Phishing is popular because it works. Researchers, as part of a recent investigation published in JAMA Network Open, spent the past seven years studying the tactic, sending over 2.9 million simulated phishing attacks to employees across six different U.S. hospitals.
The results were stark: Roughly 1 in 7 of the simulated emails sent were clicked on by healthcare employees.
Leslie Corbo, assistant professor of cybersecurity for the School of Business and Justice Studies at Utica College and a co-author of the investigation, explains that there are several reasons that healthcare organizations are particularly vulnerable to this type of attack.
“Think about the way the phishing email itself is composed: A lot of times, attackers use a sense of urgency,” she says, “or the person thinks they are following an order.”
In other words, the high-stakes, high-speed, hierarchical world of medicine can push employees to react to phishing emails without pausing to fully evaluate the content and hyperlinks they contain — which should greatly disturb every leader across the healthcare industry.
Moreover, a recent Email Security Risk Assessment from Mimecast states that email impersonation attacks now account for 1 in every 350 emails in the healthcare sector, with 1 in 3,741 carrying malware. As these attacks continue to grow and evolve, organizations must find a way to combat them to protect valuable assets, such as patient data, from being compromised.