Study Confirms Healthcare Employees are Susceptible to Phishing Attacks

Cybercriminals are targeting the healthcare industry, and phishing is one of the leading ways they gain access to healthcare systems and sensitive information.

Dr. William Gordon of Brigham and Women’s Hospital in Boston and Harvard Medical School and his colleagues performed a study to find out whether healthcare employees are particularly vulnerable to phishing attacks. They analyzed data from 6 healthcare institutions in the U.S. that used custom-made tools or vendor solutions to send simulated phishing emails to employees.

The researchers studied the data obtained from the simulations, which were sent between August 2011 and April 2018. 2,971,945 simulated phishing emails were sent in that time frame in 95 simulated phishing campaigns.

Employees clicked 422,062 (14.2%) of the emails. The median institutional click rate per campaign ranged from 7.4% to 16.7%. One institution had a median click rate of 30.7% for a campaign. Across all institutions and campaigns, roughly 1 in 7 emails was clicked.

The emails were categorized into three groups: personal, office-related and IT-related. The IT-related emails, which included security alerts and password reset requests, were clicked most often and had an 18.6% median institutional click rate.

The researchers found no significant association between the year in which campaigns were conducted and click rates. However, they discovered that running multiple phishing simulations reduced the chances of employees being fooled by subsequent phishing emails.

At institutions that had conducted between 6 and 10 simulated phishing campaigns, the odds of employees clicking a phishing email were lower (odds ratio 0.511), and lower still at institutions that had conducted 10 or more campaigns (odds ratio 0.335).

The researchers said healthcare systems are prone to phishing attacks because of high employee turnover and a continuous inflow of new employees who may have had no prior cybersecurity training. Another factor that makes healthcare organizations vulnerable to phishing attacks is high endpoint complexity.

Based on the high click rates, the researchers concluded that phishing is a major cybersecurity threat in healthcare. To lower the risk from phishing, three tactics were suggested:

  • Use spam filtering technology to block emails at the gateway
  • Use multi-factor authentication to reduce the value of credentials to cybercriminals
  • Enhance security awareness by means of employee training and conduct frequent phishing simulations

The report, entitled Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions, was published in JAMA Network Open on March 8, 2019.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.