Cofense, the leading provider of human-based phishing threat management solutions, has published new research that shows the healthcare industry lags behind other industry sectors for phishing defenses and is routinely attacked by cybercriminals who often succeed in gaining access to sensitive patient health data.
The Department of Health and Human Services’ Office for Civil Rights publishes a summary of data breaches reported by healthcare organizations that affected 500 or more individuals. Each week, multiple email-related breaches are added to that portal.
The Cofense report looks more closely at these attacks and notes that roughly a third of all reported data breaches occur at healthcare organizations.
There are many examples of how simple phishing attacks have resulted in attackers gaining access to sensitive data, some of which have resulted in the theft of huge volumes of data. The phishing attack on Augusta University healthcare system, reported in August 2018, resulted in the health data of 417,000 patients being breached.
Cofense performed a cross-industry comparison of 20 verticals, including healthcare, financial services, technology, manufacturing, and energy, to determine how susceptibility and resiliency to phishing attacks vary by sector. The report’s resiliency rate sets the rate at which employees report phishing emails against the rate at which they fall for them; the higher the figure, the more reports the security team receives for every employee who clicks. Healthcare scored just 1.34, compared with 1.79 across all industries, 2.52 for financial services, and 4.01 for the energy sector.
One of the main reasons for the low healthcare score has been historical underinvestment in cybersecurity, even though the industry is heavily regulated and healthcare organizations are required by law to provide security awareness training to employees and must implement a range of controls to protect patient data.
The high cost of data breaches – $408 per record for healthcare organizations compared with a cross-industry average of $148 per record – has pushed healthcare organizations to invest more in cybersecurity. That increased investment has produced measurable improvements, but healthcare still trails other industries and has plenty of room to improve.
By analyzing responses to simulated phishing emails sent through its Cofense PhishMe simulation platform, the Leesburg, VA-based company identified the phishing themes most commonly clicked by healthcare employees. The most-clicked messages were invoice requests, manager evaluations, package delivery notifications, Halloween eCard alerts, and beneficiary changes, each with a click rate above 18%. Knowing which lures work best lets healthcare organizations target their training at the biggest risks, and the report details how susceptibility to phishing can be dramatically reduced through training combined with phishing simulations.
The report also includes a case study in which one healthcare organization, using the Cofense platform, was able to stop a phishing attack within 19 minutes of the first employee report. By contrast, it is not uncommon for breaches to go undetected for more than 100 days.
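The three figures the report leans on (the resiliency rate, per-template click rates above a threshold, and the time between a phish landing and the security team hearing about it) can all be derived from the raw results of a phishing simulation. The script below is an added example, not Cofense code and not taken from the report: it runs over a constructed set of simulation records (one per recipient, with the template used and the times at which that recipient clicked or reported). The resiliency formula it uses, users who reported divided by users who clicked, is an assumption based on the report’s description of comparing email reporting against phishing susceptibility, so the exact numbers Cofense would produce may differ.

```python
"""Phishing-simulation metrics: click rate per lure, resiliency rate,
and time-to-first-report. Added example, not Cofense code.

Assumptions (not from the report):
  - resiliency rate = users who reported / users who clicked
  - the SIMULATION_EVENTS records below are constructed test data
"""
from datetime import datetime

# Constructed data: one record per recipient of a simulated phish.
# A user who clicked and then reported has both timestamps set.
SIMULATION_EVENTS = [
    {"user": "a.lee",   "template": "invoice request",  "sent": "2018-10-01T09:00:00", "clicked_at": "2018-10-01T09:07:00", "reported_at": None},
    {"user": "b.ng",    "template": "invoice request",  "sent": "2018-10-01T09:00:00", "clicked_at": "2018-10-01T09:12:00", "reported_at": "2018-10-01T09:15:00"},
    {"user": "c.ortiz", "template": "invoice request",  "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": "2018-10-01T09:04:00"},
    {"user": "d.patel", "template": "invoice request",  "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": None},
    {"user": "e.kim",   "template": "invoice request",  "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": None},
    {"user": "f.shah",  "template": "package delivery", "sent": "2018-10-01T09:00:00", "clicked_at": "2018-10-01T09:20:00", "reported_at": None},
    {"user": "g.wu",    "template": "package delivery", "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": "2018-10-01T09:03:00"},
    {"user": "h.ruiz",  "template": "package delivery", "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": "2018-10-01T09:09:00"},
    {"user": "i.diaz",  "template": "package delivery", "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": "2018-10-01T09:30:00"},
    {"user": "j.roy",   "template": "package delivery", "sent": "2018-10-01T09:00:00", "clicked_at": None,                  "reported_at": None},
]


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None for a missing event."""
    return datetime.fromisoformat(value) if value else None


def click_rate_by_template(events):
    """Fraction of recipients who clicked, keyed by lure template."""
    sent, clicked = {}, {}
    for e in events:
        t = e["template"]
        sent[t] = sent.get(t, 0) + 1
        if e["clicked_at"]:
            clicked[t] = clicked.get(t, 0) + 1
    return {t: clicked.get(t, 0) / sent[t] for t in sent}


def riskiest_templates(events, threshold=0.18):
    """Templates whose click rate exceeds the threshold, highest first.
    0.18 mirrors the report's 'over 18%' cut-off for its top lures."""
    rates = click_rate_by_template(events)
    return sorted((t for t, r in rates.items() if r > threshold),
                  key=lambda t: -rates[t])


def resiliency_rate(events):
    """Users who reported divided by users who clicked (assumed definition).
    Counted per user, so someone who clicked and then reported is in both
    sets: they were susceptible, but they also gave the SOC a signal."""
    reporters = {e["user"] for e in events if e["reported_at"]}
    clickers = {e["user"] for e in events if e["clicked_at"]}
    if not clickers:
        # Nobody clicked: the ratio is undefined, which is not the same as
        # "infinitely resilient" (the lure may simply have been too easy).
        return None
    return len(reporters) / len(clickers)


def minutes_to_first(events, field):
    """Minutes from send to the earliest 'clicked_at' or 'reported_at'
    event in the campaign, or None if that event never happened."""
    deltas = [(_ts(e[field]) - _ts(e["sent"])).total_seconds() / 60
              for e in events if e[field]]
    return min(deltas) if deltas else None


if __name__ == "__main__":
    for t, r in click_rate_by_template(SIMULATION_EVENTS).items():
        print(f"{t:18s} click rate {r:.0%}")
    print("above threshold:", riskiest_templates(SIMULATION_EVENTS))
    print("resiliency rate:", round(resiliency_rate(SIMULATION_EVENTS), 2))
    print("first report after", minutes_to_first(SIMULATION_EVENTS, "reported_at"), "min;",
          "first click after", minutes_to_first(SIMULATION_EVENTS, "clicked_at"), "min")
```

On the constructed data the first report arrives three minutes after delivery and the first click four minutes later, which is the window the report’s 19-minute case study is about: a security team that acts on the earliest report can pull the message from every other mailbox before most recipients have opened it. Tracking time-to-first-report alongside click rate is what turns a simulation from a training exercise into a measure of how quickly the organization can actually respond.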
The Cofense Healthcare Phishing Report can be downloaded here (PDF)