had access to the hospital. Once in, malware can be planted to access the PII. One is also able to freely enter the place of business, and look as though they belong.
