Healthcare Industry Must do More to Deal with the Threat from Phishing

The benefit of conducting simulated phishing attacks has been well documented, yet many healthcare organizations do not put anti-phishing training to the test. Consequently, knowledge gaps may be allowed to persist which could jeopardize network security.

A recent study conducted by Wombat suggests the healthcare industry must do more to deal with the risk of phishing. Healthcare professionals’ knowledge of phishing threats does not appear to be up to scratch in several key areas.

Wombat’s Beyond the Phish report was prepared after the company assessed more than 20 million questions and answers on security threats. The Q&A was developed to test respondents’ ability to identify potential phishing attacks.

The study was conducted on a range of organizations including healthcare, finance, manufacturing, technology, and education. The report shows that 13% of healthcare respondents clicked on simulated phishing emails, compared to 9% in the manufacturing and energy sector. However, perhaps more telling was the number of questions from the Q&A that were missed by respondents.

31% of healthcare respondents missed questions in the assessment. Similar results were found in the energy and manufacturing sector, with 29% of questions missed. Healthcare respondents also fared particularly badly answering questions about protecting confidential information: A particular worry considering how cybercriminals are targeting the industry.

Healthcare respondents were also unsure about protecting mobile devices and the data stored on them. 25% of respondents missed questions in this section. Healthcare employees were also relatively poor at choosing safe passwords.

Phishing attacks via email are on the increase and the number of phishing websites being created has also soared in recent months. Earlier this year, a study conducted by the Anti-Phishing Working Group (APWG) showed that phishing websites increased by 250% from October 2015 to March 2016. Kaspersky Lab’s anti-phishing system was triggered almost 35 million times in the first quarter of 2016 alone and Symantec’s figures from 2015 show a 55% increase in spear-phishing campaigns targeting employees.

Training staff how to identify phishing emails and phishing websites is vital, but unless the training is put to the test, organizations will not be able to assess how effective the training has been. However, training and testing staff on phishing knowledge using simulated phishing attacks is only part of the story.

According to Wombat CEO Joe Ferrara, “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling.” He went on to say that “Many of these risky behaviors exacerbate the phishing problem.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of