Anti-Phishing Solutions for Healthcare Providers

Phishing is the main method used by hackers to gain access to healthcare data, but fortunately there are a number of anti-phishing solutions for healthcare providers that can be employed to protect networks and the computers that connect to them.

While software solutions can reduce the likelihood of phishing emails being delivered to inboxes, what happens when emails do sneak past anti-spam filters? How likely is it that healthcare workers will respond to a phishing email? According to a recent study, if five emails reach employee inboxes, at least one individual is likely to click on the link in the email or open the email and its attachment.

Importance of Anti-Phishing Solutions for Healthcare Providers Highlighted by Recent Phishing Study

The study was conducted by PhishMe, a leading provider of user awareness phishing education services. The company provides phishing simulation training for the enterprise, and has sent over 8 million phishing training emails to more than 3.5 million enterprise employees. The recent study was conducted on a sample of 400 companies, with the data taken from 4,000 training simulations. The results of the study provide an insight into how effective phishing emails can be and how easy it is to fool workers that have received no anti-phishing training.

Response rates to the phishing simulation emails varied depending on the type of phishing email sent, whether the recipient was male or female, and what industry the recipient of the training email worked in.

Different categories of phishing emails were sent using common themes used by cybercriminals. Phishing emails asking recipients to perform computer updates were the least effective, but still had a response rate of 10%. The most effective phishing emails were found to be those that appeared to come from within the company. Office communications had a response rate of 22%, while emails relating to finance and contracts had a response rate of 20%.

Under the business communication scenario, phishing emails with the subject line of “File from Scanner” resulted in a click-through rate of 36%, while emails with a subject of “unauthorized access” had a click-through rate of 34%. Package delivery phishing emails – those which claim that a package delivery was attempted and failed – had a response rate as high as 49% for the education sector – almost half of employees. The figure was 41% for the agriculture industry and the same for the pharma and biotechnology industries. Healthcare workers fared better under this scenario, with only 19% responding.

The average response rate for the package delivery phishing email simulation benchmarking exercise, across all industry sectors, was 26%. Overall, across all types of phishing emails, sent to all industries, 35% of staff members failed to recognize at least one phishing email.

However, with practice employees were found to rapidly learn how to identify phishing emails. The simulation exercises only needed to be run 3 or 4 times to dramatically reduce the response rates. By the time a fourth simulation had been run, the response rate fell to just 1%.

The results of the study show that if an attacker were able to bypass spam filters and target an organization, the likelihood of members of staff falling for a phishing scam and at least opening an email would be considerable. A failure to provide staff members with any training on how to identify a phishing email could potentially result in many users falling for the campaign. As the Anthem, Community Health Systems and Premera BlueCross data breaches show, it is all too easy for employees to fall for phishing campaigns and compromise networks (and millions of records).

The data also show that testing employees by running phishing simulation exercises can be hugely beneficial and can greatly reduce the risk of phishing emails being opened, or network-compromising actions taken by employees.

The Failure to Implement Anti-Phishing Solutions Can Result in an OCR Fine

As was recently highlighted by University of Washington Medicine, OCR financial penalties may not be avoided if members of staff fall for phishing emails. The audit that was triggered by the 90K data breach suffered by University of Washington Medical Center revealed potential violations of HIPAA Rules. UWM decided to settle the case for $750,000.

Had a risk assessment been conducted, and the threat from phishing been identified, action could have been taken to reduce the risk to an acceptable level. The data breach could have been avoided, along with the audit and the hefty HIPAA fine. Anti-phishing solutions are an important cybersecurity defense, and healthcare organizations should bear in mind the cost of failing to use them. They are likely to be much cheaper than an OCR fine.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news