Hospitals are among the businesses most vulnerable to cyberattacks, and new research helps illustrate just how vulnerable they are.
In a retrospective review of outcomes from phishing simulations at six hospitals located throughout the U.S., involving some 2.9 million phishing emails sent as part of the simulation exercises, staff clicked on 14.2%, reported William J. Gordon, MD, of Brigham and Women’s Hospital in Boston, and colleagues in JAMA Network Open.
But click rates — reflecting individuals opening emails and clicking links within — declined as phishing-awareness campaigns and simulations increased, suggesting that phishing simulations are effective ways of raising awareness and decreasing cyber threats at U.S. hospitals, they wrote.
“Many hospitals have started to implement phishing training programs, and these programs usually include some level of phishing simulation,” Gordon told MedPage Today. “The increase in these programs gave us the opportunity to look at click rates from multiple institutions and examine if they change over time as employees become more educated about phishing.”
Phishing refers to emails crafted to deceive recipients into clicking links that either install malicious software or lead to a page that induces the user to reveal sensitive information such as passwords.
“Phishing emails can be realistic, and the sender’s identity is frequently spoofed, or deliberately faked, so as to appear to be sent by a trusted individual or organization,” Gordon and colleagues wrote, adding that once attackers have access to a system they can steal personal information and sell it, disrupt system availability, encrypt a database and demand a ransom to unlock it (ransomware), or do other damage.
In March 2016, a chain of 10 hospitals in the Washington, D.C. area, MedStar Health, was targeted as part of a larger series of cyberattacks that ran for more than 34 months. MedStar's network remained offline for almost 2 weeks, resulting in service disruptions and delays in patient treatment.
Last November, two Iranian computer hackers were charged in connection with those attacks, which targeted municipalities such as the city of Atlanta as well as healthcare systems. Six healthcare networks were hit in the so-called SamSam ransomware attacks, according to the Department of Justice.
To estimate how often hospital employees are duped by phishing-type emails, Gordon and colleagues performed a retrospective study of outcomes at six institutions that conducted their own internal testing from 2011 to 2018, using simulated phishing emails.
These were sent to hospital personnel and included office-related lures with subject lines such as "You have received a new fax …" and "Mandatory online workplace safety training …"; personal lures such as "Someone sent you a Halloween e-card …" and "Your new credit card has been shipped …"; and IT-related lures such as "Your mailbox has exceeded the storage limit, which is 20 GB as set by your administrator."
In all, 95 simulated phishing campaigns were conducted at six hospitals during the period studied, with a total of 2,971,945 emails sent and 422,062 emails (14.2%) clicked on.
Median institutional click rates for campaigns ranged from 7.4% (IQR 5.8%-9.6%) to 30.7% (IQR 25.2%-34.4%), with an overall median click rate of 16.7% (IQR 8.3%-24.2%) across all campaigns and institutions.
Gordon and colleagues also ran a regression analysis to determine whether repeated phishing campaigns changed users' behavior. They appeared to: the odds that a user would click decreased as the number of campaigns run at an institution increased.
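The article does not give the study's exact model, so the following is an added example (not the study's code or data) of how a security team would compute the same summary from its own simulation records: per-campaign click rates, each institution's median with interquartile range, and a grouped-binomial logistic regression of click odds on campaign number, with institution indicators as a baseline adjustment. The campaign counts, the institution names "A" and "B", and the choice of Tukey hinges for quartiles are all constructed assumptions.

```python
"""Summarise phishing-simulation campaigns: overall click rate, per-institution
median click rate with IQR, and a logistic fit of click odds on campaign number.
All data below are constructed for illustration, not the study's own figures."""
import math
from statistics import median

# Constructed records: (institution, campaign number, emails sent, emails clicked)
CAMPAIGNS = [
    ("A", 1, 1000, 300), ("A", 2, 1000, 240), ("A", 3, 1000, 190), ("A", 4, 1000, 150),
    ("B", 1, 2000, 200), ("B", 2, 2000, 180), ("B", 3, 2000, 160),
    ("B", 4, 2000, 140), ("B", 5, 2000, 120),
]


def click_rate(sent: int, clicked: int) -> float:
    """Click rate as a percentage of emails sent."""
    return 100.0 * clicked / sent


def overall_click_rate(campaigns=CAMPAIGNS) -> float:
    """Pooled click rate across every campaign and institution."""
    sent = sum(c[2] for c in campaigns)
    clicked = sum(c[3] for c in campaigns)
    return click_rate(sent, clicked)


def median_iqr(values):
    """Median and (Q1, Q3) using Tukey hinges: the quartiles are the medians of the
    lower and upper halves, excluding the overall median when the count is odd."""
    s = sorted(values)
    n = len(s)
    if n < 2:
        raise ValueError("need at least two campaigns for an IQR")
    return median(s), (median(s[: n // 2]), median(s[(n + 1) // 2:]))


def per_institution_summary(campaigns=CAMPAIGNS):
    """Map institution -> (median click rate, (Q1, Q3)) over its own campaigns."""
    by_inst = {}
    for inst, _num, sent, clicked in campaigns:
        by_inst.setdefault(inst, []).append(click_rate(sent, clicked))
    return {inst: median_iqr(rates) for inst, rates in by_inst.items()}


def _solve(a, b):
    """Solve a @ x = b for a small dense system (Gauss-Jordan, partial pivoting)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_click_odds(campaigns=CAMPAIGNS, max_iter=50, tol=1e-10):
    """Grouped-binomial logistic regression fitted by Newton's method:
        logit P(click) = b0 + b1 * campaign_number + institution indicators
    (one indicator per institution beyond the first, so each institution keeps
    its own baseline).  Returns the coefficients and exp(b1), the odds ratio
    for clicking per additional campaign run at an institution."""
    insts = sorted({c[0] for c in campaigns})

    def row(inst, num):
        return [1.0, float(num)] + [1.0 if inst == i else 0.0 for i in insts[1:]]

    X = [row(c[0], c[1]) for c in campaigns]
    N = [c[2] for c in campaigns]
    Y = [c[3] for c in campaigns]
    k = len(X[0])
    beta = [0.0] * k
    for _ in range(max_iter):
        grad = [0.0] * k
        hess = [[0.0] * k for _ in range(k)]  # negated Hessian of the log-likelihood
        for x, n, y in zip(X, N, Y):
            p = 1.0 / (1.0 + math.exp(-sum(b * xi for b, xi in zip(beta, x))))
            w = n * p * (1.0 - p)
            for i in range(k):
                grad[i] += (y - n * p) * x[i]
                for j in range(k):
                    hess[i][j] += w * x[i] * x[j]
        step = _solve(hess, grad)
        beta = [b + s for b, s in zip(beta, step)]
        if max(abs(s) for s in step) < tol:
            break
    return {"beta": beta, "odds_ratio_per_campaign": math.exp(beta[1])}


if __name__ == "__main__":
    print(f"overall click rate: {overall_click_rate():.1f}%")
    for inst, (med, (q1, q3)) in per_institution_summary().items():
        print(f"institution {inst}: median {med:.1f}% (IQR {q1:.1f}%-{q3:.1f}%)")
    print("odds ratio per additional campaign:", round(fit_click_odds()["odds_ratio_per_campaign"], 3))
```

An odds ratio below 1 is the signal the study reports: each further campaign lowers the odds of a click. Fitting on aggregated counts rather than one row per recipient keeps the model cheap, and the institution indicators stop a high-baseline institution with few campaigns from masquerading as a trend.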
The researchers concluded that the large percentage of initial click rates “highlight the importance of phishing emails as an attack vector, as well as the challenge of securing information systems.”
Gordon said phishing simulation campaigns may be an important component of an overall approach to addressing cyber-risk in the healthcare institution setting: “It does appear that these programs can reduce click rates over time,” he said. “We feel they can be an important part of an overall strategy for reducing cyber-risk.”
Funding for the research was provided by the Harvard Catalyst/Harvard Clinical and Translational Science Center and Harvard University.
Gordon reported having no relevant financial disclosures; a co-author reported receiving grants from AstraZeneca, Kowa, Novartis, and Pfizer.