
Hospital employees are clicking on phishing emails, and that's a problem, JAMA study shows

More than 2.9 million simulated emails were sent to employees at six hospitals, and nearly one in seven were clicked on, the study said.

Beth Jones Sanborn, Managing Editor

If hospital leaders are looking for ways to boost cybersecurity in their organization, they should start with employees and the perils of phishing emails. According to a recent study in JAMA, hospital employees are highly susceptible to such campaigns, which put organizations at risk of a breach.

More than 2.9 million simulated emails were sent to employees at six hospitals, and nearly one in seven were clicked on. However, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email, the study said.

It's clear that phishing emails present a major cybersecurity risk to hospitals and the study results certainly make that case. Healthcare providers should provide compelling training to employees regarding the identification of phishing and should repeat training at least on an annual basis to refresh the issue in the minds of staff.

Cybersecurity is an increasingly important threat to healthcare delivery, and email phishing is a major attack vector against hospital employees.

The final study sample included six U.S. healthcare institutions, 95 simulated phishing campaigns, and 2,971,945 emails. Of those emails, 422,062 were clicked. That's just over 14 percent. The median institutional click rates for campaigns ranged from 7.4 percent to 30.7 percent.

That means employees clicked on almost one in seven simulated emails. However, an increasing number of campaigns was linked to decreased odds of clicking on a phishing email, which could suggest a benefit to repeated phishing campaign simulations as a means of training and deterrence.

"The security of healthcare data and systems is rapidly emerging as a critical component of hospital infrastructure, and attacks on hospital information systems have had substantial consequences, with closed practices, canceled surgical procedures, diverted ambulances, disrupted operations, and damaged reputations. Attacks against hospitals have been increasing, with substantial financial cost as well… Healthcare delivery has become increasingly dependent on integrated, complex information systems that are susceptible to disruption. Securing our health information systems is critical to safe and effective care delivery and is now of public health concern," the study said.

Twitter: @BethJSanborn