Is the healthcare sector uniquely vulnerable to phishing attacks? A recent study published in JAMA Network Open says yes, with data to back that claim.

A team of researchers led by William Gordon, MD of Harvard Medical School and Boston’s Brigham and Women’s Hospital set out to answer the question, “Are employees at US healthcare institutions susceptible to phishing attacks?” The short answer: Yes!

The final study included 6 geographically dispersed US healthcare institutions. Researchers sent a total of 95 simulated phishing campaigns, totaling nearly 3 million emails between August 2011 and April 2018. Of those emails, 422,062 (14.2%) were clicked.

Nearly 1 in 7 simulated phishing emails sent during the study were clicked on by employees.

The study also found that the size of the institution did not affect employees' odds of clicking on a phishing simulation. What did matter was the content of the lure: simulations with personal content drew significantly more clicks than office-related ones, and IT-related lures such as password reset requests and security alerts drew the most clicks of all.

Healthcare – uniquely vulnerable

The report describes healthcare systems as "uniquely vulnerable" to phishing, citing high employee turnover at hospitals and the constant influx of new employees who have had no prior cybersecurity training. It also points to the large and varied set of endpoints inside a hospital that attackers can target, and to the interdependence of hospital information systems: an Electronic Health Record may depend on a laboratory information system, which in turn depends on a network connection to deliver results, so an attack on one system can disrupt several others.

What can we learn from this study?

The study found that running more campaigns was associated with lower odds of an employee clicking on a subsequent simulated phishing email. Relative to institutions that had run fewer campaigns, those that had run between 6 and 10 campaigns had an odds ratio of 0.511 for a click (roughly half the odds), and those that had run more than 10 campaigns had an odds ratio of 0.335 (roughly one third).

This suggests that repeated phishing simulations are an effective training tool that helps employees spot phishing emails and keeps the risk top-of-mind. One caveat: the analysis is observational, so the association does not by itself prove that the simulations caused the improvement.

In the end, the researchers conclude that these simulated phishing click rates represent a major cybersecurity risk for the healthcare sector.

Recommendations to combat phishing in healthcare

The report includes 3 recommendations for preventing or minimizing the consequences of a phishing attack.

  1. Keep phishing emails out of employees' inboxes in the first place. This can be done with gateway technology that filters incoming mail for suspicious patterns and with a visible marker on messages that arrive from an external sender.
  2. Use Multi-Factor Authentication (MFA). With MFA in place a phished password alone is not enough to log in, which makes stolen credentials far less valuable to cybercriminals (one-time codes can still be relayed by a real-time phishing proxy, so phishing-resistant methods such as FIDO2 security keys are the stronger choice).
  3. Improve security awareness. Employee security awareness training should be a top priority for every organization, and that training should include phishing simulations.
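As an added example (not from the study or the original article), the following Python script shows what the first recommendation looks like in practice: it parses a raw RFC 5322 message, flags the patterns a mail gateway would act on (external sender, failed SPF/DKIM/DMARC verdict, Reply-To pointing elsewhere, a display name impersonating an internal address, and a password-reset style subject arriving from outside), and prepends an `[EXTERNAL]` tag to the subject of mail from outside the organisation. The hospital domains, the lure keyword list and the two sample messages are constructed for the example; the checks are illustrative and do not replace a real gateway's SPF/DKIM/DMARC enforcement.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Hypothetical hospital domains; constructed for this example, not from the study.
INTERNAL_DOMAINS = {"examplehospital.org", "mail.examplehospital.org"}
EXTERNAL_TAG = "[EXTERNAL]"
# Subject words typical of the IT-related lures (password resets, security alerts)
# that the study found to be the most clicked category. Illustrative list only.
IT_LURE_WORDS = ("password", "reset", "security alert", "verify your account")
# Failed verdicts as written into Authentication-Results by the receiving MTA.
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b")


def address_domain(header_value) -> str:
    """Lower-cased domain of the first address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(domain: str) -> bool:
    return domain in INTERNAL_DOMAINS


def analyse(raw: bytes) -> dict:
    """Parse a raw message and list the suspicious patterns a gateway would flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    display_name, _ = parseaddr(str(msg.get("From") or ""))
    subject = str(msg.get("Subject") or "").lower()
    auth = str(msg.get("Authentication-Results") or "").lower()
    external = not is_internal(from_domain)

    findings = []
    if external:
        findings.append("external-sender")
    if AUTH_FAIL.search(auth):
        findings.append("auth-fail")             # SPF/DKIM/DMARC failed at the MTA
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")     # replies are diverted to another domain
    if external and any(d in display_name.lower() for d in INTERNAL_DOMAINS):
        findings.append("display-name-spoof")    # name claims an internal identity
    if external and any(w in subject for w in IT_LURE_WORDS):
        findings.append("it-lure-from-outside")  # password-reset style subject from outside
    return {"from_domain": from_domain, "findings": findings}


def tag_external(raw: bytes) -> bytes:
    """Return the message with the subject prefixed if the sender is external.

    Internal mail is returned untouched; an already tagged subject is not tagged twice.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_internal(address_domain(msg.get("From"))):
        return raw
    subject = str(msg.get("Subject") or "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg.as_bytes()


def subject_of(raw: bytes) -> str:
    """Subject header of a raw message, used to inspect the tagged output."""
    return str(email.message_from_bytes(raw, policy=policy.default).get("Subject") or "")


# Constructed sample messages (not real mail): an internal notice and an external lure.
SAMPLE_INTERNAL = b"""\
From: HR Department <hr@examplehospital.org>
To: staff@examplehospital.org
Subject: Benefits enrollment opens Monday
Authentication-Results: mx.examplehospital.org; spf=pass smtp.mailfrom=examplehospital.org; dmarc=pass

Enrollment opens next week; see the intranet page.
"""

SAMPLE_EXTERNAL = b"""\
From: "IT Help Desk examplehospital.org" <helpdesk@examplehospital-support.com>
Reply-To: reset@mailbox-verify.example.net
To: nurse@examplehospital.org
Subject: Password reset required within 24 hours
Authentication-Results: mx.examplehospital.org; spf=fail smtp.mailfrom=examplehospital-support.com; dmarc=fail

Your password expires today. Click the link to keep your account active.
"""

if __name__ == "__main__":
    for name, sample in (("internal", SAMPLE_INTERNAL), ("external", SAMPLE_EXTERNAL)):
        print(name, analyse(sample))
        print("  subject after tagging:", subject_of(tag_external(sample)))
```

The tag is the part employees actually see, so it should be applied consistently: a real gateway adds it for every message that fails `is_internal`, not only for those that trip the other checks, otherwise staff learn that untagged mail is safe when it merely passed a heuristic.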