Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

Gordon, William J.; Wright, Adam; Aiyagari, Ranjit; Corbo, Leslie; Glynn, Robert J.; Kadakia, Jigar; Kufahl, Jack; Mazzone, Christina; Noga, James; Parkulo, Mark A.; Sanford, Brad; Scheib, Paul; Landman, Adam B.

doi:10.1001/jamanetworkopen.2019.0393

Cited by 47 publications

(59 citation statements)

References 9 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Importantly, a mandatory training programme did not have any significant effect, with those previously scammed remaining more likely to click on a phishing email, suggesting that targeted staff training may be required 22. The second paper was a retrospective, multicentre study of six US healthcare institutions that ran phishing simulations from 2011 to 2018 and reported that of around 3 million phishing emails, around 400 000 (14%) were clicked, but in this study, repeated phishing campaigns were associated with reduced odds of clicking on subsequent phishing emails 23…”

Section: Discussionmentioning

confidence: 69%

Phishing in healthcare organisations: threats, mitigation and approaches

Priestman

Anstis

Sebire

et al. 2019

BMJ Health Care Inform

View full text Add to dashboard Cite

IntroductionHealthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed literature regarding phishing and healthcare.MethodsAn assessment was performed as part of cybersecurity activity during a designated test period using multiple credential harvesting approaches through staff email. We also searched the medical-related literature to identify relevant phishing-related publications.ResultsDuring the 1-month testing period, the organisation received 858 200 emails: 139 400 (16%) marketing, 18 871 (2%) identified as potential threats. Of 143 million internet transactions, around 5 million (3%) were suspected threats. 468 employee email addresses were identified from public data and targeted through phishing using a range of payloads including attachments and malicious links; however, no credentials were recovered or malicious files downloaded. Several hospital employees were, however, identified on social media profiles, including some tricked into accepting false friend requests.DiscussionHealthcare organisations are increasingly moving to digital systems, but healthcare professionals have limited awareness of threats. Increasing emphasis on ‘cyberhygiene’ and information governance through mandatory training increases understanding of these risks. While no credentials were harvested in this study, since up to 5% of emails/internet traffic are suspicious, the need for robust firewalls, cybersecurity infrastructure, IT policies and, most importantly of all, staff training, is emphasised.ConclusionHospitals receive a significant volume of potentially malicious emails. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required across the spectrum of cybersecurity, with specific emphasis around ‘leakage’ of information on social media.

show abstract

Section: Discussionmentioning

confidence: 69%

Phishing in healthcare organisations: threats, mitigation and approaches

Priestman

Anstis

Sebire

et al. 2019

BMJ Health Care Inform

View full text Add to dashboard Cite

show abstract

“…Due to COVID-19 restrictions, the selection meeting of the IMIA Yearbook Editorial Committee was held as a videoconference on Apr 17, 2020. In this meeting, three papers [6][7][8] were finally selected as best papers for the CIS section (Table 2). A content summary of these three CIS best papers can be found in the appendix of this synopsis.…”

Section: About the Paper Selectionmentioning

confidence: 99%

“…The last of the best papers comes from William J. Gordon and colleagues [7], who investigated health care employees' susceptibility to phishing attacks. This study can be assigned to both clusters, and should all of us remember that cybersecurity is increasingly critical and should be tackled accordingly.…”

Section: Findings and Trends In 2019mentioning

confidence: 99%

Trends in Clinical Information Systems Research in 2019

Hackl

Hoerbst

2020

Yearb Med Inform

View full text Add to dashboard Cite

Objective: To give an overview of recent research and to propose a selection of best papers published in 2019 in the field of Clinical Information Systems (CIS). Method: Each year, we apply a systematic process to retrieve articles for the CIS section of the IMIA Yearbook of Medical Informatics. For six years now, we use the same query to find relevant publications in the CIS field. Each year we retrieve more than 2,000 papers. As CIS section editors, we categorize the retrieved articles in a multi-pass review to distill a pre-selection of 15 candidate best papers. Then, Yearbook editors and external reviewers assess the selected candidate best papers. Based on the review results, the IMIA Yearbook Editorial Committee chooses the best papers during the selection meeting. We used text mining, and term co-occurrence mapping techniques to get an overview of the content of the retrieved articles. Results: We carried out the query in mid-January 2020 and retrieved a de-duplicated result set of 2,407 articles from 1,023 different journals. This year, we nominated 14 papers as candidate best papers, and three of them were finally selected as best papers in the CIS section. As in previous years, the content analysis of the articles revealed the broad spectrum of topics covered by CIS research. Conclusions: We could observe ongoing trends, as seen in the last years. Patient benefit research is in the focus of many research activities, and trans-institutional aggregation of data remains a relevant field of work. Powerful machine-learning-based approaches, that use readily available data now often outperform human-based procedures. However, the ethical perspective of this development often comes too short in the considerations. We thus assume that ethical aspects will and should deliver much food for thought for future CIS research.

show abstract

“…Health care organizations are especially vulnerable to information security threats, as data breaches can have direct and severe consequences on patients' lives [2][3][4]. Attacks against hospitals have been increasing in both number and level of sophistication [5].…”

Section: Introductionmentioning

confidence: 99%

“…Phishing poses a major cybersecurity risk for 2 reasons: (1) employees usually have detailed knowledge about IS within the organization and access the data frequently during their work and (2) even 1 innocent click could expose the organization to a network of hackers nearly impossible to trace [9][10][11][12]. A recent study analyzed phishing campaigns in health care organizations and found that, on average, as much as 14.2% of these phishing emails were clicked on by employees [5]. Organizations have taken steps to address this problem by providing training programs to educate and increase cybersecurity awareness, but these efforts remain insufficient.…”

Section: Introductionmentioning

confidence: 99%

Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

et al. 2019

View full text Add to dashboard Cite

Background: Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients. Objective: This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data. Methods: We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns. Results: Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link. Conclusions: This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

show abstract

Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

Cited by 47 publications

References 9 publications

Phishing in healthcare organisations: threats, mitigation and approaches

Phishing in healthcare organisations: threats, mitigation and approaches

Trends in Clinical Information Systems Research in 2019

Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

Contact Info

Product

Resources

About