Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions.

Importance: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees. Objective: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations. Design, Setting, and Participants: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns. Exposures: Simulated phishing emails received by employees at US health care institutions. Main Outcomes and Measures: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related).
Results: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns). Conclusions and Relevance: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.

Introduction

The security of health care data and systems is rapidly emerging as a critical component of hospital infrastructure, and attacks on hospital information systems have had substantial consequences, with closed practices, canceled surgical procedures, diverted ambulances, disrupted operations, and damaged reputations.[1,2,3] Attacks against hospitals have been increasing, with substantial financial cost as well.[4,5] In a recent well-publicized example, a large hospital network was taken offline by a virus for almost 2 weeks, resulting in service disruption, patient confusion, and delays in radiation therapy, among other repercussions.[6] Health care delivery has become increasingly dependent on integrated, complex information systems that are susceptible to disruption. Securing our health information systems is critical to safe and effective care delivery and is now of public health concern.[7]

Phishing is the practice of deceiving individuals into disclosing sensitive personal information or clicking on links that introduce malicious software through deceptive electronic communication.[8] Usually done via email, phishing is a common attack strategy against health care system employees and can be a remarkably accessible, low-cost, and effective way of obtaining real credentials to health care information systems or inducing employees to click on malicious software.[9] Phishing emails can be realistic, and the sender’s identity is frequently spoofed, or deliberately faked, so as to appear to be sent by a trusted individual or organization. Once an attacker has access to a system, they can steal personally identifiable information and sell it for profit, disrupt system availability, encrypt a database and demand a ransom payment to unlock it (“ransomware”), manipulate and falsify clinical data, or perform other malicious activities.[7] A recent report indicated that 55% of physicians have experienced a phishing attack.[10]

Employee awareness and training represent an important component of protection against phishing attacks.[5] One method of generating awareness and providing training is to send simulated phishing emails to a group of employees and subsequently target educational material to those who inappropriately click or enter their credentials. For reference, 2 examples of phishing emails are listed in eTable 1 in the Supplement. The first email is a phishing simulation, and the second is an actual phishing email received at 1 of the participating institutions. As shown, the emails can be realistic and often appear to be sent by a trusted individual or member of the employee’s organization. Phishing simulation is common in many industries and is also being used in health care, typically as a training and improvement initiative. The simulated emails are designed to be as close as possible to real phishing emails; if the simulated email is clicked, it is used as a real-time opportunity to provide short phishing education to the employee. Several vendors exist that offer phishing simulation as a service (eg, composing and sending the simulation emails, collecting employee responses, providing phishing training, and reporting on click rates to hospital leadership). In this context, we examined the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations and identified potential determinants of vulnerability to email phishing simulation.

Methods

Participants

In this retrospective, multicenter quality improvement study, we partnered with a sample of 6 US health care institutions that run phishing simulations using vendor- or custom-developed software tools. These institutions represent a diverse set of organizations across the entire spectrum of care and a range of US geographies, including institutions from the 4 US Census Bureau census regions; all had implemented an information security program. The identities of the specific institutions are anonymized herein for security and privacy concerns. Some participants were health care systems that operated multiple hospitals; in this case, we defined an institution as including multiple hospitals. More information about the institutions is listed in eTable 2 and eTable 3 in the Supplement. The Partners Healthcare Institutional Review Board determined the study to be exempt from review. The requirement of written informed consent was waived for the study. This study adhered to the Standards for Quality Improvement Reporting Excellence (SQUIRE) 2.0 reporting guideline.

Data Collection

Data collected from participating institutions included institution, content of the phishing email, the number of emails delivered, and the number of clicks. Collaborators provided their data per phishing campaign, where a campaign was defined as an email with specific content sent to a group of employees. While individual employee characteristics were not available and responses of the same employee were not linked over time, no employees were excluded from phishing campaigns. All employees across all types of hospital roles (clinical and nonclinical) were eligible to receive the emails. One institution (site 2) ran several campaigns against small, targeted subsets of the population (eg, information security professionals). Because these campaigns were not general employee campaigns, they were excluded to increase generalizability.

Email Classification

Because different phishing emails might be more likely to be clicked based on their content, we classified all emails into 1 of the following 3 categories: office related, personal, or information technology (IT) related. These categories were generated by consensus among 3 of us (W.J.G., A.W., and A.B.L.). Emails were then separately classified by 2 of us (W.J.G. and A.W.), and disagreements were refereed by another of us (A.B.L.). Examples of each email category are listed in Table 1.

Table 1.

Email Category and Click Rates Among 95 Simulated Phishing Campaigns

Email Category	Example Lures	No. (% Total) of Campaigns
Office related	You have received a new fax…	37 (38.9)
	You are expected to review this document on an annual basis…
	Mandatory online workplace safety training…
Personal	Someone sent you a Halloween e-card…	22 (23.2)
	Your new credit card has been shipped…
	We are pleased to announce that you are eligible to receive double rewards…
IT related	Your mailbox has exceeded the storage limit, which is 20 GB as set by your administrator…	36 (37.9)
	We are currently updating our database and email center. All unused accounts will be deleted…
	If you are receiving this message, it means that your email address has been queued for deactivation…

Abbreviation: IT, information technology.

Emails were placed into 1 of 3 categories based on expert review. Shown are example lures from each of the categories, highlighting the type of content that is used to solicit further engagement with the phishing email from employees. Also shown are the number of campaigns from our sample that fell into each category.

Statistical Analysis

Institutions were anonymized (site 1 through site 6). The subsequent data set contained no institution- or person-identifiable information. We performed descriptive statistics on the institutions and phishing campaigns. We aggregated our data by institution and by campaign and calculated the proportion of emails that were clicked by employees, as well as the median click rates for each campaign. Multivariable logistic regression, with the use of a generalized estimating equation approach,[11] was used to compute odds ratios (ORs) with 95% CIs for the odds that a phishing email would be clicked during a campaign. We used a generalized estimating equation approach with independence working correlation to obtain robust variance estimates because campaign click rates within an institution may be correlated. Covariates included year (2011-2018, centered on 0), the number of campaigns the institution had run before the phishing email being sent (institutional campaign number 1-5, 6-10, or >10), an indicator for anonymized institution, email category (office related, personal, or IT related), and season. All analyses were conducted using a software program (R; R Foundation for Statistical Computing).

Results

A convenience sample of 6 US health care institutions provided data for the study. These hospitals ran 101 simulated phishing campaigns and sent 2 975 019 emails from August 1, 2011, through April 10, 2018. After excluding 6 targeted campaigns (3074 emails), our final sample size included 95 campaigns and 2 971 945 emails (Figure 1). We classified the remaining emails into 1 of 3 categories (37 office related, 22 personal, and 36 IT related). Interrater reliability for categorization was high (Cohen κ = 0.746). The median click rates varied by email category, from 12.2% (interquartile range [IQR], 7.2%-20.7%) for office related to 18.6% (IQR, 13.9%-25.6%) for IT related (Table 2).

Figure 1.

Study Design and Data Acquisition

Data collected for each campaign included year of campaign, institutional campaign number, emails sent, emails clicked, and email category.

Table 2.

Unadjusted Click Rates Among 95 Simulated Phishing Campaigns Across All Sites

Variable	No. of Campaigns	Unadjusted Click Rate, Median (IQR), %
Reference	95	16.7 (8.3-24.2)
Year (centered on 0)
2011	12	23.5 (18.7-26.4)
2012	4	22.0 (15.2-30.8)
2013	None	NA
2014	None	NA
2015	18	19.1 (10.1-19.4)
2016	21	18.4 (10.3-25.0)
2017	33	9.9 (4.8-17.2)
2018	7	10.2 (7.3-15.7)
Institutional campaign No.
1-5	28	25.1 (13.8-31.1)
6-10	19	17.9 (10.4-22.2)
>10	48	13.4 (6.3-18.8)
Institution
Site 1 (n = 19)	19	10.2 (5.3-18.3)
Site 2 (n = 33)	33	14.5 (8.0-22.6)
Site 3 (n = 3)	3	7.4 (5.8-9.6)
Site 4 (n = 9)	9	14.5 (8.3-21.0)
Site 5 (n = 26)	26	19.0 (15.6-25.6)
Site 6 (n = 5)	5	30.7 (25.2-34.4)
Email category
Office related	37	12.2 (7.2-20.7)
Personal	22	15.9 (6.8-24.5)
IT related	36	18.6 (13.9-25.6)
Season
Fall	24	18.5 (13.4-22.2)
Winter	30	16.4 (9.7-21.9)
Spring	18	14.0 (8.1-25.5)
Summer	23	11.8 (5.7-28.1)

Abbreviations: IQR, interquartile range; IT, information technology; NA, not applicable.

The overall click rate across all institutions and campaigns was 14.2% (422 062 clicks per 2 971 945 emails). The median institutional click rates for campaigns ranged from 7.4% (IQR, 5.8%-9.6%) for site 3 to 30.7% (IQR, 25.2%-34.4%) for site 6, with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions (Table 2 and Figure 2).

Figure 2.

Boxplot of Campaign Click Rate Among 95 Simulated Phishing Campaigns, by Site

The click rate distribution is shown by site. Each site is an anonymized institution. Click rate is calculated as a proportion (total emails sent divided by total emails delivered) across each campaign. The whiskers indicate the minimum and maximum values for each institution. The lower and upper borders of the box represent the first and third quartiles, respectively, while the line in the box represents the median.

We found that repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns). Year did not have a significant association with click rates (adjusted OR, 0.965; 95% CI, 0.841-01.107). Click rates varied by institution, from an adjusted OR of 0.302 (95% CI, 0.225-0.406) compared with reference to an adjusted OR of 1.463 (95% CI, 1.299-1.648). Emails that were office related were not significantly associated with click rates (adjusted OR, 1.354; 95% CI, 0.865-2.120) compared with IT related (reference), but personal emails were significantly associated with increased click rates (adjusted OR, 1.505; 95% CI, 1.128-2.007) compared with IT related. Finally, certain seasons were associated with click rates. For example, both spring (adjusted OR, 0.842; 95% CI, 0.735-0.964) and summer (adjusted OR, 0.751; 95% CI, 0.624-0.905) campaigns were associated with fewer clicks compared with fall campaigns, while winter was not significantly associated with click rates (adjusted OR, 1.175; 95% CI, 0.972-1.420). Full results are listed in Table 3.

Table 3.

Logistic Regression Model (With the Use of Generalized Estimating Equations) for the Odds of Clicking on 95 Simulated Phishing Campaigns

Variable	Model OR (95% CI)	P Value
Reference	0.279 (0.197-0.396)	<.001
Year (centered on 0)	0.965 (0.841-1.107)	.61
Institutional campaign No.
1-5	1 [Reference]	NA
6-10	0.511 (0.382-0.685)	<.001
>10	0.335 (0.282-0.398)	<.001
Institution
Site 1 (n = 19)	0.788 (0.651-0.954)	.02
Site 2 (n = 33)	1 [Reference]	NA
Site 3 (n = 3)	0.302 (0.225-0.406)	<.001
Site 4 (n = 9)	0.557 (0.474-0.654)	<.001
Site 5 (n = 26)	0.584 (0.393-0.868)	.008
Site 6 (n = 5)	1.463 (1.299-1.648)	<.001
Email category
Office related	1.354 (0.865-2.120)	.19
Personal	1.505 (1.128-2.007)	.005
IT related	1 [Reference]	NA
Season
Fall	1 [Reference]	NA
Winter	1.175 (0.972-1.420)	.10
Spring	0.842 (0.735-0.964)	.01
Summer	0.751 (0.624-0.905)	.003

Abbreviations: IT, information technology; NA, not applicable; OR, odds ratio.

Discussion

In this study of US health care institutions that run phishing simulations, overall click rates varied by institution but were notably high: on average, almost 1 in 7 simulated emails sent were clicked on by employees. In models adjusted for several potential confounders, including year, institutional campaign number, institution, and email category, the odds of clicking on a phishing email were 0.511 lower for 6 to 10 campaigns at an institution and 0.335 lower for more than 10 campaigns at an institution. We also found that there were important institutional differences in click rates, as well as differences in click rates between email category and season.

Our study demonstrates that, similar to other industries,[12] health care institutions conduct phishing simulations to raise awareness and identify employees who may benefit from education and training. We show herein that, under simulation, a large number of employees click on phishing emails, consistent with findings across other industries, where click rates can range from 13% to 49%, depending on industry.[13] We found that the odds of clicking on a phishing email decreased with greater institutional experience, which we hypothesize may be due to the benefit of running phishing simulation campaigns for employee education and awareness. In addition, we note that there is a wide range of click rates between simulated campaigns. We hypothesize that the range of click rates is due to a number of factors, including prior employee exposure to phishing simulations (eg, from previous employment), complexities of individual phishing emails, email timing, and institutional factors (eg, messaging), as well as individual, employee-level factors that we were unable to collect or control for, which will need further study.

Health care systems have been increasingly targeted by cyberattacks, either as part of larger international events (eg, WannaCry or NotPetya)[1,7,14] or as direct targets themselves.[2] Health care delivery organizations are critical infrastructure and are attractive targets for cybercriminals for several reasons, including the value of personal health data (ranging from $10 to $1000 per record in online marketplaces, depending on completeness[15,16]), the criticality of services provided by hospitals,[17] and an overall lack of information security processes.[18] Phishing is an easily deployable attack strategy, largely because email is an easy access point to hospital employees, many of whom have credentials for several internal information systems (eg, electronic health records). In our experience, email addresses are easy to ascertain, either from published resources (journal articles, public websites, and social media) or through guessing (eg, firstname_lastname[at]hospital[dot]org). In addition, emails are frequently opened, regardless of sender. For example, more than one-third of sales and marketing emails are ultimately opened.[19] The open rate may be even higher for emails that are not sales related.

Health care systems are also uniquely vulnerable to phishing attacks. Employee turnover at hospitals is high,[20] and there is a constant influx of new employees (eg, trainees) who may have no prior cybersecurity training, which creates a continuous stream of newly susceptible employees. Hospital systems are vulnerable due to significant end point complexity, a term used to describe the large number of IT devices that could be targeted in an attack. For example, every employee smartphone that is connected to the network is a potential risk, as are other networked devices (eg, patient monitors, clinical workstations, tablets, and all of the core information systems already in use).[21] In addition, hospital information systems are highly interdependent. An electronic health record is dependent on a laboratory information system to display clinical results. The laboratory information system, in turn, is dependent on a network connection to the laboratory analyzer system to process results. Attacking 1 system could significantly influence multiple downstream systems. Finally, locking down information systems is difficult. In a large health care system, there are typically a vast, heterogeneous, and distributed set of users that need access (eg, affiliated practices, state-level information exchanges, and reporting agencies). It only takes 1 successful phishing email, sent to 1 user, to shut down a critical system, potentially disrupting care across an entire organization.

There are many strategies for preventing or minimizing the consequences of phishing attacks. One strategy is to prevent phishing emails from being received or read in the first place (eg, using technology to filter emails based on patterns suspicious for phishing or modifying emails to indicate they are from external senders). A second strategy is to minimize the value of username and passwords, by requiring multifactor authentication (eg, a unique code generated by a smartphone application that must be entered to log in) or requiring special access controls for specific systems, so that credentials are less useful even if they are obtained. A third strategy is to foster employee awareness and training, and our results suggest that including phishing simulation campaigns as part of employee awareness or training may be helpful. There were several institution-level awareness efforts implemented in conjunction with phishing simulation campaigns. Some examples include distribution of antiphishing laptop decals and multilingual antiphishing posters, as well as phishing awareness in annual employee training programs. These are just some of the components of an information security program, and a robust plan needs to include multiple approaches.

Limitations

There are several limitations to our study. First, we used a convenience sample of institutions, all of which have an information security organization mature enough to conduct phishing simulations. While not representative of the entire US health care system, we have no reason to believe that the trends described herein would be different at other institutions. Furthermore, the click rate estimates may be conservative because systems with robust information security programs would likely have lower click rates than other institutions. Second, we did not have access to employee-level data (eg, to look at trends based on department, individual employees, or employee characteristics like age, sex, or role in the organization or to look at correlations between individuals because not all employees received all phishing simulation emails). Third, we did not adjust for additional factors that could influence click rates, such as campaign complexity, timing, and other institutional factors like intercampaign training programs or informal awareness efforts. Fourth, we are also unsure of the sustainability of click rate improvements over time.

Conclusions

In summary, current click rates in phishing simulations at US health care organizations indicate a major cybersecurity risk. These click rates highlight the importance of phishing emails as an attack vector, as well as the challenge of securing information systems. Repeated campaigns were associated with improved click rates, suggesting that simulated phishing campaigns are an important component of a proactive approach to reducing risk. It is necessary for all members of the health care community to understand this risk, particularly as safe and effective health care delivery becomes increasingly dependent on information systems.