
Study Shows Value of Phishing Simulation Exercises

A recent report indicates the probability of members of staff responding to a phishing campaign can be effectively reduced to zero if phishing simulation exercises are completed regularly.

The Growing Threat of Healthcare Phishing Attacks

The Office for Civil Rights recently issued its first financial penalty to an organization that suffered a data breach after its employees responded to a phishing campaign. The case resulted in University of Washington Medicine agreeing to a $750,000 fine to settle potential HIPAA violations. UWM had already had to cover significant data breach resolution costs after suffering a 90,000-record breach. The fine and the breach costs could potentially have been avoided if staff members had been trained to identify phishing emails.

The healthcare industry is now being targeted by cybercriminals, and phishing is the most commonly used method of gaining access to patient data. Even when multi-million-dollar security defenses are employed to keep networks secure, a single response to a phishing email can be all it takes to compromise hundreds of thousands of medical records. In the case of Anthem Inc., a sophisticated phishing campaign resulted in the theft of 78.8 million subscriber records. Premera BlueCross also reportedly suffered its 11-million-record data breach because employees responded to phishing emails, and last year the 4.5 million-record Community Health Systems data breach was also the result of members of staff responding to phishing emails.

Value of Phishing Simulation Exercises Highlighted by PhishMe Report

PhishMe, a provider of human-phishing defense solutions, recently released the results of an anti-phishing study conducted on 400 companies around the world. The company has now sent over 8 million phishing emails as part of its phishing simulation exercises. In total, 3.5 million enterprise employees from 23 countries have had their phishing identification skills put to the test using the company’s phishing simulation exercises.

The 2015 Enterprise Phishing Susceptibility Report highlights the benefit of conducting phishing simulation exercises on staff members. When it comes to phishing email identification, it would appear that practice makes perfect. Employees can hone their scam email identification skills with training, which will reduce the probability of them responding to a real phishing email.

Phishing is Now the Most Common Attack Vector Used by Cybercriminals

Cyberattacks are conducted using a variety of techniques, but the most common attack vector is phishing. The technique is also hugely successful. Research shows that approximately 20% of phishing emails result in a user falling for the scam.

When hackers craft campaigns that appear to be office communications, the emails are more likely to be opened and acted upon. According to the report, office-communication phishing emails had a 22% click-through rate.

PhishMe data show that an employee who responds to one phishing campaign is likely to fall for a second, and a third. 67% of individuals who responded to a phishing email were repeat offenders. If individuals are unaware of the telltale signs that an email or website is malicious, they will keep on making the same mistakes.

However, after taking part in phishing simulation exercises, the likelihood of an employee falling for a phishing campaign rapidly reduces. In fact, after four phishing simulation emails, the likelihood of responding to a fifth falls by 97.14% on average.

Image Source: PhishMe Enterprise Phishing Susceptibility Report, 2015

The report revealed the most common subject lines that resulted in employees falling for phishing campaigns. 36% of individuals opened an email with the subject line “file from scanner”, while 34% opened emails with the subject line “Unauthorized Activity/Access”.

Phishing emails are usually responded to quickly. In 87% of cases, a response happens on the same day that the email is received. Most of the time, employees respond to the emails as soon as they open their email inbox. If a campaign is launched against a company and multiple emails are sent to members of staff, IT departments do not have much time to respond.

An analysis of data revealed that employees were most likely to open phishing emails in the morning, with 8AM the most likely time for a successful attack to take place. When employees are arriving at work and are sifting through a large number of emails they are likely to be less vigilant and are more susceptible.

Fortunately, it is possible to train staff to identify a phishing campaign, although phishing email identification skills must be put to the test. The more exercises that are completed, the better employees will get at identifying scam emails. Typically, only five training emails need to be sent before the likelihood of an employee responding to a campaign effectively drops to 0%.
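As an added example (not code from the PhishMe report or from HIPAA Journal), here is a small Python script that computes the kinds of metrics the report discusses from the results of an internal phishing simulation program: per-round susceptibility, the share of repeat responders, the same-day response rate, and the peak click hour. The employee names, rounds, and timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Constructed phishing-simulation results (sample data, not PhishMe's):
# (employee, round, sent_at, clicked_at or None) for three monthly rounds.
RESULTS = [
    ("alice", 1, "2015-03-02 08:05", "2015-03-02 08:11"),
    ("alice", 2, "2015-04-06 08:05", "2015-04-06 08:40"),
    ("alice", 3, "2015-05-04 08:05", None),
    ("bob",   1, "2015-03-02 08:05", "2015-03-02 08:07"),
    ("bob",   2, "2015-04-06 08:05", "2015-04-06 14:15"),
    ("bob",   3, "2015-05-04 08:05", "2015-05-05 09:02"),
    ("carol", 1, "2015-03-02 08:05", "2015-03-02 08:30"),
    ("carol", 2, "2015-04-06 08:05", None),
    ("carol", 3, "2015-05-04 08:05", None),
    ("dave",  1, "2015-03-02 08:05", None),
    ("dave",  2, "2015-04-06 08:05", None),
    ("dave",  3, "2015-05-04 08:05", None),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def susceptibility_by_round(results):
    """Share of recipients who clicked in each round; should fall over time."""
    sent, clicked = Counter(), Counter()
    for _, rnd, _, clicked_at in results:
        sent[rnd] += 1
        clicked[rnd] += bool(clicked_at)
    return {r: clicked[r] / sent[r] for r in sorted(sent)}

def repeat_responder_rate(results):
    """Of employees who clicked at least once, the share who clicked again."""
    clicks = Counter(emp for emp, _, _, c in results if c)
    return sum(n > 1 for n in clicks.values()) / len(clicks) if clicks else 0.0

def same_day_response_rate(results):
    """Share of clicks that happened on the calendar day the email was sent."""
    pairs = [(s, c) for _, _, s, c in results if c]
    same = sum(_ts(s).date() == _ts(c).date() for s, c in pairs)
    return same / len(pairs) if pairs else 0.0

def peak_click_hour(results):
    """Hour of day (0-23) with the most clicks, i.e. when to expect reports."""
    hours = Counter(_ts(c).hour for _, _, _, c in results if c)
    return hours.most_common(1)[0][0] if hours else None
```

Tracking these numbers round over round is how a program shows the kind of decline the report describes, and the repeat-responder list is the natural target for follow-up training.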

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.