New study shows just how vulnerable hospitals are to phishing attacks

12 Mar 2019


Research led by Brigham and Women’s Hospital in Boston has shown that hospitals are hugely vulnerable to potentially disastrous phishing attacks.

As the world becomes increasingly digitised, more businesses are grappling with how cybersecurity threats could impact them. The threat cybercriminals pose is particularly potent for the healthcare industry; a successful phishing attack could not only compromise patient data, but could wreak havoc on patient care.


So, how vulnerable are healthcare organisations to these kinds of attacks? Vulnerable enough to warrant concern, according to a new study released by Brigham and Women’s Hospital in Boston, Massachusetts.

“Information security is increasingly important for healthcare organisations, and cybersecurity attacks are a major risk to a hospital’s ability to operate and deliver care,” explained corresponding author Dr William Gordon of Brigham’s division of general internal medicine and primary care.

The researchers gauged susceptibility to phishing attacks through a multicentre study, which collected data from six healthcare organisations. Each organisation ran phishing scam simulations over the course of seven years to track how often healthcare employees would click through. In total, the team analysed click rates for almost 3m simulated emails that ranged from office- and IT-related to personal correspondence.

The investigation reported a high click rate for simulated phishing attacks – more than 14pc of phishing emails were clicked. Click rates ranged from 13pc to 49pc, however, depending on industry. Each such click would open an organisation up to attack were the email sent by a genuine bad actor.

Yet the team also noted a reduction in click rates after campaigns were mounted raising awareness of phishing threats; after institutions had run 10 or more phishing simulation campaigns, the click-through rates reduced by one-third, suggesting that the issue can be remedied.

“We know that in healthcare, the stakes are high. Patient data, patient care, patient trust and financial stability may be on the line,” Gordon added.

“Understanding susceptibility but also what steps can be taken to mitigate it are critical as cyberattacks continue to rise … Our study suggests that while the risk is high, there is an opportunity to mitigate it through training.”

Eva Short was a journalist at Silicon Republic