1 in 7 Phishing Emails Opened by Healthcare Workers

For some time now, healthcare has been in the crosshairs of hackers worldwide. Crippling ransomware attacks have sent some hospitals back to pen and paper to keep operating, and Personally Identifiable Information (PII) has been stolen from countless patients and sold on the dark web for $10 to $1,000 per file. A recent study finds that healthcare employees click on one out of every seven phishing emails. That may not be shocking news, but most malware attacks on healthcare start with phishing emails aimed at employees. To shed some light on the subject, recent research on email phishing click rates among healthcare employees is highlighted in a report published in JAMA Network Open.

The report focused on six healthcare institutions in the US from 2011 to 2018. The goal was to measure how vulnerable employees are to opening phishing emails. Over those seven years, 95 simulated phishing campaigns were launched against healthcare entities. Overall, employees clicked on 14.2% of all emails sent. That totals 422,062 opened emails, each of which could have been the start of a malware attack. The median click rate across all institutions in the study was 16.7%, but it ranged from as low as 7.4% to as high as 30.7% at individual institutions. The good news is that the more employees were exposed to simulated phishing, the fewer emails they opened. That result leaves researchers with an open question: did employee awareness increase because of the continued simulated phishing campaigns, and would click rates begin to rise again once the campaigns stopped?
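The metrics the report works with (pooled click rate, per-campaign median and range, and whether click rates fall as staff see more simulations) are the same ones an organisation running its own awareness program would want to track. The script below is an added example, not code from the article or the study; the campaign rows are constructed sample data and are not the study's figures. Institution names and the column layout are assumptions for illustration.

```python
from statistics import median

# Constructed sample data (not the study's figures): one row per simulated
# phishing campaign, listed in the order the campaigns were run at each
# institution. Institution names are hypothetical.
CAMPAIGNS = [
    # (institution, campaign_number, emails_sent, emails_clicked)
    ("hospital_a", 1, 1000, 250),
    ("hospital_a", 2, 1000, 190),
    ("hospital_a", 3, 1000, 120),
    ("hospital_b", 1, 500, 80),
    ("hospital_b", 2, 500, 60),
    ("hospital_b", 3, 500, 45),
    ("hospital_c", 1, 2000, 300),
    ("hospital_c", 2, 2000, 310),
]


def click_rate(sent, clicked):
    """Fraction of delivered simulation emails whose link or attachment was opened."""
    if sent <= 0:
        raise ValueError("emails_sent must be positive")
    return clicked / sent


def overall_click_rate(campaigns):
    """Pooled rate: total clicks over total emails sent (the article's 14.2% figure is this kind of number)."""
    sent = sum(row[2] for row in campaigns)
    clicked = sum(row[3] for row in campaigns)
    return click_rate(sent, clicked)


def campaign_rate_summary(campaigns):
    """Median, minimum and maximum of the per-campaign click rates."""
    rates = [click_rate(sent, clicked) for _, _, sent, clicked in campaigns]
    return {"median": median(rates), "min": min(rates), "max": max(rates)}


def exposure_trend(campaigns):
    """Per institution: least-squares slope of click rate against campaign number.

    A negative slope means the click rate fell as employees were exposed to
    more simulations. Returns None for an institution with too few campaigns
    (or identical campaign numbers) to fit a trend.
    """
    by_inst = {}
    for inst, number, sent, clicked in campaigns:
        by_inst.setdefault(inst, []).append((number, click_rate(sent, clicked)))

    slopes = {}
    for inst, points in by_inst.items():
        if len(points) < 2:
            slopes[inst] = None
            continue
        xs = [p[0] for p in points]
        ys = [p[1] for p in points]
        x_mean = sum(xs) / len(xs)
        y_mean = sum(ys) / len(ys)
        num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
        den = sum((x - x_mean) ** 2 for x in xs)
        slopes[inst] = None if den == 0 else num / den
    return slopes


def improving_institutions(campaigns):
    """Institutions whose click rate trends downward across successive campaigns."""
    return sorted(
        inst for inst, slope in exposure_trend(campaigns).items()
        if slope is not None and slope < 0
    )


if __name__ == "__main__":
    print(f"overall click rate: {overall_click_rate(CAMPAIGNS):.1%}")
    summary = campaign_rate_summary(CAMPAIGNS)
    print(f"per-campaign median {summary['median']:.1%}, "
          f"range {summary['min']:.1%} to {summary['max']:.1%}")
    for inst, slope in exposure_trend(CAMPAIGNS).items():
        print(f"{inst}: change in click rate per campaign = {slope:+.3f}")
    print("improving:", improving_institutions(CAMPAIGNS))
```

The slope is a blunt instrument: it shows whether click rates fall with repeated exposure, but it cannot answer the researchers' follow-up question of whether rates climb back once simulations stop. Answering that requires continuing to measure after the last campaign.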

With so much at stake in healthcare breaches, this study shows just how vulnerable the industry is. Although it confirmed that phishing emails remain a serious problem for healthcare, hopes are high that the numbers will decrease over time.

Cybersecurity education for employees in every industry cannot be overlooked as a critical part of getting click rates down, since this report shows that increased awareness of phishing emails helps lower them. Below are tips for all users, healthcare employees or not, to keep click rates down and malware out.

  • Install the latest system updates and security patches on all devices as soon as they are available.
  • When in doubt, throw it out. Treat all emails with a healthy dose of suspicion, especially those you’re not expecting or that come from unknown senders. Report suspicious emails to IT so they can investigate further.
  • Don’t open attachments or follow links unless you’re 100% sure they are legitimate.
  • If you want to verify a suspicious email yourself, don’t use the contact information included in the email; it could be a set-up. Search the web for official contact information. If you know the sender, start a completely new email to confirm, or send a text or place a phone call.
  • Beware of email subject lines designed to get a reaction. Whether work-related or personal, any email directing you to take an action, especially urgently, should automatically be treated as suspicious, particularly one asking you to verify personal information.