Hospital employees frequently fell for simulated phishing emails, study finds

Almost one in seven simulated emails received a click, a rate similar to other industries but concerning because of health care's particular vulnerabilities to cyberattacks, the study authors said.


Hospital employees frequently clicked on emails that simulated phishing attacks, a recent study found.

The retrospective study included six U.S. health care institutions that ran phishing simulations in the period from August 1, 2011, through April 10, 2018. The analysis included 95 simulated phishing campaigns with a total of 2,971,945 emails. Results were published by JAMA Network Open on March 8.

Almost one in seven of the simulated emails (422,062 [14.2%]) were clicked on by employees. The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8% to 9.6%) to 30.7% (IQR, 25.2% to 34.4%). Across all campaigns and institutions, the overall median click rate was 16.7% (IQR, 8.3% to 24.2%). A regression model showed that repeated phishing campaigns were associated with decreased odds of employees clicking on a subsequent email (adjusted odds ratios, 0.511 for six to 10 campaigns [95% CI, 0.382 to 0.685] and 0.335 for more than 10 campaigns [95% CI, 0.282 to 0.398]).
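As an added example (not code from the study or from the article), the following Python computes the kinds of figures the study reports, per-campaign click rates and their median and IQR, from constructed campaign counts, and converts an adjusted odds ratio into the click rate it implies. The conversion matters because an odds ratio of 0.335 is easy to misread as a 66.5% drop in clicks; it is a drop in the odds of a click, and the implied drop in the rate depends on the baseline. The campaign counts below are constructed for illustration, and the 16.7% baseline is the overall median quoted above, used only to show the arithmetic; the article does not state the reference category of the regression.

```python
"""Phishing-simulation metrics: per-campaign click rates, median and IQR
across campaigns, and the click rate implied by an adjusted odds ratio.

Added example, not code from the study or the article. The campaign counts
are constructed and are not the study's data.
"""
from statistics import median, quantiles

# Constructed sample: (campaign id, emails sent, emails clicked) for one
# institution running repeated simulations. Not data from the study.
SAMPLE_CAMPAIGNS = [
    ("c01", 12000, 3100),
    ("c02", 12500, 2600),
    ("c03", 11800, 2100),
    ("c04", 12200, 1900),
    ("c05", 12400, 1500),
    ("c06", 12100, 1200),
    ("c07", 12300, 1000),
    ("c08", 12000, 900),
]


def click_rate(sent: int, clicked: int) -> float:
    """Fraction of simulated emails that received a click."""
    if sent <= 0:
        raise ValueError("sent must be positive")
    if not 0 <= clicked <= sent:
        raise ValueError("clicked must lie between 0 and sent")
    return clicked / sent


def campaign_rates(campaigns):
    """Click rate of each campaign, in the order given."""
    return [click_rate(sent, clicked) for _, sent, clicked in campaigns]


def pooled_rate(campaigns):
    """All clicks over all emails, the 14.2% style figure; weights big
    campaigns more than the per-campaign median does."""
    sent = sum(s for _, s, _ in campaigns)
    clicked = sum(c for _, _, c in campaigns)
    return click_rate(sent, clicked)


def median_iqr(rates):
    """Median and (Q1, Q3) of per-campaign click rates, the per-institution
    summary the study reports. Uses the inclusive quartile method."""
    q1, _, q3 = quantiles(rates, n=4, method="inclusive")
    return median(rates), q1, q3


def odds(p: float) -> float:
    return p / (1 - p)


def prob_from_odds(o: float) -> float:
    return o / (1 + o)


def apply_odds_ratio(baseline_rate: float, odds_ratio: float) -> float:
    """Click rate implied by an odds ratio applied to a baseline rate.
    The odds ratio scales the odds, not the rate itself."""
    if not 0 < baseline_rate < 1:
        raise ValueError("baseline_rate must be strictly between 0 and 1")
    return prob_from_odds(odds(baseline_rate) * odds_ratio)


def relative_reduction(baseline_rate: float, odds_ratio: float) -> float:
    """Fractional drop in the click rate implied by the odds ratio."""
    return 1 - apply_odds_ratio(baseline_rate, odds_ratio) / baseline_rate


if __name__ == "__main__":
    rates = campaign_rates(SAMPLE_CAMPAIGNS)
    med, q1, q3 = median_iqr(rates)
    print(f"pooled click rate: {pooled_rate(SAMPLE_CAMPAIGNS):.1%}")
    print(f"median {med:.1%} (IQR {q1:.1%} to {q3:.1%})")
    for label, orr in (("6-10 campaigns", 0.511), (">10 campaigns", 0.335)):
        implied = apply_odds_ratio(0.167, orr)
        drop = relative_reduction(0.167, orr)
        print(f"OR {orr} ({label}) at 16.7% baseline -> {implied:.1%}, "
              f"a {drop:.0%} relative drop")
```

With a 16.7% baseline, an odds ratio of 0.335 implies a click rate of about 6.3%, a relative drop of roughly 62% rather than 66.5%; at lower baselines the two numbers converge, at higher baselines they diverge further, which is why comparing odds ratios across institutions with very different click rates needs care.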

The observed rate of employees clicking on the emails is consistent with data in other industries, the study authors said. However, they noted that health care systems are uniquely vulnerable to phishing attacks, due to factors such as high turnover (including many brand-new employees), many devices on their networks, highly interdependent information systems, and difficulty locking down systems. They noted that the studied hospitals had information security programs robust enough to be running phishing simulations, so the results may actually reflect a conservative estimate of phishing click rates in U.S. hospitals.

The decrease in clicks with repeated campaigns suggests that simulated campaigns may reduce this risk, the authors said. Other potential strategies include email filters, multifactor authentication, special access controls for specific systems, and other awareness and training efforts, such as antiphishing laptop decals and posters. “It is necessary for all members of the health care community to understand this risk, particularly as safe and effective health care delivery becomes increasingly dependent on information systems,” the authors wrote.