In Honor of Kevin Mitnick: What Healthcare Must Learn About Social Engineering

This article was developed by Fortified Health Security experts, Don Kelly, Troy Cruzen, and Bob Thurner, drawing from their real-world experience in vCISO management and consulting roles.

Kevin Mitnick was once the most wanted hacker in the U.S. and taught us one critical truth: people, not systems, are the easiest way in. On August 6, National Social Engineering Day, we reflect on how hospitals and healthcare systems remain uniquely vulnerable to manipulation-based attacks and what we must do now to adapt.

Why Social Engineering Threats Hit Healthcare So Hard

  • Fast-paced, high-stakes environment: Split-second decisions, interruptions, and stress create prime conditions for manipulation.
  • Dispersed access points: Call centers, nurses’ stations, and third-party vendors are all social engineering gateways.
  • Trust-based culture: Healthcare workers are trained to help; attackers exploit this compassion.
  • Over 60% of healthcare breaches begin with phishing or related human-centered exploits (HHS, Verizon DBIR).

How Mitnick Did It

Kevin Mitnick exploited the weakest part of any system: human trust. He bypassed firewalls and passwords not by hacking code, but by impersonating employees, bluffing tech jargon, and persuading and confusing people to give up credentials, access, or information. These tactics are now known as pretexting, vishing, and dumpster diving. His techniques still work today because technology evolves faster than human behavior, and many healthcare workers are trained to help, not to suspect.

As Preston Duren, VP of Threat Services, and others have said in previous monthly roundtables: “Hackers don’t hack in, they log in.”

Common Healthcare Social Engineering Vectors

  • Phishing & Business Email Compromise (BEC)
  • Vishing (voice phishing) targeting front desk/help desk or nurses
  • Tailgating in clinical & critical areas
  • Vendor impersonation (biomed techs, IT contractors)
  • Pretexting and fake support desk calls

Case Example:
A threat actor impersonated a PACS vendor and gained access via remote support. The result was the exfiltration of radiology data, a breach notification, and a loss of trust that impacted patient and clinician confidence alike.

Tiered Recommendations: Building Your Human Firewall

1. If You’re Doing Nothing: Start Here

Goal: Establish foundational protections with minimal lift.

  • Launch a short, healthcare-specific phishing training for all staff.
  • Use Kevin Mitnick’s legacy to socialize the risk: posters, huddles, emails.
  • Mandate reporting: “If you see something suspicious, report it — no punishment.”

2. If You’re Doing the Basics: Elevate

Goal: Mature beyond checkbox training.

  • Implement role-specific social engineering modules (e.g., call center, surgery, HIM).
  • Run quarterly social engineering simulations across modalities (vishing, USB drops).
  • Appoint departmental Security Ambassadors to champion behaviors. This role is not limited to managers or directors; any motivated individual can support a security culture.

Engagement Tactics:

  • Gamify detection: monthly leaderboard or “caught the phish” prizes.
  • Integrate awareness content into existing compliance training or shift handoffs.
  • Hold random drawings with escalating prize tiers for completing training to increase adoption rates.

3. If You’re a Mature Program: Optimize

Goal: Reduce dwell time, increase resilience, and drive measurable culture change.

  • Correlate social engineering click/reporting data with incident response times.
  • Simulate sophisticated multi-vector attacks (email → phone → physical).
  • Track and report behavior change metrics to the board (link to HICP objectives).
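One way to turn the click/reporting correlation and the dwell-time goal above into numbers, as an added example that is not part of the original article: the script below takes constructed phishing-simulation results (hypothetical users and departments) and computes, per department, click rate, report rate, median minutes to report, and the exposure window between the first click and the first report, the interval during which the SOC had no signal that a lure was live.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimResult:
    user: str
    dept: str
    sent: datetime
    clicked: Optional[datetime] = None   # when the user clicked the lure, if ever
    reported: Optional[datetime] = None  # when the user reported it, if ever

T0 = datetime(2025, 8, 6, 9, 0)

def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed sample results from one simulated campaign (hypothetical, not real data).
RESULTS = [
    SimResult("u1", "call_center", T0, clicked=at(4)),
    SimResult("u2", "call_center", T0, reported=at(12)),
    SimResult("u3", "call_center", T0, clicked=at(20), reported=at(25)),
    SimResult("u4", "surgery", T0, reported=at(3)),
    SimResult("u5", "surgery", T0),
    SimResult("u6", "him", T0, clicked=at(30)),
]

def dept_metrics(results):
    """Per-department click rate, report rate, median minutes from send to report,
    and exposure_min: minutes from the first click until the first report.
    0.0 means nobody clicked; None means someone clicked and nobody reported."""
    by_dept = {}
    for r in results:
        by_dept.setdefault(r.dept, []).append(r)
    out = {}
    for dept, rs in by_dept.items():
        clicks = sorted(r.clicked for r in rs if r.clicked)
        reports = sorted(r.reported for r in rs if r.reported)
        if not clicks:
            exposure = 0.0
        elif not reports:
            exposure = None
        else:  # a report that precedes the first click clamps to zero exposure
            exposure = max(0.0, (reports[0] - clicks[0]).total_seconds() / 60)
        out[dept] = {
            "click_rate": len(clicks) / len(rs),
            "report_rate": len(reports) / len(rs),
            "median_min_to_report": median(
                (r.reported - r.sent).total_seconds() / 60 for r in rs if r.reported
            ) if reports else None,
            "exposure_min": exposure,
        }
    return out

def needs_attention(metrics, max_exposure_min=15):
    """Departments to prioritise for role-specific modules: a click with no report
    at all, or a first report arriving later than the target after the first click."""
    return sorted(d for d, v in metrics.items()
                  if v["exposure_min"] is None or v["exposure_min"] > max_exposure_min)
```

Feeding real campaign exports into RESULTS and charting exposure_min per quarter gives the board-level trend the section above asks for.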

Advanced Add-Ons:

  • Add real-time phishing defense tech integrated with EDR/SIEM.
  • Include social engineering metrics in risk registers and the HIPAA Security Management Process.

4. What’s at Risk If You Don’t Take Action

  • Increased downtime from ransomware.
  • OCR penalties due to repeated “preventable” breaches.
  • Lawsuits tied to vendor impersonation and third-party compromise.
  • Worst case: patient harm due to delayed care from disrupted systems.

Make Social Engineering Defense Part of the Mission

Mitnick didn’t hack machines. He hacked people. On August 6, let’s honor his legacy not with fear, but with focus. Train, test, and talk about social engineering in every hospital, every clinic, and every team.
