In the healthcare industry, phishing is the initial point of compromise in most significant security incidents, according to a recent report from the Healthcare Information and Management Systems Society (HIMSS). And yet, 18% of healthcare organizations fail to conduct phishing tests, a finding HIMSS describes as “incredible.”
The 2019 HIMSS Cybersecurity Survey contains a wealth of phishing statistics, including click rates on simulated attacks across different industry segments. The report analyzes responses from 166 infosec professionals at hospitals, vendors, non-acute facilities and other organizations.
Healthcare’s No. 1 Threat Vector
In the survey, 74% of respondents said they experienced a significant security incident in 2018—numbers comparable to the previous year’s survey. The most common threat actors were “online scam artists” (28.6%) who used tactics like phishing, spear phishing and business email compromise (BEC).
Phishing appeared in 59% of significant security incidents across all organizations, and 69% of incidents at hospitals. Of these, BEC attacks are of particular concern, according to the report: Criminals “are known to masquerade themselves as a senior leader within the email recipient’s organization (e.g., CEO or CFO) and request sensitive information (e.g., credentials) or even the transfer of funds to an account accessible to the scammer.”
Cyber Criminals Aren’t the Only Major Threat
After online scam artists, the second most common threat came from negligent insiders (20%), with “human error” the initial point of compromise in 25% of incidents. These insider threats can arise in many ways, such as accidentally posting patient information on a public website or inadvertently leaking confidential data. The healthcare industry faces high risk from insider threats, both malicious and unintentional. According to the 2018 Verizon Data Breach Investigations Report, “it is the only industry vertical that has more internal actors behind breaches than external.”
Many end users aren’t prepared to protect against phishing and other cyber attacks, as illustrated in our new infographic, Healthcare’s Cybersecurity Knowledge Gap. For example, data gleaned from our security awareness assessments suggests that many healthcare workers don’t understand how to protect and properly dispose of personally identifiable information (PII). Workers also show below-average knowledge of best practices for protecting mobile devices and information. These knowledge gaps can jeopardize confidential data—and even patient safety.
How Healthcare's Click Rates Compare
It’s not all doom and gloom, however. When healthcare organizations do conduct simulated phishing, the results are encouraging. In the HIMSS survey, 82% of respondents said they conduct phishing tests, of which 58% were able to report their click rate. (The report does not explain why so many did not specify their organizations’ click rates.)
Across all respondents, 40% said their organizations have click rates of 10% or lower. Our healthcare customers are part of that population, as we found in our 2019 State of the Phish Report. In our research, the average failure rate for healthcare end users was 8%, and employees in this industry actually outperformed users in many other industries in their ability to recognize and avoid phishing lures.
The Need for Ongoing Security Awareness Training
The HIMSS report describes the number of organizations with click rates of less than 10% as “a significant, positive achievement.” But it also cautions against complacency and points out the need for security awareness training in reducing phishing susceptibility.
“[S]ince phishing is still a significant, initial point of compromise, additional work needs to be done to further lower the click rate,” the report states. “This can be done through more frequent security awareness training, phishing simulation, and better monitoring of metrics pertaining to phishing (including whether there are any particular repeat offenders).”
Robust reporting and metrics are essential for any security awareness training program, and we’ve long championed their use. As the HIMSS report notes, every healthcare organization needs to know their baseline risk from phishing, and “should also be tracking the phishing click rate to gauge whether or not there is an improvement in this regard.”
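The metrics the report calls for (a click-rate baseline, its trend over successive simulations, and a list of repeat clickers) can be computed from the event log a phishing-simulation tool produces. The following is an added example, not code from HIMSS, the report, or the original post; the event layout and the sample log are constructed assumptions rather than any vendor's export format, and the 10% benchmark is the threshold the report discusses.

```python
"""Phishing-simulation metrics: per-campaign click rate, trend, repeat clickers.

Added example, not part of the HIMSS report or the original post. The event
record layout and SAMPLE_EVENTS below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimEvent:
    campaign: str   # identifier of the simulated phishing campaign
    sent: date      # date the lure was sent
    user: str       # recipient (use a pseudonymous id in a real deployment)
    clicked: bool   # True if the recipient clicked the lure link


# Constructed sample log: five users across three quarterly campaigns.
SAMPLE_EVENTS = [
    SimEvent("2019-Q1", date(2019, 1, 15), "u001", True),
    SimEvent("2019-Q1", date(2019, 1, 15), "u002", True),
    SimEvent("2019-Q1", date(2019, 1, 15), "u003", False),
    SimEvent("2019-Q1", date(2019, 1, 15), "u004", False),
    SimEvent("2019-Q1", date(2019, 1, 15), "u005", True),
    SimEvent("2019-Q2", date(2019, 4, 15), "u001", True),
    SimEvent("2019-Q2", date(2019, 4, 15), "u002", False),
    SimEvent("2019-Q2", date(2019, 4, 15), "u003", False),
    SimEvent("2019-Q2", date(2019, 4, 15), "u004", False),
    SimEvent("2019-Q2", date(2019, 4, 15), "u005", True),
    SimEvent("2019-Q3", date(2019, 7, 15), "u001", True),
    SimEvent("2019-Q3", date(2019, 7, 15), "u002", False),
    SimEvent("2019-Q3", date(2019, 7, 15), "u003", False),
    SimEvent("2019-Q3", date(2019, 7, 15), "u004", False),
    SimEvent("2019-Q3", date(2019, 7, 15), "u005", False),
]


def click_rates(events):
    """Return {campaign: click rate in percent}, i.e. clicks / lures sent."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        sent[e.campaign] += 1
        clicked[e.campaign] += int(e.clicked)
    return {c: round(100.0 * clicked[c] / sent[c], 1) for c in sent}


def campaign_order(events):
    """Campaign ids sorted by first send date, so rates compare over time."""
    first_sent = {}
    for e in events:
        first_sent[e.campaign] = min(first_sent.get(e.campaign, e.sent), e.sent)
    return sorted(first_sent, key=first_sent.get)


def is_improving(events):
    """True if the click rate fell between the first and the latest campaign."""
    order = campaign_order(events)
    rates = click_rates(events)
    return len(order) >= 2 and rates[order[-1]] < rates[order[0]]


def campaigns_under_threshold(events, threshold=10.0):
    """Campaigns whose click rate is at or below the benchmark (default 10%)."""
    rates = click_rates(events)
    return [c for c in campaign_order(events) if rates[c] <= threshold]


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns.

    These are the 'repeat offenders' the report suggests tracking; the output
    is meant to target extra training, so keep it access-controlled.
    """
    clicks = defaultdict(set)
    for e in events:
        if e.clicked:
            clicks[e.user].add(e.campaign)
    return {u: len(c) for u, c in clicks.items() if len(c) >= min_clicks}


if __name__ == "__main__":
    rates = click_rates(SAMPLE_EVENTS)
    for c in campaign_order(SAMPLE_EVENTS):
        print(f"{c}: {rates[c]}% clicked")
    print("improving:", is_improving(SAMPLE_EVENTS))
    print("under 10%:", campaigns_under_threshold(SAMPLE_EVENTS))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Rates are computed per campaign rather than pooled, because pooling hides whether the most recent simulation is better than the baseline; the repeat-clicker list counts distinct campaigns rather than raw clicks so that one user opening the same lure twice is not double-counted.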