Study Finds Healthcare Employees Vulnerable to Phishing Emails

Phishing attacks against large organisations have become increasingly common in recent years. Sectors that deal with sensitive information, such as the healthcare sector and financial industries, are particularly at risk of attack. Credit card numbers and health information have significant black-market values, making them potentially lucrative targets. A successful phishing or ransomware campaign can earn a hacker thousands of dollars with minimal effort on their part.

Although healthcare organisations have diverted many resources towards improving their cybersecurity infrastructure, the threat actors behind phishing attacks are adept at designing campaigns to avoid these defences. One must only consider the rate at which healthcare organisations report data breaches to realise that phishing attacks pose a severe threat to healthcare data.

To strengthen an organisation’s defences against these attacks, it is critical to discern whether healthcare employees are particularly vulnerable to phishing attacks. Dr William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School conducted a study to investigate this question. The paper, entitled “Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions”, was published in JAMA on March 9.

Gordon and his colleagues analysed data from phishing simulations conducted by healthcare organisations to determine how susceptible healthcare employees are to phishing attacks. The data were taken from phishing simulation campaigns conducted between 2011 and 2018. The six healthcare organisations in the study conducted 95 trial campaigns, sending 2,971,945 emails. In 422,062 cases (14.2%), the emailed was convincing enough to fool an employee into clicking the link.

The researchers placed the emails into three categories; office related, personal, or information technology (IT) related. Healthcare employees were more likely to respond to an email if it claimed to be related to some IT issue. The median institutional success rate for IT-themed emails was 18.6%.

The researchers determined that healthcare employees are susceptible to phishing attacks. They cited various factors that could be the cause of this vulnerability. In healthcare, there is considerable endpoint diversity, and this complexity can make healthcare organisations vulnerable. Healthcare organisations often see a high turnover of staff and a constant influx of new employees, many of whom may not have received security awareness training.

The researchers found that organisations were able to decrease click rates by conducting multiple phishing email simulation campaigns. The campaigns were effective at lowering the odds of an employee clicking a phishing link. The odds were 0.511 lower when 6-10 campaigns were conducted and 0.335 lower when more than 10 campaigns had been conducted.

The authors concluded: “It is necessary for all members of the health care community to understand this risk, particularly as safe and effective health care delivery becomes increasingly dependent on information systems.”

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at