How susceptible are hospital employees to phishing attacks?

March 11, 2019

Cybersecurity threats are a rising problem in society, especially for health care organizations. Successful attacks can jeopardize not only patient data but also patient care, leading to cancellations and disruptions in the critical services that hospitals provide. While many hospitals have taken steps to educate, inform and forewarn their employees about cybersecurity attacks, few studies have quantified how susceptible hospital employees are to phishing attacks. A new study led by investigators from Brigham and Women's Hospital addresses this question through a multicenter study that aggregated data from six health care institutions that ran phishing simulations over the course of seven years. The team reports a high click rate for simulated phishing emails but also a reduction in click rates as institutions ran more campaigns, suggesting a potential benefit from raising awareness. The team's findings are published in JAMA Network Open.

"Information security is increasingly important for health care organizations, and cybersecurity attacks are a major risk to a hospital's ability to operate and deliver care," said corresponding author William Gordon, MD, MBI, of the Brigham's Division of General Internal Medicine and Primary Care. "But our study suggests that while the risk is high, there is an opportunity to mitigate it through training."

Phishing attacks via email can lure individuals into disclosing sensitive personal information or clicking on links that download malicious software. Many organizations have made a concerted effort to train their employees to recognize and report these attacks by sending simulated phishing emails, ranging from office- and IT-related to personal-related correspondence, and subsequently training those who inappropriately click or enter their credentials.

Brigham investigators aggregated data from six anonymized U.S. health care institutions representing a broad spectrum of care and geography. In total, they analyzed click rates for more than 2.9 million simulated emails. The team reports that 422,052 of these emails were clicked (14.2 percent) -- roughly one in every seven. However, the odds of clicking on a phishing email decreased as institutions ran more campaigns. After institutions had run 10 or more phishing simulation campaigns, the odds went down by more than one-third.

The authors note that many factors may go into why an individual clicks on an email and that their study, which did not drill down to the level of individual employees, could not take all of these complexities into account. In addition, the study could not answer whether the improvements may be sustainable, and for how long, after a campaign ends.

"The rates that we report here are consistent with findings across other industries, where click rates can range from 13 to 49 percent, depending on the industry, but we know that in health care the stakes are high. Patient data, patient care, patient trust and financial stability may be on the line," said Gordon. "Understanding susceptibility, but also what steps can be taken to mitigate it, are critical as cyberattacks continue to rise."
This work was conducted with support from Harvard Catalyst/Harvard Clinical and Translational Science Center (National Center for Advancing Translational Sciences, National Institutes of Health award UL1 TR001102) and by financial contributions from Harvard University and its affiliated academic health care centers. A co-author of this work reports being a previous employee of Cofense.

Paper cited: Gordon, W et al. "Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions" JAMA Network Open DOI: 10.1001/jamanetworkopen.2019.0393

Brigham and Women's Hospital
