New research from Brigham and Women’s Hospital in Boston finds hospital employees are extremely vulnerable to phishing attacks. The study highlights just how effective phishing remains as a tactic—the need for defense against and awareness of email scams is more critical than ever.
The research was a multi-center exercise that looked at results of phishing simulations at six anonymous healthcare facilities in the US. Research coordinators ran phishing simulations for close to seven years and analyzed click rates for more than 2.9 million simulated emails. Results revealed that 422,052 (14.2 percent) of phishing emails were clicked, which is a rate of one in seven.
Patient data at risk
Security professionals are acutely aware of the intense scrutiny placed on patient data and the regulatory requirements around HIPAA (Health Insurance Portability and Accountability Act). This new research on phishing in healthcare puts a spotlight on the vulnerability of this kind of data.
“Patient data, patient care, patient trust and financial stability may be on the line,” said study author William Gordon, MD, MBI, of the Brigham’s Division of General Internal Medicine and Primary Care. “Understanding susceptibility, but also what steps can be taken to mitigate it, are critical as cyberattacks continue to rise.”
Odds of clicks decreased with time
There was a positive finding in the study. Researchers noted that clicks on phishing emails went down with increasing campaigns. After institutions had run 10 or more phishing simulation campaigns, the odds of users clicking on fraudulent emails went down by more than one-third.
The findings make the case for solid awareness efforts to educate about the dangers of phishing, said Gordon.
“Things get better over time with awareness, education, and training,” he said. “Our study suggests that while the risk is high, there is an opportunity to mitigate it.”
Healthcare industry struggles with breach rate
Chris Carmody, senior vice president of enterprise technology and services at the University of Pittsburgh Medical Center (UPMC) and president of Clinical Connect Health Information Exchange, noted in an interview with Reuters Health News that phishing is a challenge in an increasingly digital healthcare environment.
“This is definitely a problem in all industries where people rely on e-communications, especially email,” Carmody said in the interview. “And health care is no different. We see clinical users whose primary focus is on patient care, and we’re trying to do our best to help them develop the knowhow to know what to look for so they can identify phishing attempts and report them to us.”
Carmody estimates that his security group at UMPC, which also runs phishing simulations, gets about 7,500 suspect emails forwarded to them each month, with about 12.5 percent of them being actually malicious.
But any number puts a healthcare facility at risk, as these kinds of institutions are particularly vulnerable to breach. A separate report from Beazley Breach Response finds that healthcare organizations suffered the highest number of data breaches in 2018 across any sector of the US economy. Healthcare institutions have a 41 percent reported breach rate, the highest of any industry.
Other figures from ratings firm SecurityScorecard find the healthcare industry is one of the lowest ranked industries when it comes to security practices. The report, titled SecurityScorecard 2018 Healthcare Report: A Pulse on The Healthcare Industry’s Cybersecurity Risk, looked at data from 1200 healthcare entities and ranked healthcare 15th out of 17 industries for overall cybersecurity posture.
The SecurityScorecard report noted the healthcare industry is one of the lowest performing industries in terms of endpoint security, posing a threat to patient data and potentially patient lives. In addition, 60 percent of the most common cybersecurity issues in the healthcare industry relate to poor patching cadence.
Healthcare phishing in the headlines
Healthcare phishing attempts that devastate facilities and lead to patient data leaks regularly make news headlines. In December 2018, an employee of Memorial Hospital at Gulfport, Mississippi was tricked by a phishing scheme and the result was the breached data of 30,000 patients.
The breach was discovered when investigators noticed an unauthorized party had gained access to an employee email account earlier in the month. Among the patient data leaked were emails, names, dates of birth, health data, and information about services patients had received at MHG. Social Security numbers were also leaked on some patients.
Phishing on the rise all over
Massive malware campaigns like Emotet and TrickBot have pushed phishing levels higher this year in many industries. Kaspersky Labs most recent Spam and phishing in 2018 report finds the number of phishing attacks that took place in 2018 more than doubled from the previous year.
Research from Sophos finds that 45 percent of UK businesses were hit by phishing attacks between 2016 and 2018. The study also revealed 54 percent had identified instances of employees replying to unsolicited emails or clicking the links in them.
The Malwarebytes 2019 State of Malware report finds all sectors are impacted by the kind of malware served up in phishing emails. Trojans like Emotet and TrickBot are particularly problematic in education, manufacturing, and retail. While healthcare fared poorly in the Brigham and Women’s study, every vertical is plagued by phishing.
How can business defend against phishing attacks?
Of all of the cybersecurity risks to organizations, the human element is always the toughest to mitigate. But, as the healthcare phishing study shows, user awareness does have a positive impact on click rates—the more campaigns were launched, the fewer employees who fell prey to fake emails.
There are plenty of free awareness and anti-phishing resources available that businesses can tap for training internally. For example, our anti-phishing guide offers suggestions and awareness tips for both employees and customers. And Google has an anti-phishing test you can access online to familiarize users with common phishing techniques. Of course, there are also many companies that offer training products for purchase.
However businesses choose to train employees, it’s important to have regular access to information and tools that promote awareness of evolving phishing techniques. In the healthcare industry, it’s not just about the bottom line—it could actually save lives.