Healthcare Employees Are Vulnerable to Phishing Attacks, According to Study

The healthcare industry is being heavily targeted by cybercriminals and phishing is one of the most common methods they are using to gain access to healthcare networks and, as a result, sensitive data. The number of successful phishing attacks on healthcare institutions is a serious cause for concern.

OCR identified email as being the main location of breached ePHI at HIMSS19, and the highest risk of data breaches come from phishing attacks.

Is the high number of successful phishing attacks mostly down to the healthcare industry being targeted more than other industry sectors? Or is it as a result of healthcare employees being more susceptible to phishing attacks? A recently published study has provided us with some answers.

A study has recently been conducted by Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team to determine the susceptibility of healthcare employees to phishing attacks.

To conduct the study, Gordon and his team analysed data from 6 healthcare institutions in the United States that used vendor solutions or custom-developed tools to send simulated phishing emails to their employees.

The researchers analyzed the data collected from the simulated phishing emails sent to healthcare employees between August 2011 and April 2018. The data set included 95 simulated phishing campaigns which resulted in 2,971,945 simulated phishing emails being sent.

422,062 of these emails (14.2%) were clicked by the employees. The institutional click rate median ranged between 7.4% and 16.7% per campaign. In one of its campaigns, an institutions had a median click rate of 30.7%. Overall, 1 in 7 emails attracted a click across all institutions and all campaigns.

The emails were divided into three categories: Office-related, IT-related and personal. IT-related emails (e.g. password resets, security alerts) turned out to be the most successful, with an institutional click rate median of 18.6%.

No significant association between the year that campaigns were conducted and click rates was found by the researchers. However, they did discover that repeated phishing simulations reduced the chances of employees falling for a later phishing email.

Institutions that ran between 6 and 10 simulated phishing campaigns lowered the odds of a click on a phishing email by 0.511. When more than 10 campaigns were conducted, the odds were reduced by 0.335.

The researchers indicated that the healthcare systems are uniquely vulnerable to phishing attacks, mostly as a result of a high turnover of employees and a constant influx of new employees that may not have had any previous cybersecurity training. High endpoint complexity was also named as a factor that makes healthcare institutions vulnerable to phishing attacks.

From the high click rates, the researchers concluded that phishing is a major cybersecurity risk in healthcare.

Three particular tactics were suggested by the researchers to counter the threat from phishing:

  1. Prevent emails from being delivered to employees through the use of spam filtering technology
  2.  Implement multi-factor authentication to decrease the value of credentials
  3. Improve security awareness through cybersecurity training and phishing simulations.

The report ‘Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions’ was published on JAMA Network Open on March 8, 2019. DOI:10.1001/jamanetworkopen.2019.0393.