Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

William J Gordon; Adam Wright; Ranjit Aiyagari; Leslie Corbo; Robert J Glynn; Jigar Kadakia; Jack Kufahl; Christina Mazzone; James Noga; Mark Parkulo; Brad Sanford; Paul Scheib; Adam B Landman

doi:10.1001/jamanetworkopen.2019.0393

Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

JAMA Netw Open. 2019 Mar 1;2(3):e190393. doi: 10.1001/jamanetworkopen.2019.0393.

Authors

William J Gordon^{1

2

3

4}, Adam Wright^{2

3

4}, Ranjit Aiyagari⁵, Leslie Corbo⁶, Robert J Glynn⁷, Jigar Kadakia³, Jack Kufahl⁸, Christina Mazzone³, James Noga³, Mark Parkulo⁹, Brad Sanford¹⁰, Paul Scheib¹¹, Adam B Landman^{3

4

12}

Affiliations

¹ Department of Medicine, Massachusetts General Hospital, Boston.
² Division of General Internal Medicine and Primary Care, Brigham and Women's Hospital, Boston, Massachusetts.
³ Partners HealthCare, Boston, Massachusetts.
⁴ Harvard Medical School, Boston, Massachusetts.
⁵ Division of Pediatric Cardiology, Department of Pediatrics & Communicable Diseases, University of Michigan Medical School, Ann Arbor.
⁶ Department of Cybersecurity, Utica College, Utica, New York.
⁷ Division of Preventive Medicine, Brigham and Women's Hospital, Boston, Massachusetts.
⁸ Division of Information Assurance, University of Michigan Medical School, Ann Arbor.
⁹ Center for Translational Informatics and Knowledge Management, Mayo Clinic, Jacksonville, Florida.
¹⁰ Libraries and Information Technology Services: Enterprise Security, Emory University, Atlanta, Georgia.
¹¹ Information Services Division, Boston Children's Hospital, Boston, Massachusetts.
¹² Department of Emergency Medicine, Brigham and Women's Hospital, Boston, Massachusetts.

Abstract

Importance: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees.

Objective: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations.

Design, setting, and participants: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns.

Exposures: Simulated phishing emails received by employees at US health care institutions.

Main outcomes and measures: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related).

Results: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns).

Conclusions and relevance: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.

Publication types

Multicenter Study
Research Support, N.I.H., Extramural
Research Support, Non-U.S. Gov't

MeSH terms

Computer Security* / standards
Computer Security* / statistics & numerical data
Data Collection
Electronic Mail*
Hospital Information Systems / standards*
Hospitals / statistics & numerical data
Humans
Personnel, Hospital / statistics & numerical data*
Quality Improvement
Retrospective Studies
Risk Management* / methods
Risk Management* / statistics & numerical data
United States

Grants and funding

UL1 TR002541/TR/NCATS NIH HHS/United States