
How to Protect Your Medical Group’s Private Information

November 21, 2011 | July 23rd, 2013

Recently our company was contacted by a representative from a medical group with concerns that someone was spying on them. Medical groups can be prime targets for spying from other medical groups, insurance companies, subcontracted agencies overseeing disability and workman’s comp, and pharmaceutical companies.

This representative had two reasons for suspicion. The first was that someone was wandering around the building with access to different offices. Employees assumed this person was a tech and didn’t pay them any mind at first. The second was that their phone system wasn’t working properly.

Security breaches in this new medical facility plus untrained employees led to a spy using a social engineering attack technique called pretexting. Social engineering is the art of manipulating people into performing actions or divulging confidential information. With pretexting, the criminal creates and uses an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that they would not ordinarily do.

Pretexting can also be used to impersonate co-workers, or any other individual who could have perceived authority or right-to-know in the mind of the employee. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet.

With access to the facility, a criminal can plant spyware and bugging devices and has opportunities to steal confidential information. The criminal can also manipulate the phone system, creating the perfect eavesdropping scenario.

Here are a few ways you can be tricked into allowing unauthorized people into your facility and giving them your confidential information.

Criminals project confidence and act like they belong in your building. If someone were walking around looking nervous and glancing from side to side, employees would be able to tell that they don’t belong. The most important thing criminals do if they’re trying to blend into any environment is to look like they belong there. They walk confidently, like they know where they’re headed, and acknowledge people, the way you would in your own office. Subconsciously, employees believe that the criminal belongs there.

Be conscious of “tailgating.” The best way to get into a medical building is to go in behind someone else. This is a serious security issue for medical offices with restricted access. It’s easy for someone to slide up to the door when an employee is going in and grab it as it closes, to beg the person going in to hold it for them, or—more often—they just walk through while the person ahead of them walks in. Most of us would consider it rude to slam a door on someone or let an elevator close when someone is just a step behind us, especially if it’s a secure door where you would otherwise have to fumble for a keycard or other device to get in, so we do the nice thing and hold it open.

Criminals who have some familiarity with the medical office will dress the part. Employees can more quickly point out a criminal who does not dress at or slightly above the dress code for the office environment. Fewer people will question a person wearing a button-down shirt and slacks in an office full of polo shirts than will call out the guy wearing cutoff jean shorts and a t-shirt in the same office. Employees should watch for people who are both overdressed and underdressed.

Train employees to be curious and ask questions. Spies might ask employees for directions, what they do, whose team they’re on, how that is going, and if recent changes in the department have impacted them at all.

Unfortunately, these criminals won’t stand out when they have a relatively upbeat and positive demeanor compared to someone who’s hunched over, shifty-eyed, and ducking around corners.

You can install the best security systems in the world, but if your employees are not trained, your competition, insurance companies, pharmaceutical companies, or contractors for government agencies can steal confidential information that is detrimental to your medical group’s survival. A spy quietly listens and watches. They may spy for several months or until they have gathered enough information on your business to use to their advantage. A parasite will watch you for as long as it is profitable for them. Don’t let them profit from your business.

If your instincts are telling you that something is not quite right, you are suspicious, or your senses are otherwise alerted, contact us before it’s too late. It is best to call us when you suspect something so we can judge whether you only need advice or need our immediate attention and a fast response, quickly and covertly activated. Let us set a trap or conduct a sweep to catch the spy.

To determine your risks and prevent security breaches in the future, M. Guadagno Associates can perform a Penetration Check and a Vulnerability Assessment.