Phishing Remains Large Threat to Hospitals

March 20, 2019

Cybersecurity is an increasingly important component of hospital operations, and now impacts clinical care delivery.

Phishing is a major cybersecurity risk, and in a new study, published in the March 8, 2019 issue of JAMA Network Open, researchers sought to understand the extent to which hospital employees were susceptible to phishing.

Phishing has several advantages for “phishers,” according to lead study author William J. Gordon, MD, MBI, medical director, Health Innovation Platform, Partners Personalized Medicine and associate physician, Brigham & Women’s Hospital. “First, it can be used to solicit credentials, which give them access to downstream systems, for example, to install ransomware or download data,” Gordon says. “This data can then be sold on the Dark Web for significant financial benefit. Additionally, phishers can use phishing emails to install malware, which can also lead to financial benefit through ransomware or data theft.”

In this multicenter quality improvement study, Gordon and colleagues collected data from six U.S. healthcare institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The institutions were anonymized for security reasons. For each institution, the researchers collected the number of emails sent and clicked for every phishing campaign. They also collected the content of each simulation email and categorized it as IT related, personal, or work related. They then built a regression model of the odds that an employee clicks on a phishing simulation email as a function of several factors.

The study sample included more than 2.9 million simulated emails sent to employees at six hospitals across 95 phishing campaigns. The overall click rate was 14.2% across all campaigns and emails. Repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email.
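To make the study's measurements concrete, here is an added Python example (not code from the article or the JAMA study) that computes the quantities described above from a small constructed dataset: the overall click rate, click rate by email category, and the odds of clicking in each campaign relative to the same institution's first campaign, which is the kind of odds comparison the regression model reports. The institution names, campaign numbers, categories and counts are made-up placeholders.

```python
from collections import defaultdict

# Constructed sample data, one row per simulated phishing campaign:
# (institution, campaign_no, category, emails_sent, emails_clicked)
SIMULATIONS = [
    ("hospital_A", 1, "IT related",   1000, 200),
    ("hospital_A", 2, "personal",     1000, 150),
    ("hospital_A", 3, "work related", 1000, 100),
    ("hospital_B", 1, "work related",  500, 100),
    ("hospital_B", 2, "IT related",    500,  50),
]


def overall_click_rate(records):
    """Clicked emails divided by sent emails across every campaign."""
    sent = sum(r[3] for r in records)
    clicked = sum(r[4] for r in records)
    return clicked / sent


def category_click_rates(records):
    """Click rate per email category (IT related / personal / work related)."""
    totals = defaultdict(lambda: [0, 0])  # category -> [sent, clicked]
    for _inst, _n, category, sent, clicked in records:
        totals[category][0] += sent
        totals[category][1] += clicked
    return {cat: c / s for cat, (s, c) in totals.items()}


def odds(clicked, sent):
    """Odds of clicking: clicks divided by non-clicks (inf if everyone clicked)."""
    if clicked == sent:
        return float("inf")
    return clicked / (sent - clicked)


def odds_ratio_vs_first(records):
    """For each institution, the odds of clicking in campaign n divided by the
    odds in that institution's first campaign. A value below 1.0 means employees
    were less likely to click than they were in the first campaign.
    Returns {(institution, campaign_no): odds_ratio}; None when the first
    campaign had no clicks at all, so no ratio is defined."""
    by_inst = defaultdict(dict)
    for inst, n, _cat, sent, clicked in records:
        by_inst[inst][n] = (sent, clicked)
    result = {}
    for inst, campaigns in by_inst.items():
        first = min(campaigns)
        base = odds(campaigns[first][1], campaigns[first][0])
        for n, (sent, clicked) in sorted(campaigns.items()):
            result[(inst, n)] = None if base == 0 else odds(clicked, sent) / base
    return result


if __name__ == "__main__":
    print(f"overall click rate: {overall_click_rate(SIMULATIONS):.1%}")
    for cat, rate in category_click_rates(SIMULATIONS).items():
        print(f"  {cat:13s} {rate:.1%}")
    for (inst, n), ratio in odds_ratio_vs_first(SIMULATIONS).items():
        print(f"  {inst} campaign {n}: odds ratio vs first = {ratio:.2f}")
```

In this constructed data the odds ratio falls with each successive campaign at both institutions, mirroring the trend the study reports; with real simulation logs the same functions give the per-campaign and per-category inputs that a regression model would be fitted on.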

“First, hospital employees are susceptible to phishing simulation: nearly one out of seven emails were clicked by employees across all campaigns and all institutions,” Gordon says. “Second, in our regression model we showed that click rates decreased as institutions ran more phishing campaigns, arguing for a benefit to phishing simulation.”

Healthcare executives should be aware that cybersecurity will increasingly impact the healthcare sector, and has the potential to disrupt clinical operations, leading to delayed care, canceled procedures, diverted ambulances, reputational loss, and significant financial cost, according to Gordon.

“Phishing is an important risk and strategies to reduce the risk of employees engaging with phishing emails should be understood,” he says.

A piece of the bigger picture

Phishing simulation is just one component of a larger information security program, according to Gordon.

“While our study showed that phishing simulation reduced the risk of clicking on subsequent simulated phishing emails, the risk never reached zero, which suggests multiple strategies are needed to reduce risk,” he says.

Some of the ways that healthcare executives can prevent phishing include:

  • Better password controls using two-factor authentication

  • Email filtering and auto-detection of phishing emails, along with other advanced email verification techniques

  • Phishing simulation and awareness

  • Employee training

“Phishing simulation, and phishing training and awareness, should be a core component of that larger information security program,” Gordon says.