Department of Medicine, Massachusetts General Hospital, Boston.
Division of General Internal Medicine and Primary Care, Brigham and Women's Hospital, Boston, Massachusetts.
JAMA Netw Open. 2019 Mar 1;2(3):e190393. doi: 10.1001/jamanetworkopen.2019.0393.
Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees.
To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations.
DESIGN, SETTING, AND PARTICIPANTS: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns.
Simulated phishing emails received by employees at US health care institutions.
Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related).
The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns).
Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.
网络安全对医疗服务的提供构成了日益严重的威胁,而电子邮件网络钓鱼是针对医院员工的主要攻击媒介。
描述网络钓鱼模拟的实践以及医疗保健员工易受网络钓鱼模拟攻击的程度。
设计、地点和参与者:这是一项回顾性、多中心质量改进研究,对 2011 年 8 月 1 日至 2018 年 4 月 10 日期间在 6 个地理位置分散的美国医疗机构进行的网络钓鱼模拟进行了便利样本研究。出于安全和隐私考虑,具体机构在此匿名。
医疗机构员工收到的模拟网络钓鱼电子邮件。
网络钓鱼活动日期、活动次数、发送电子邮件数量、点击电子邮件数量和电子邮件内容。电子邮件被分为 3 类(与办公室相关、与个人相关或与信息技术相关)。
最终的研究样本包括 6 个匿名的美国医疗机构、95 次模拟网络钓鱼活动和 2971945 封电子邮件,其中 422062 封被点击(14.2%)。各机构网络钓鱼活动的点击率中位数范围为 7.4%(四分位距[IQR],5.8%-9.6%)至 30.7%(IQR,25.2%-34.4%),所有活动和机构的总点击率中位数为 16.7%(IQR,8.3%-24.2%)。在回归模型中,重复的网络钓鱼活动与点击后续网络钓鱼电子邮件的可能性降低相关(调整后的比值比,0.511;95%置信区间,6-10 次活动为 0.382-0.685;>10 次活动为 0.335;95%置信区间,0.282-0.398)。
在发送网络钓鱼模拟的美国医疗机构样本中,几乎每 7 封发送的模拟电子邮件中就有 1 封被员工点击。活动次数的增加与点击网络钓鱼电子邮件的可能性降低有关,这表明网络钓鱼模拟和意识可能会带来好处。随着针对美国医疗保健系统的网络攻击不断增加,这些点击率对医院来说是一个重大的网络安全风险。
