A recent study found that healthcare organizations are highly susceptible to phishing, with employees clicking on one in seven simulated phishing emails sent to them. The research report, Assessment of Employee Susceptibility to Phishing Attacks at U.S. Healthcare Facilities, concludes that current click rates in phishing simulations at U.S. healthcare organizations represent a major cybersecurity risk.

Under simulation, a substantial share of employees clicked on phishing emails, a result consistent with findings across other industries, where click rates range from 13 percent to 49 percent. The study also found that the odds of clicking on a phishing email decreased with greater institutional experience with phishing simulations, which the authors attributed to the education and awareness benefit of running repeated simulation campaigns.

According to the study, "Healthcare systems have been increasingly targeted by cyberattacks, either as part of larger international events (eg, WannaCry or NotPetya) or as direct targets themselves. Healthcare delivery organizations are critical infrastructure and are attractive targets for cybercriminals for several reasons, including the value of personal health data (ranging from $10 to $1000 per record in online marketplaces, depending on completeness), the criticality of services provided by hospitals and an overall lack of information security processes." 

The study attributes the variation in click rates to factors including:

  • prior employee exposure to phishing simulations (eg, from previous employment)
  • complexities of individual phishing emails
  • email timing
  • institutional factors (eg, messaging)
  • individual and employee-level factors

The study says, "Phishing is an easily deployable attack strategy, largely because email is an easy access point to hospital employees, many of whom have credentials for several internal information systems (eg, electronic health records). In our experience, email addresses are easy to ascertain, either from published resources (journal articles, public websites and social media) or through guessing. In addition, emails are frequently opened, regardless of sender."