
Hacking Humans: A Nurse's Perspective

BSides London · 21:53 · 343 views · Published 2026-03 · Watch on YouTube ↗
Tags: Style: Talk

Transcript [en]

Hi everybody. My name's Emma. I've been a nurse for about 20 years now. I've done a mixture of both private and NHS, and I've worked in both hospitals and the community. In my current role I'm a forensic nurse. For those that don't know what that is, I work alongside the police in a custody setting. So today I'm going to talk to you about hacking humans from a nurse's perspective, she says.

So, the agenda: we're going to talk about social engineering tactics, infiltrating healthcare systems, cyber attacks and their impact in healthcare, the need for training in healthcare, and protecting healthcare staff in the event of a cyber attack.

So what social engineering tactics are most commonly used? The most commonly used are phishing emails, impersonation and baiting. The most common form of social engineering targeting healthcare workers, departments, CEOs and managers is phishing emails, because they're easy to deploy and they look like in-house emails. In a busy nursing environment these are easily mistaken for legitimate emails. Spear-phishing emails are used to trick employees, making an email appear that it's from management, for example asking about specific medical devices or asking the wards for monthly stats on ward budgets. This is something I created, and I got AI to design it. So if it's easy for me to do, how easy is it for the everyday attacker?

Impersonation of a healthcare worker. We can get this in person, whereby they will gain access to wards and departments claiming that they're internal staff members, using fake ID and wearing uniform, stating they want to conduct an audit and will need to access patient data. They may also create fake emails or voice messages that mimic the communication style of a staff member in order to gain information. The attacker might impersonate a senior IT manager claiming that they need immediate access to patient records or data. Another tactic that might be used is gaining the credentials of a healthcare worker. These are easily obtained: you can simply look up the social media accounts of people that you know work in a healthcare setting, and by a simple telephone call you may be able to enquire about patient details or gain other confidential information. However, I have experienced good defence against this, where a call-back was suggested to me by the healthcare provider before any information was given via telephone, to confirm my place of work.

Baiting involves offering something quite enticing to lure individuals into compromising their security, often playing on human curiosity or the desire for free stuff. This may include leaving malicious USB drives in waiting rooms or around offices, obviously if you had an inside threat actor. It can also be something like free software or media tools, such as educational tools or free medical imaging software, which would be easy to download if you had an employee that wasn't aware. And also those lovely pop-ups that we get, which might be advertising free PPE supplies.

Okay. So, infiltrating healthcare systems and the behavioural patterns. Phishing attacks: impersonating senior clinicians or IT staff, sending emails marked urgent, requesting login credentials or immediate action on critical patient data. Staff often comply without verifying, due to hierarchical pressures or time constraints. Social engineering: cyber criminals research staff names and roles, and then craft messages that mimic internal communications like shift changes or rota updates. Familiarity lowers suspicion, especially in busy environments like A&E or a custody setting. Tailgating access: in some cases attackers may gain entry to restricted areas by posing as contractors or delivery personnel. Once inside, they may exploit unattended terminals or plug in malicious USB devices, relying on staff's trust and routine behaviour.

So, digital literacy (I'll get my words out in a minute). Staff often receive attachments labelled "lab results" or "referral letters", and those can contain malware. Limited training on file authenticity and email hygiene leads to downloads without scrutiny. Credential harvesting and fake login portals: attackers can send spoofed links to NHS or company login pages. Staff unfamiliar with URL verification or browser security indicators enter credentials, granting attackers system access. And this is the most popular one: password hygiene. We're well renowned for it in our profession. Reused or weak passwords are very common amongst healthcare staff. Attackers may use brute force or credential stuffing techniques, especially when staff are unaware of password managers or MFA.

So, some of the cyber attacks that have happened, mainly this year and last year. This was a ransomware attack at King's College Hospital in London, and a patient actually died unexpectedly during this cyber attack, which was on the 3rd of June 2024; it also disrupted more than 10,000 appointments. Some of the contributing factors to this were that there was a long wait for blood tests, due to the cyber incident affecting the pathology services. For those that don't know what pathology services are, they are where we send our blood tests so we can get your blood results. It also, like I say, led to 10,000 appointments being cancelled at two London hospitals. A significant number of GP practices in London were also unable to order blood tests for their patients. Patient data, which is managed by Synnovis, an agency which manages the labs for the NHS trusts and GPs in south-east London, was also stolen in this incident.

This next attack was a man who was accused of impersonating a nurse at the Queen Elizabeth Hospital in Glasgow, Scotland. This campus has a children's unit, a maternity unit and two A&E departments. This gentleman's name was Lee Woods. He was allegedly impersonating a member of nursing staff and was accused of wearing NHS uniform with a lanyard and false ID badges, claiming that he held the position of a charge nurse. He had accessed the hospital on at least four occasions between March and the date of his arrest in 2023. Their compromises.

And then this last attack actually affected me personally. This is the HCRG Care Group attack. This is a company I used to work for, and the ransomware group Medusa listed HCRG on the dark web and claimed to have compromised it; they stole, I think it was, more than two terabytes of data back in February 2025. This included all employees' personal information, records, government IDs, and documents such as passports and birth certificates.

So what is the impact on the healthcare setting, in a hospital setting? It reduces the capacity of the hospital. There are longer waits in A&E departments, as if they're not long enough. Disruption to the provision of elective services, i.e. both inpatient and outpatient appointments, admissions, surgeries and procedures. So what effect does it have on a GP surgery? For a GP surgery, it reduces the ability to schedule appointments. Sorry, I'm having technical difficulties here. Access to patient data and the computer systems. My word. They may have to cancel existing appointments, and there is reduced availability of GP appointments.

Inability for GPs to make ongoing or new referrals to specialist teams, and also the inability for GPs to issue prescriptions. So how much are cyber attacks costing in healthcare? Hacking the healthcare setting not only causes massive disruption and inconvenience; it's costly, it's time-consuming, it puts patients at risk, and in some circumstances it results in death. For a hospital attack it costs an estimated 11.14 million, occurring three times a year. For a GP attack, the cost to the practice is 20,000, with an average of 37 incidents.

So how do we bridge the gap between the clinical world and the IT world, with the IT world ever evolving and AI now imminent? The how. So, don't translate, just train. Clinicians speak in care pathways; IT speaks in systems and protocols. We need to use analogies that resonate: firewalls are like PPE for your data, or MFA is like the keys to your drug cupboard. Relate the two worlds. Avoid jargon overload. Replace acronyms with purpose: instead of "implement SSO with MFA", say "make login faster and safer using one secure method". We know our jargon, you know your jargon, but we don't know each other's. Build cross-functional relationships. Create a cyber champion within clinical teams: nurses, paramedics and custody staff who understand both worlds and act as translators and advocates. Invite IT into clinical spaces. Let them shadow ward rounds, observe custody workflows, or join MDT meetings. Use scenario-based learning: role-play phishing, tailgating and spoof portals. Make training tactile and relevant, e.g. "what would you do if somebody followed you into the drug room?" Simulate downtime protocols. Practise what happens when systems fail: how you document, escalate and protect patients. Align goals, safety first. Frame cyber security as patient safety. It's not about compliance; it's about protecting vulnerable people, maintaining continuity of care and preserving trust. Use shared metrics: instead of the number of blocked threats, report the number of patient records protected or minutes of downtime avoided. Co-design solutions. Sorry.

Co-design solutions: involve clinicians in technical decisions, from login workflows to alert systems. Their input ensures usability and adoption. Pilot and iterate: test new protocols in real settings, custody suites, community clinics and wards, and refine based on feedback.

Protecting healthcare staff in the event of a cyber attack. Build and prepare before the attack. Training and awareness: run scenario-based exercises, e.g. phishing mock-ups and tabletop exercises. Teach staff how to spot suspicious emails, fake login portals and unusual system behaviour. Clear protocols: establish downtime procedures for clinical documentation and medical administration. Ensure staff know who to contact, i.e. the IT security hotline, and what not to do, e.g. plug in USBs or share credentials. Access control: enforce strong passwords, multi-factor authentication (MFA) and role-based access. Limit admin rights to reduce accidental exposure.

How do we protect staff during the attack? Communication channels: provide secure alternative communication methods, e.g. radios, paper, emergency phones. Share clear, non-technical updates so staff don't panic or spread misinformation. Clinical continuity: switch to paper-based documentation if healthcare systems are unavailable, which we do do. Use backup systems for critical services such as labs, imaging and prescriptions. Psychological safety: we need to reassure staff that reporting incidents won't lead to blame. Offer immediate support; we could have IT floor-walkers who can guide staff in real time.

Recovery and support after the attack. Debrief and lessons learned: we need to hold structured reviews and debriefs within the clinical and IT teams to identify gaps, and share findings openly to build trust and improve resilience. Well-being and support: we need to recognise the stress that cyber attacks cause, especially if patient care was disrupted, and provide counselling and peer support for the staff affected. Continuous improvement: we need to update training materials with real-world scenarios and strengthen vendor contracts and supply chain security.

In any organisation, regardless of cyber security mindset or profession, human health and safety must always be the number one priority. Let's commit to putting people first, review practices, champion a culture of safety, and ensure every decision keeps human well-being at the forefront. Thank you very much, everybody.

>> Would you like any questions? Yeah. If you've got any questions, sorry.
>> Yeah. Yeah.
>> Sorry, I didn't realise you had...
>> Yeah. I was like, do you want questions? Sorry.
>> Yeah. Yeah. Yeah.
>> Hi, thank you so much for your talk. I didn't realise that physical attacks and exploitation were present in the healthcare industry. What place is there for IT or security teams to be able to advise on some of the more physical-bound risks of infiltrators or impersonators in healthcare settings, as well as other public sector settings?
>> It's a good question, because I don't think IT would supply our ID cards and stuff, granted, but it would be tricky. It's something that has to be manned by security, I think, at the front door, because as you know as well as I know, people can have fake ID cards. How security, how IT could do it, I don't know; whether you could have a special emblem maybe on the card, you know, like the holographic stickers or something like that. Maybe that might distinguish it. I don't know. I don't know much about ID cards, to be honest. I'm not an expert in that area. But maybe something that's quite distinctive to a trust that couldn't be replicated by the hacker, or the attacker should we say, because I can't call you hackers. So...
>> Call me a hacker. I'll get offended.
>> Thanks.

>> I think we've got another question. Oh...
>> Yeah.
>> Oh, I'm sorry. Apologies. Sorry.
>> You are.
>> Thank you. That was a great talk, thank you. In your experience, having worked in different environments within healthcare, how do you view being within a custody suite environment? I cannot imagine the pressure and the stress of that environment versus any other healthcare environment. Do you see different security challenges or different controls that you have to apply, given that not only is it confidential data, people are, you know, poorly, but also there's that criminal evidence side of things that can kind of change things? Is there something different that you have to apply in that situation, or...
>> Again, it's not different. Stuff like tailgating: it's very hard to get into police custody, usually, because it's like Fort Knox, unless you've got that ID swipe. Hospital settings are very different. Anybody can walk into a hospital and, like that incident with that chap, just claim anything; you can get uniforms online, people can get hold of NHS lanyards, you know. So the principles are probably the same, but it's a lot tighter in custody. What was the rest of your question? It was quite long.
>> Just whether there was anything else, as a healthcare professional, that you have to treat the data in a different way. I suppose you're treating all your patients equally.
>> Yeah. I mean, staff have to have an element of clearance as well to get in to do these roles. And we use similar, you know, MFA. I don't know from a police side what they use IT-wise, but on our side we've got patient records; it's a tricky one. So I think anything computer-wise is always going to get hacked. Anything that's... the only thing that doesn't get hacked is paper. Unfortunately in life...
>> It gets stolen.
>> Sorry, it does, it does get stolen. Yes, you are right. It does get stolen. We try not to. But yes, I think it's a tricky one to manage, but nothing's done too differently. The principles, I think... there are tighter restrictions, probably, in the IT department on who has access to what records and what information.
>> So yeah.
>> All right.
>> There... can I...
>> Are we good? Yeah, I think we're good.
>> Yeah, okay, thank you.
>> Thank you very
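The talk's credential-harvesting point (spoofed links to NHS or company login pages, and staff who are unfamiliar with URL verification) is a check that can be automated, whether in a mail gateway or in a quick triage script an IT floor-walker runs on a suspicious email. The block below is an added example and is not code from the talk or the speaker: it classifies links against a hypothetical allowlist of legitimate login hosts (TRUSTED_DOMAINS) and flags the tricks a spoofed portal relies on, such as a trusted name embedded in an attacker's domain, user info before '@' that hides the real host, one-character lookalikes, and punycode or non-ASCII homoglyph hosts. The allowlist, the host names and the sample links are all constructed for illustration.

```python
"""Triage links from a suspected phishing email against an allowlist of
legitimate login hosts.

Added example; not code from the talk or the speaker. The allowlist and the
sample links below are constructed for illustration.
"""
from typing import Tuple
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts staff should ever type a password
# into. A real deployment would maintain its own list.
TRUSTED_DOMAINS = ("nhs.net", "nhs.uk", "login.microsoftonline.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'nh5.net'-style one-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return ("trusted" | "suspicious", reason) for one link.

    The checks mirror the tricks described in the talk: a spoofed portal on
    a different domain, a trusted name embedded in an attacker's domain,
    credentials smuggled before '@', and homoglyph/punycode hosts.
    """
    parts = urlparse(url.strip())
    if parts.scheme.lower() != "https":
        return "suspicious", "not https"
    if "@" in parts.netloc:
        # https://nhs.net@evil.example/ connects to evil.example, not nhs.net
        return "suspicious", "user info before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if not host:
        return "suspicious", "no host in URL"
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "suspicious", "non-ASCII or punycode host (possible homoglyph)"
    for t in trusted:
        # Exact host or a genuine subdomain (portal.nhs.net); a prefix such as
        # nhs.net.evil.example does NOT end with ".nhs.net" and so fails here.
        if host == t or host.endswith("." + t):
            return "trusted", f"host is {t} or a subdomain of it"
    for t in trusted:
        if t in host:
            return "suspicious", f"trusted name '{t}' embedded in another domain"
        if edit_distance(host, t) <= 2:
            return "suspicious", f"lookalike of '{t}'"
    return "suspicious", "host not on the allowlist"


# Constructed sample links, as they might appear in a spoofed "IT" email.
SAMPLE_LINKS = [
    "https://portal.nhs.net/login",
    "http://portal.nhs.net/login",
    "https://nhs.net.account-verify.example/login",
    "https://nhs.net@evil.example/login",
    "https://nh5.net/login",
    "https://xn--nhs-abc.net/login",
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to its (verdict, reason)."""
    return {u: classify_link(u) for u in links}


if __name__ == "__main__":
    for u, (verdict, why) in triage().items():
        print(f"{verdict:10} {u}  ({why})")
```

Running it prints one line per sample link; only the genuine nhs.net subdomain comes back as trusted. The script is a triage aid, not a substitute for MFA and the call-back the speaker describes: a freshly registered domain on an unrelated name will only show as "host not on the allowlist", which is the right default for anything that asks for a password.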