Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions.


ABSTRACT:

Importance

Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees.

Objective

To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations.

Design, setting, and participants

Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns.

Exposures

Simulated phishing emails received by employees at US health care institutions.

Main outcomes and measures

Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related).

Results

The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2,971,945 emails, 422,062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns).

Conclusions and relevance

Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.

SUBMITTER: Gordon WJ 

PROVIDER: S-EPMC6484661 | biostudies-literature | 2019 Mar

REPOSITORIES: biostudies-literature
