VUMC staff with access to patient records should be on alert for remote social engineering attacks targeting VUMC patient data. Social engineering is the (illegal) art of manipulating people like you into giving up sensitive information. In this case, attackers may claim to represent a third-party healthcare institution with some relationship to a patient’s care at VUMC, such as a pharmacy, another hospital, an urgent care, or another specialty clinic.
These social engineering attacks can take many forms, including:
- Email-based attacks (or traditional “phishing”)
- Mobile text-based attacks (or “smishing”)
- Voice-based attacks (or “vishing”)
- Fax-based attacks (or “fax-based phishing”)
In all cases, if the situation “just doesn’t seem right,” workforce members should follow their suspicions, consult a fellow staff member or manager for a second opinion, and/or report the situation to the VUMC IT Help Desk and request it be escalated to VUMC Enterprise Cybersecurity for further review.
Some potential indicators of which to be aware:
- The attackers may already have some personal information about the patient, such as address and phone number, and in worse cases more sensitive information such as date of birth and/or Social Security Number
- The attackers may already know a third-party medical provider who represents the patient outside VUMC, such as a primary care physician
- The attackers will not have authorization to access patient data, nor will they have direct VUMC patient records (MRNs, etc.)
- The email addresses, phone numbers, and/or fax numbers provided may not match the organization that the attacker claims to represent
- When engaged via voice communications, the attackers may not answer with a greeting that indicates they represent the claimed organization
- When denied access to the VUMC patient data, the attackers may become frustrated or belligerent
Because of your continued vigilance, we have decreased the number of successful attacks on the Medical Center in the past year.