The healthcare sector is uniquely vulnerable to phishing attacks, due to high employee turnover and an influx of new employees who may lack previous cybersecurity training, according to a new report published in the Journal of the American Medical Association.
William Gordon, MD, of Harvard Medical School and Boston’s Brigham and Women’s Hospital led a team of researchers to determine whether healthcare was more susceptible to phishing campaigns than other sectors, by studying six diverse healthcare organizations from 2011 to 2018.
The researchers performed 95 simulated phishing campaigns, sending about 3 million emails to the studied organizations’ employees. In total, the employees opened 422,062 of the malicious emails, or about 14 percent.
The median click rate ranged from about 7.4 percent to 30.7 percent, with an overall median click rate of 16.7 percent across all organizations and campaigns. The total click rate was about one out of seven simulated phishing emails.
The open rate did not vary by size of the organization, and office-related emails were not significantly associated with click rates. However, the researchers determined personal emails were significantly associated with increased click rates.
Notably, the researchers determined that those click rates decreased significantly with subsequent campaigns.
“Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness,” the researchers wrote. “Employee awareness and training represent an important component of protection against phishing attacks.”
“One method of generating awareness and providing training is to send simulated phishing emails to a group of employees and subsequently target educational material to those who inappropriately click or enter their credentials,” they added.
Phishing simulation is a common practice across all sectors and has been used in healthcare as a training and improvement initiative. The researchers explained that simulated emails should look like real phishing emails. When an employee opens the simulation, it provides “a real-time opportunity to provide short phishing education to the employee.”
The researchers examined the practice of phishing simulations to determine the extent of healthcare’s vulnerabilities and potential determinants of phishing vulnerabilities.
“Healthcare institutions conduct phishing simulations to raise awareness and identify employees who may benefit from education and training,” the researchers wrote. “Under simulation, a large number of employees click on phishing emails, consistent with findings across other industries.”
“The odds of clicking on a phishing email decreased with greater institutional experience, which we hypothesize may be due to the benefit of running phishing simulation campaigns for employee education and awareness,” they added.
Further, the researchers noted that there was a wide range of click rates between campaigns, which they hypothesize is due to prior employee exposure to phishing simulations, complexities of the individual phishing email, timing, and institutional factors, such as messaging.
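The figures above mix two different summaries (a median of per-campaign click rates and a pooled total across all emails) and a trend (click odds falling as an organization runs more campaigns). The script below, an added example that is not part of the JAMA study or this article, shows how a security team would compute both summaries from its own simulation results and estimate the change in click odds per additional campaign. The campaign data is constructed for illustration, and the trend estimate is a simple weighted least-squares fit on log odds, not the model the researchers used.

```python
"""Summarise phishing-simulation campaign results.

Added example with constructed data; it is not the JAMA study's code or data.
"""
from math import exp, log
from statistics import median

# Constructed sample (not from the study): one row per simulated campaign, as
# (organization, campaign number within that organization, emails sent, clicks).
CAMPAIGNS = [
    ("org-a", 1, 1000, 250),
    ("org-a", 2, 1000, 200),
    ("org-a", 3, 1000, 150),
    ("org-b", 1, 4000, 600),
    ("org-b", 2, 4000, 440),
    ("org-c", 1, 500, 40),
    ("org-c", 2, 500, 35),
]


def click_rate(sent: int, clicks: int) -> float:
    """Fraction of delivered simulation emails whose recipient clicked."""
    if sent <= 0 or clicks < 0 or clicks > sent:
        raise ValueError("clicks must be between 0 and sent, and sent must be > 0")
    return clicks / sent


def per_campaign_rates(campaigns) -> list:
    return [click_rate(sent, clicks) for _, _, sent, clicks in campaigns]


def median_click_rate(campaigns) -> float:
    """Median of per-campaign rates: every campaign counts once, whatever its size."""
    return median(per_campaign_rates(campaigns))


def pooled_click_rate(campaigns) -> float:
    """Total clicks over total emails sent: large campaigns dominate this figure."""
    sent = sum(s for _, _, s, _ in campaigns)
    clicks = sum(c for _, _, _, c in campaigns)
    return clicks / sent


def log_odds(rate: float) -> float:
    if not 0 < rate < 1:
        raise ValueError("log odds undefined for rates of exactly 0 or 1")
    return log(rate / (1 - rate))


def odds_ratio_per_campaign(campaigns) -> float:
    """Estimate how click odds change with each additional campaign.

    Weighted least-squares fit of per-campaign log odds against campaign number,
    weighting each campaign by emails sent. Returns exp(slope): the multiplicative
    change in click odds per extra campaign (below 1 means later campaigns had
    lower click odds). This ignores organization-level effects; it is a quick
    approximation, not the study's statistical model.
    """
    xs = [n for _, n, _, _ in campaigns]
    ys = [log_odds(r) for r in per_campaign_rates(campaigns)]
    ws = [s for _, _, s, _ in campaigns]
    total = sum(ws)
    xbar = sum(w * x for w, x in zip(ws, xs)) / total
    ybar = sum(w * y for w, y in zip(ws, ys)) / total
    num = sum(w * (x - xbar) * (y - ybar) for w, x, y in zip(ws, xs, ys))
    den = sum(w * (x - xbar) ** 2 for w, x in zip(ws, xs))
    if den == 0:
        raise ValueError("need at least two distinct campaign numbers")
    return exp(num / den)


def campaigns_needing_followup(campaigns, threshold: float) -> list:
    """Campaigns whose click rate is at or above the threshold, as (org, number).

    Useful for deciding where to direct the targeted education the study describes.
    """
    return [(org, n) for org, n, s, c in campaigns if click_rate(s, c) >= threshold]


if __name__ == "__main__":
    print(f"median per-campaign click rate: {median_click_rate(CAMPAIGNS):.1%}")
    print(f"pooled click rate:              {pooled_click_rate(CAMPAIGNS):.1%}")
    print(f"odds ratio per extra campaign:  {odds_ratio_per_campaign(CAMPAIGNS):.2f}")
    print("campaigns at or above 20% clicks:", campaigns_needing_followup(CAMPAIGNS, 0.20))
```

With the constructed rows the median per-campaign rate (15.0%) sits above the pooled rate (14.3%) because the two large, lower-clicking org-b campaigns pull the pooled figure down, which is the same reason the article can report both a 16.7 percent median and an overall rate near one in seven. The odds ratio comes out below 1, matching the direction of the study's finding that more campaigns were associated with lower odds of clicking.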
Healthcare is also especially vulnerable to these attacks, not just due to employee turnover, but also due to “significant end point complexity.”
“Every employee smartphone that is connected to the network is a potential risk, as are other networked devices,” the researchers wrote. “Hospital information systems are highly interdependent. An EHR is dependent on a laboratory information system to display clinical results.”
“The laboratory information system, in turn, is dependent on a network connection to the laboratory analyzer system to process results,” they continued. “Attacking one system could significantly influence multiple downstream systems… It only takes one successful phishing email, sent to one user, to shut down a critical system, potentially disrupting care across an entire organization.”
Phishing simulation and awareness training reduce the rate at which employees open phishing emails. The researchers also suggested that organizations can employ filters to prevent users from receiving the malicious emails in the first place. Multi-factor authentication can further reduce the risk, because it reduces the value of usernames and passwords, a key target for many phishing campaigns.
The JAMA study upheld a recent HIMSS report that found phishing and negligent insiders leave healthcare organizations vulnerable to attack.
“Current click rates in phishing simulations at US healthcare organizations indicate a major cybersecurity risk,” the JAMA researchers wrote. “These click rates highlight the importance of phishing emails as an attack vector, as well as the challenge of securing information systems.”
“Repeated campaigns were associated with improved click rates, suggesting that simulated phishing campaigns are an important component of a proactive approach to reducing risk,” they added. “It’s necessary for all members of the healthcare community to understand this risk, particularly as safe and effective health care delivery becomes increasingly dependent on information systems.”