The healthcare sector is frequently attacked by phishers seeking access to healthcare information located in email accounts. Oftentimes, email accounts include substantial quantities of highly sensitive protected health information (PHI). Augusta University Healthcare System reported a phishing attack in August 2018 in which multiple email accounts were accessed by unauthorized individuals. The PHI of 417,000 patients was contained in the breached email accounts.
Data from the HHS’ Office for Civil Rights indicates email is the most frequent location of breached PHI. In July, 14 out of 28 healthcare data breaches involved email, there were 11 email breaches in June and 9 email breaches in May.
Cofense Research Shows Healthcare Industry Lags Behind Other Industries in Resiliency to Phishing
Cofense (previously PhishMe), a security awareness training and anti-phishing solution provider, recently published an report of a study of phishing in the healthcare sector. According to the report – ‘Say “Ah!” – A Closer Look at Phishing in the Healthcare Industry’ – one-third of all data breaches affected the healthcare industry, with those breaches resulting in the theft or exposure of over 175 million healthcare records.
It is not surprising that hackers target the healthcare industry because of the vast volumes of extremely valuable information that healthcare organizations hold. Information such as health data, insurance data, Social Security numbers, birth dates, contact details, and financial information can be quickly marketed to identity thieves and scammers. Additionally, the healthcare industry’s investments in cybersecurity is much less compared to other industry sectors.
Information from Cofense shows that the healthcare industry fared worse than other verticals with regard to susceptibility and resiliency to phishing. Cofense determined susceptibility to phishing from failures to recognize phishing emails through its phishing simulation platform. To measure the resiliency rate to phishing, Cofense calculated the ratio of users that reported a phishing attempt via Cofense Reporter against users that didn’t.
The susceptibility percentage across all industries was 11.9% while the resiliency rate was 1.79. For the healthcare industry, the susceptibility percentage was 12.4% while the resiliency rate was 1.34. The resiliency rate for the insurance industry and energy sector were 3.03 and 4.01, respectively.
The last couple of years have seen cybersecurity budgets increase and there is now a much greater focus on security and risk management in the healthcare industry. The additional funds that have been made available for anti-phishing solutions is certainly helping, but there is still a lot of room for improvement.
Cofense also revealed how healthcare employees fall victim to phishers. The phishing email simulations showed that healthcare employees are most commonly tricked by a combination of social and business emails. Most often, healthcare employee are fooled by requests for invoices, manager evaluations, package shipping notices, and a Halloween eCard notifications. All of these phishing email subjects had a click through rate of over 21%.
Cofense Intelligence data show invoice request emails are often used to install ransomware. Simulations of these types of phishing emails saw 32.5% of healthcare employees fooled and only 7.2% reported the emails as suspicious. The Cofense Brief also provides information on the most often clicked phishing emails and makes several recommendations to healthcare providers that can help them reduce susceptibility to phishing attacks.
The Cofense Healthcare Industry Brief is available here.