Phishing is popular because it works. Researchers, as part of a recent investigation published in JAMA Network Open, spent the past seven years studying the tactic, sending over 2.9 million simulated phishing attacks to employees across six different U.S. hospitals.
The results were stark: Roughly 1 in 7 of the simulated emails sent were clicked on by healthcare employees.
Leslie Corbo, assistant professor of cybersecurity for the School of Business and Justice Studies at Utica College and a co-author of the investigation, explains that there are several reasons that healthcare organizations are particularly vulnerable to this type of attack.
“Think about the way the phishing email itself is composed: A lot of times, attackers use a sense of urgency,” she says, “or the person thinks they are following an order.”
In other words, the high-stakes, high-speed, hierarchical world of medicine can push employees to react to phishing emails without pausing to fully evaluate the content and hyperlinks they contain — which should greatly disturb every leader across the healthcare industry.
Moreover, a recent Email Security Risk Assessment from Mimecast states that email impersonation attacks now account for 1 in every 350 emails in the healthcare, with 1 in 3,741 carrying malware. As these attacks continue to grow and evolve, organizations must find a way to combat them to protect valuable assets, such as patient data, from being compromised.
Physicians Are Concerned About Compromised Patient Data
Successful phishing emails often result in the compromise of sensitive data or the introduction of ransomware that’s capable of preventing a care team from meeting their patients’ needs.
“If the facility is affected by ransomware, the patient can be affected,” says Corbo. For example, surgery schedules might be disrupted or the wrong medications dispensed because the information caregivers rely upon is suddenly inaccessible.
“Those things come into a form of malpractice,” she says. “Someone could argue that the hospital wasn’t prepared.”
Physicians echoed those concerns in a 2017 survey conducted by Accenture and the American Medical Association. Seventy-four percent of those surveyed worried that cyberattacks could lead to a loss of electronic health record access and compromised patient data, while 53 percent were concerned that patients would be harmed.
Micro Trainings Can Make for Macro Results
The human factor makes it hard to combat phishing effectively. But, says Corbo, robust and ongoing training can make a noticeable difference in how healthcare staff handle suspicious emails.
“If you train once a year for the sake of compliance, you’re fooling yourself,” she says. “Employees get it after they’ve been provided regular training, and it doesn’t have to be an all-day event, or even an hour.”
Corbo notes that simulated attacks, like those used in the JAMA investigation, could be used to help employees improve their ability to detect phishing attacks, even in the midst of their busy workdays.
“It could be less than five minutes: a simulated phishing email, where, if they click on a link or open the attachment, it will connect them to training that takes two or three minutes,” she says.
And following a simulated attack, Corbo suggests the IT security team follow up a few days later, providing more general training to those who successfully avoid the simulation.
Combining such training with simple technology-based changes — such as keeping vulnerabilities patched and automatically tagging links and attachments in incoming emails with security reminders — can help keep employees from taking the bait.