Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

Bibliographic Details
Main Authors: Gordon, William J., Wright, Adam, Aiyagari, Ranjit, Corbo, Leslie, Glynn, Robert J., Kadakia, Jigar, Kufahl, Jack, Mazzone, Christina, Noga, James, Parkulo, Mark, Sanford, Brad, Scheib, Paul, Landman, Adam B.
Format: Online Article Text
Language: English
Published: American Medical Association 2019
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6484661/
https://www.ncbi.nlm.nih.gov/pubmed/30848810
http://dx.doi.org/10.1001/jamanetworkopen.2019.0393
Description
Summary: IMPORTANCE: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees. OBJECTIVE: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations. DESIGN, SETTING, AND PARTICIPANTS: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns. EXPOSURES: Simulated phishing emails received by employees at US health care institutions. MAIN OUTCOMES AND MEASURES: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related). RESULTS: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns). CONCLUSIONS AND RELEVANCE: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.