Security Awareness and Training Crucial to Preventing Healthcare Phishing Attacks

Security awareness and training greatly decreased the likelihood of an employee falling for a healthcare phishing attack, KnowBe4 researchers found.

By Jill McKeon

Healthcare phishing attacks are still a top cyberattack vector, but new research shows that consistent security awareness and training can greatly reduce the likelihood of a successful attack.

KnowBe4 analyzed a dataset of over 9.5 million users across 19 sectors, more than 30,000 organizations, and 23.4 million simulated phishing security tests to illustrate the impact that security training can have on reducing cyber risk.

“Security leaders who continue to invest solely in sophisticated technology and security orchestration run the risk of overlooking a best practice proven to reduce their vulnerability: security awareness training coupled with frequent simulated social engineering testing,” the report stated.

“This approach not only helps raise the readiness level of humans to combat cyber crime, it lays the critical foundation necessary to drive a strong security culture throughout an organization.”

KnowBe4 established a baseline “phish-prone percentage” (PPP), which measured the percentage of employees that had clicked on a simulated phishing email with no prior security training. Researchers then revisited the PPP after 90 days and again after one year of security training to see how the results had changed.

Across all industries and organization sizes, the 2022 PPP baseline average was 32.4 percent. For small organizations (0 to 249 employees), healthcare and pharmaceuticals had the second highest average PPP, at 32.5 percent.

As the organization size grew, the PPP continued to climb for healthcare. Medium-sized healthcare organizations (250-999 employees) had a baseline PPP of 36.6 percent and large organizations (1,000+ employees) had a PPP of 45 percent.

“The Phish-prone Percentage data, although slightly more favorable than 2021, continues to show that no single industry across all-sized organizations is doing a good job at recognizing the cybercriminals’ phishing and social engineering tactics,” the report continued.

“When users have not been tested or trained, the initial baseline phishing security tests show how likely users in these industries are to fall victim to a phishing scam and put their organizations at risk for potential compromise.”

In the second phase of research, KnowBe4 analyzed industry PPPs after 90 days of simulated phishing security tests. The healthcare sector’s performance greatly improved, and the average PPP dropped to 17.6 percent across all industries.

Small healthcare organizations averaged a PPP of 19.7 percent, compared to 19.1 percent for mid-sized organizations and 17.2 percent for large organizations.

“As with any significant change, it takes time to break old habits and create new ones. Once these new habits are formed however, they become the new normal, part of the organizational culture, and influence how others behave, especially new hires who look to others to see what is socially and culturally acceptable in the organization,” the report noted.

After one year of security awareness and phishing training, rates continued to drop. Small healthcare and pharmaceutical organizations had an average PPP of 4.1 percent, compared to 6.1 percent for mid-sized organizations and 5.9 percent for large organizations.

The results showed a clear correlation between increased security awareness and training and lowered cyber risk.

Organizations can prevent social engineering and phishing attacks first by identifying common phishing scams and tactics. Attackers often open with generic greetings and ask recipients to download attachments or click links. Sometimes, they disguise themselves as reputable contacts or real businesses.
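The three tactics just listed (generic greetings, requests to click links or open attachments, and senders posing as a known business) can be turned into simple triage heuristics. The following is an added example, not code from the article or from KnowBe4; the message samples and the `TRUSTED_SENDERS` mapping are constructed, and the scoring is a hypothetical heuristic, not a complete phishing detector.

```python
"""Flag the phishing red flags described in the article in a raw email.

Constructed example: both messages and the trusted-sender map are made up.
"""
from email import message_from_string
from email.utils import parseaddr

# Greeting openers that address nobody in particular (lower-case, compared by prefix).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "dear valued", "dear sir or madam")
# Calls to action asking the reader to click a link or open an attachment.
ACTION_PHRASES = ("click here", "click the link", "download the attachment",
                  "open the attached", "verify your account")

# Hypothetical allow-list: display-name fragment -> domain it legitimately sends from.
TRUSTED_SENDERS = {"acme bank": "acmebank.example"}

# Constructed sample: lookalike domain, generic greeting, urgent link request.
PHISHING_SAMPLE = """From: "Acme Bank Support" <support@acme-bank-secure.example>
To: nurse@hospital.example
Subject: Action required

Dear Customer,

Your account has been locked. Click here to verify your account within 24 hours.
"""

# Constructed sample: same brand, but from its real domain with a personal greeting.
LEGITIMATE_SAMPLE = """From: "Acme Bank Support" <support@acmebank.example>
To: nurse@hospital.example
Subject: Statement available

Hi Dana,

Your monthly statement is ready in the portal you normally use.
"""


def find_indicators(raw_message, trusted_senders):
    """Return the sorted list of red-flag names found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    # Samples are single-part text/plain, so the payload is already a str.
    body = "" if msg.is_multipart() else msg.get_payload()
    found = set()
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        found.add("generic_greeting")
    if any(phrase in body.lower() for phrase in ACTION_PHRASES):
        found.add("suspicious_call_to_action")
    sender_domain = address.rpartition("@")[2].lower()
    for brand, domain in trusted_senders.items():
        # A trusted brand name in the display name but the wrong sending domain.
        if brand in display_name.lower() and sender_domain != domain:
            found.add("impersonation")
    return sorted(found)


if __name__ == "__main__":
    print(find_indicators(PHISHING_SAMPLE, TRUSTED_SENDERS))
    print(find_indicators(LEGITIMATE_SAMPLE, TRUSTED_SENDERS))
```

In practice a hit on several indicators at once is a useful trigger for routing a message to a reporting workflow or to the security team, alongside the user training the article describes.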

Accounting for the human element of cybersecurity is crucial, and the HIPAA Privacy Rule even requires covered entities to implement some form of security awareness and training throughout their workforce.

Technical safeguards and a culture of cybersecurity can help organizations defend against phishing and other types of social engineering.

“Given that most data breaches originate from social engineering, we cannot afford to omit the human element,” Stu Sjouwerman, KnowBe4’s CEO, explained in an accompanying press release.

“Implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber attacks and result in a more secure organizational culture.”