The healthcare industry is a frequent target for cybercriminals, and phishing is one of the most common ways they gain access to healthcare networks and sensitive data. The number of successful phishing attacks on healthcare institutions is a serious concern.
Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team conducted a study to determine the susceptibility of healthcare employees to phishing attacks.
For the study, Gordon and his team analyzed data from six healthcare institutions in the United States that used custom-developed tools or vendor solutions to send simulated phishing emails to their employees. The data covered simulated phishing emails sent to healthcare employees between 2011 and 2018: nearly 3 million simulated phishing emails sent in 95 simulated phishing campaigns.
Employees clicked on 14% of those emails. The median institutional click rate per campaign ranged from 7.4% to 16.7%, and one institution recorded a click rate of 30.7% for a single campaign. Across all institutions and all campaigns, 1 in 7 emails attracted a click.
The emails were classified into three categories: office-related, personal, and IT-related. IT-related emails (e.g. password resets, security alerts) were the most successful, with a median institutional click rate of 18.6%. The researchers also found that repeated phishing simulations reduced the likelihood of employees falling for a subsequent phishing email: the more campaigns an institution had run, the lower the odds of a click.
The researchers pointed out that healthcare systems are uniquely vulnerable to phishing attacks, largely because of high employee turnover and a constant influx of new employees who may not have had any previous cybersecurity training. High endpoint complexity (the large number and variety of devices connected to healthcare networks) was also cited as a factor that makes healthcare institutions vulnerable to phishing attacks.
The researchers concluded from the high click rates that phishing is a major cybersecurity risk in healthcare.
To counter the threat from phishing the researchers suggest three tactics:
Use of spam filtering technology to prevent malicious emails from reaching employees' inboxes
Decrease the value of credentials by implementing multi-factor authentication
Improve security awareness through training and phishing simulations.
Don't leave your staff unprepared. Train new employees promptly and retrain all employees annually. For expert training for your staff, contact HIPAAcraticRx.
The report – Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions – was recently published in JAMA Network Open.