Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks

The healthcare industry is being targeted by cybercriminals and phishing is one of the most common ways that they gain access to healthcare networks and sensitive data. The number of successful phishing attacks on healthcare institutions is a serious concern.

At HIMSS19, OCR highlighted email as being the main location of breached ePHI and the high risk of data breaches from phishing attacks.

Could the high number of successful phishing attacks be mostly down to the industry being targeted more than other industry sectors, or are healthcare employees more susceptible to phishing attacks? A recently published study has provided some answers.

Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team conducted a study to determine the susceptibility of healthcare employees to phishing attacks.

For the study, Gordon and his team analyzed data from 6 healthcare institutions in the United States that used custom-developed tools or vendor solutions to send simulated phishing emails to their employees.

The researchers analyzed data from simulated phishing emails sent to healthcare employees between August 2011 and April 2018. The data set included 2,971,945 simulated phishing emails that had been sent in 95 simulated phishing campaigns.

422,062 of those emails (14.2%) were clicked by employees. The median institutional click rate ranged from 7.4% to 16.7% per campaign. One of the institutions had a median click rate of 30.7% for one of its campaigns. Across all institutions and all campaigns, 1 in 7 emails attracted a click.

The emails were classified into three categories: office-related, personal, and IT-related. IT-related emails (e.g. password resets, security alerts) were the most successful, with a median institutional click rate of 18.6%.

The researchers did not find any significant association between the year that campaigns were conducted and click rates, but they did determine that repeated phishing simulations reduced the likelihood of employees falling for a subsequent phishing email.

At institutions that ran between 6 and 10 simulated phishing campaigns, the odds of a click on a phishing email were lower (odds ratio 0.511), and lower still (odds ratio 0.335) at institutions that conducted more than 10 campaigns.
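As an added example, not taken from the study or this article, the script below shows how a security-awareness team could compute the same three measures from its own simulation results: the overall click rate, the median per-campaign click rate by institution or email category, and the odds ratio of a click in repeated campaigns relative to earlier ones. The campaign data and the threshold for "repeated" campaigns are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of simulated-phishing campaign results (not the study's data).
# Each row: institution, campaign number within that institution, email category,
# emails sent, emails clicked.
CAMPAIGNS = [
    ("A", 1, "IT",       1000, 250),
    ("A", 2, "office",   1000, 150),
    ("A", 3, "personal", 1000, 120),
    ("A", 4, "IT",       1000,  80),
    ("B", 1, "IT",       2000, 500),
    ("B", 2, "personal", 2000, 300),
    ("B", 3, "office",   1600, 200),
]

def overall_click_rate(rows):
    """Fraction of all simulated emails that were clicked (the study's 14.2% figure)."""
    sent = sum(r[3] for r in rows)
    clicked = sum(r[4] for r in rows)
    return clicked / sent

def median_rate_by(rows, key_index):
    """Median per-campaign click rate grouped by a column (0 = institution, 2 = category)."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[key_index]].append(row[4] / row[3])
    return {key: median(rates) for key, rates in groups.items()}

def click_odds_ratio(rows, first_repeat_campaign):
    """Odds of a click in campaigns numbered >= first_repeat_campaign (employees who
    have already seen earlier simulations) divided by the odds in earlier campaigns.
    A value below 1 means repeated simulations are associated with fewer clicks,
    which is how the study reports its 0.511 and 0.335 figures."""
    counts = {True: [0, 0], False: [0, 0]}  # repeat? -> [clicked, not clicked]
    for _, number, _, sent, clicked in rows:
        bucket = counts[number >= first_repeat_campaign]
        bucket[0] += clicked
        bucket[1] += sent - clicked
    (rc, rn), (bc, bn) = counts[True], counts[False]
    return (rc / rn) / (bc / bn)

if __name__ == "__main__":
    print(f"overall click rate: {overall_click_rate(CAMPAIGNS):.3f}")
    print("median rate by institution:", median_rate_by(CAMPAIGNS, 0))
    print("median rate by category:", median_rate_by(CAMPAIGNS, 2))
    print(f"odds ratio, campaign 3 and later: {click_odds_ratio(CAMPAIGNS, 3):.3f}")
```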

The researchers pointed out that healthcare systems are uniquely vulnerable to phishing attacks, largely due to a high turnover of employees and a constant influx of new employees who may not have had any previous cybersecurity training. High endpoint complexity was also cited as a factor that makes healthcare institutions vulnerable to phishing attacks.

The researchers concluded from the high click rates that phishing is a major cybersecurity risk in healthcare.

To counter the threat from phishing, the researchers suggest three tactics:

  1. Use spam filtering technology to prevent phishing emails from being delivered to employees.
  2. Decrease the value of stolen credentials by implementing multi-factor authentication.
  3. Improve security awareness through training and phishing simulations.

The report, Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions, was published in JAMA Network Open on March 8, 2019. DOI: 10.1001/jamanetworkopen.2019.0393.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.