The healthcare industry appears to have more than its fair share of phishing attacks. Barely a week goes by without a major phishing attack being reported by a healthcare provider in the United States.
Healthcare organizations are targeted by cybercriminals as they hold valuable data. Healthcare records contain information that can be used for multiple types of fraud and the records sell for big bucks on darknet marketplaces. Successful attacks can be highly profitable.
Investment in cybersecurity defenses has improved, but phishing attacks offer a way to bypass perimeter defenses. Constantly evolving tactics also help to ensure that phishing emails are delivered to inboxes. As healthcare data breach reports show, many of those messages fool healthcare employees into revealing their login credentials.
To determine whether healthcare employees are particularly susceptible to phishing attacks, a study was conducted by Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School. The results of the study were recently published in JAMA.
Gordon and his colleagues analyzed data from phishing simulations conducted by healthcare organizations to determine how susceptible healthcare employees are to phishing attacks. The data were taken from phishing simulation campaigns conducted between 2011 and 2018.
In total, 2,971,945 emails had been sent, in 95 campaigns, conducted by 6 healthcare organizations. Out of those emails, 422,062 fooled employees into clicking a link – 14.2%. One in 7 emails resulted in a click.
There appeared to be no correlation between click rates and year, but some types of phishing emails were found to be more effective than others. Emails related to IT were most likely to get a response. The median institutional click rate for IT-themed emails was 18.6%. Personal emails were also successful.
The researchers determined that healthcare employees are susceptible to phishing attacks, and this was attributed to various factors. In healthcare, there is considerable endpoint diversity, and this complexity can make healthcare organizations vulnerable. In healthcare there is also a high turnover of staff and a constant influx of new employees, many of whom may not have received security awareness training.
The researchers found that organizations were able to decrease click rates by conducting multiple phishing email simulation campaigns. The campaigns were effective at lowering the odds of an employee clicking a phishing link. The odds were 0.511 lower when 6-10 campaigns were conducted and 0.335 lower when more than 10 campaigns had been conducted.
Along with technology to block phishing emails and 2-factor authentication, which prevents stolen credentials alone from being used to access accounts, running phishing email simulations helped to reduce risk.