Phishing in healthcare organisations: threats, mitigation and approaches

INTRODUCTION: Healthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed liter...

Descripción completa

Detalles Bibliográficos
Autores principales: Priestman, Ward, Anstis, Tony, Sebire, Isabel G, Sridharan, Shankar, Sebire, Neil J
Formato: Online Artículo Texto
Lenguaje:English
Publicado: BMJ Publishing Group 2019
Materias:
Original Research
Acceso en línea:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7062337/
https://www.ncbi.nlm.nih.gov/pubmed/31488498
http://dx.doi.org/10.1136/bmjhci-2019-100031
_version_ 1783504513898905600
author Priestman, Ward
Anstis, Tony
Sebire, Isabel G
Sridharan, Shankar
Sebire, Neil J
author_facet Priestman, Ward
Anstis, Tony
Sebire, Isabel G
Sridharan, Shankar
Sebire, Neil J
author_sort Priestman, Ward
collection PubMed
description INTRODUCTION: Healthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed literature regarding phishing and healthcare. METHODS: An assessment was performed as part of cybersecurity activity during a designated test period using multiple credential harvesting approaches through staff email. We also searched the medical-related literature to identify relevant phishing-related publications. RESULTS: During the 1-month testing period, the organisation received 858 200 emails: 139 400 (16%) marketing, 18 871 (2%) identified as potential threats. Of 143 million internet transactions, around 5 million (3%) were suspected threats. 468 employee email addresses were identified from public data and targeted through phishing using a range of payloads including attachments and malicious links; however, no credentials were recovered or malicious files downloaded. Several hospital employees were, however, identified on social media profiles, including some tricked into accepting false friend requests. DISCUSSION: Healthcare organisations are increasingly moving to digital systems, but healthcare professionals have limited awareness of threats. Increasing emphasis on ‘cyberhygiene’ and information governance through mandatory training increases understanding of these risks. While no credentials were harvested in this study, since up to 5% of emails/internet traffic are suspicious, the need for robust firewalls, cybersecurity infrastructure, IT policies and, most importantly of all, staff training, is emphasised. CONCLUSION: Hospitals receive a significant volume of potentially malicious emails. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required across the spectrum of cybersecurity, with specific emphasis around ‘leakage’ of information on social media.
format Online
Article
Text
id pubmed-7062337
institution National Center for Biotechnology Information
language English
publishDate 2019
publisher BMJ Publishing Group
record_format MEDLINE/PubMed
spelling pubmed-70623372020-09-30 Phishing in healthcare organisations: threats, mitigation and approaches Priestman, Ward Anstis, Tony Sebire, Isabel G Sridharan, Shankar Sebire, Neil J BMJ Health Care Inform Original Research INTRODUCTION: Healthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed literature regarding phishing and healthcare. METHODS: An assessment was performed as part of cybersecurity activity during a designated test period using multiple credential harvesting approaches through staff email. We also searched the medical-related literature to identify relevant phishing-related publications. RESULTS: During the 1-month testing period, the organisation received 858 200 emails: 139 400 (16%) marketing, 18 871 (2%) identified as potential threats. Of 143 million internet transactions, around 5 million (3%) were suspected threats. 468 employee email addresses were identified from public data and targeted through phishing using a range of payloads including attachments and malicious links; however, no credentials were recovered or malicious files downloaded. Several hospital employees were, however, identified on social media profiles, including some tricked into accepting false friend requests. DISCUSSION: Healthcare organisations are increasingly moving to digital systems, but healthcare professionals have limited awareness of threats. Increasing emphasis on ‘cyberhygiene’ and information governance through mandatory training increases understanding of these risks. While no credentials were harvested in this study, since up to 5% of emails/internet traffic are suspicious, the need for robust firewalls, cybersecurity infrastructure, IT policies and, most importantly of all, staff training, is emphasised. CONCLUSION: Hospitals receive a significant volume of potentially malicious emails. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required across the spectrum of cybersecurity, with specific emphasis around ‘leakage’ of information on social media. BMJ Publishing Group 2019-09-04 /pmc/articles/PMC7062337/ /pubmed/31488498 http://dx.doi.org/10.1136/bmjhci-2019-100031 Text en © Author(s) (or their employer(s)) 2019. Re-use permitted under CC BY-NC. No commercial re-use. See rights and permissions. Published by BMJ. This is an open access article distributed in accordance with the Creative Commons Attribution Non Commercial (CC BY-NC 4.0) license, which permits others to distribute, remix, adapt, build upon this work non-commercially, and license their derivative works on different terms, provided the original work is properly cited, appropriate credit is given, any changes made indicated, and the use is non-commercial. See: http://creativecommons.org/licenses/by-nc/4.0/.
spellingShingle Original Research
Priestman, Ward
Anstis, Tony
Sebire, Isabel G
Sridharan, Shankar
Sebire, Neil J
Phishing in healthcare organisations: threats, mitigation and approaches
title Phishing in healthcare organisations: threats, mitigation and approaches
title_full Phishing in healthcare organisations: threats, mitigation and approaches
title_fullStr Phishing in healthcare organisations: threats, mitigation and approaches
title_full_unstemmed Phishing in healthcare organisations: threats, mitigation and approaches
title_short Phishing in healthcare organisations: threats, mitigation and approaches
title_sort phishing in healthcare organisations: threats, mitigation and approaches
topic Original Research
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7062337/
https://www.ncbi.nlm.nih.gov/pubmed/31488498
http://dx.doi.org/10.1136/bmjhci-2019-100031
work_keys_str_mv AT priestmanward phishinginhealthcareorganisationsthreatsmitigationandapproaches
AT anstistony phishinginhealthcareorganisationsthreatsmitigationandapproaches
AT sebireisabelg phishinginhealthcareorganisationsthreatsmitigationandapproaches
AT sridharanshankar phishinginhealthcareorganisationsthreatsmitigationandapproaches
AT sebireneilj phishinginhealthcareorganisationsthreatsmitigationandapproaches

Ejemplares similares