(Reuters Health) - Many healthcare organizations remain vulnerable to phishing attacks, a new study finds.

When researchers sent simulated phishing emails, nearly one in seven of the messages were clicked by employees of healthcare systems, according to the report published in JAMA Network Open.

“Cybersecurity is a really important issue for hospitals and healthcare organizations and it’s only getting more important,” said lead study author Dr. William Gordon, of Brigham and Women’s Hospital and Harvard Medical School in Boston. “One of the biggest risks for them is their own employees and it’s manifested through phishing attacks.”

The new study shows the importance of employee awareness of the dangers hidden in phishing emails, Gordon said. The good news, he added, is that “things get better over time with awareness, education and training.”

Phishing is the term for sending out digital lures - usually an email telling the recipient to click on a link - that allow hackers to access the recipient’s computer network or introduce malware. In recent years, healthcare networks have had patient data exposed as a result of phishing attacks, and one large hospital network was crippled for two weeks by a computer virus, the study team notes.

To get an idea of how vulnerable healthcare organizations are to phishing, Gordon and his colleagues analyzed data from six geographically dispersed U.S. healthcare institutions that ran phishing simulations from August 1, 2011 through April 10, 2018.

In all, the institutions ran 95 simulated phishing campaigns, which produced 2,971,945 emails, 422,062 (14.2 percent) of which were clicked. The median click rates at individual institutions ranged from 7.4 percent to 30.7 percent, with an overall median click rate of 16.7 percent across all institutions and all campaigns.

When researchers analyzed the data over time, they determined that phishing campaigns contributed to employee awareness and thus to lower rates of clicking in subsequent phishing simulations.

The more simulations an institution ran, the lower the eventual click rate, Gordon said. Running five to 10 simulations “was better than one to five, and greater than 10 was even better than five to 10,” he added. “The odds of clicking went down by a third when the hospital or healthcare institution ran more than 10.”

What’s not known, Gordon said, is how lasting that effect is: “If an institution stops doing simulations, do the click rates stay low?”

What’s in it for phishers? Probably the most important benefit is getting access to patients’ identifying information. Other studies have shown that in online marketplaces, patient information is valued at $10 to $1,000 per record, Gordon said.

The new study spotlights the vulnerability of healthcare organizations, said Chris Carmody, senior vice president of enterprise technology and services at the University of Pittsburgh Medical Center and president of ClinicalConnect Health Information Exchange.

“This is definitely a problem in all industries where people rely on e-communications, especially email,” Carmody said. “And healthcare is no different. We see clinical users whose primary focus is on patient care and we’re trying to do our best to help them develop the knowhow to know what to look for so they can identify phishing attempts and report them to us.”

At UMPC, cybersecurity experts have been running phishing simulations for about five years, Carmody said. “But you can’t just rely on phishing simulations. That’s just one of many tools.”

Over time, “our users have developed resiliency and the ability to identify (phishing attempts),” Carmody said. “And we’ve looked at how fast they report it. Part of our tool is integrated into the email environment. We have a button for them to click if they suspect an email is a phishing attempt.”

Carmody estimates that his group gets about 7,500 suspect emails forwarded to them each month. “Only about 12.5 percent are actually malicious,” he said. “That’s OK. We’d rather err on the side of precaution and have them report anything that looks suspicious to us so they can get back to taking care of patients.”

SOURCE: bit.ly/2UsJcTg JAMA Network Open, online March 8, 2019.