Phishing Simulation Best Practices

Protect your practice against email attacks

Falling for a phishing attack is one of the most common cybersecurity errors employees make, and it can have significant impacts on healthcare organizations. Best practices call for a phishing simulation program to monitor and train employees to avoid these attacks.

Phishing is the most common type of significant security incident for healthcare organizations, with 57% of all organizations surveyed reporting such attacks.

One of the most common security errors employees make is falling victim to a phishing attack, in which they click on or respond to an email that looks legitimate but is actually sent by a hacker. These emails can look like they come from an executive within the organization, for instance, requesting sensitive information such as account numbers or passwords. In other common cases, the phishing email links to a website where the recipient completes an action that downloads malware or keystroke loggers onto their computer, or where they are convinced enough of its legitimacy that they provide sensitive data such as logins and passwords. Phishing gives hackers access to provider databases and patient personal health information (PHI). In a growing number of cases, ransomware is downloaded and spread across the provider’s network, and organizations are then forced to pay exorbitant ransoms to regain access to vital patient and clinic data and systems. These attacks have a significant impact on healthcare providers and the patients they treat.


  • 94% of malware is delivered by email
  • Phishing is a top access point for data breaches at > 20%
  • 25% of U.S. employees admitted struggling to identify a phishing email


According to the HIMSS report, healthcare organizations are improving their security awareness, but the report states that “…since phishing is still a significant, initial point of compromise, additional work needs to be done to further lower the click rate. This can be done through more frequent security awareness training, phishing simulation, and better monitoring of metrics pertaining to phishing (including whether there are any particular repeat offenders).”1 By following security best practices for phishing simulation, monitoring, and training, provider organizations can help employees spot and avoid these attacks.