The Phish in Healthcare: Three Steps to Avoid the Persistent Threat

Organizations are vulnerable through the actions of their end users. No matter how strong the infrastructure and defensive technology, human error remains a critical risk to business continuity and information security. In healthcare, a successful phishing attack risks the loss of personally identifiable information (PII), protected health information (PHI) and large quantities of other sensitive health data, which makes healthcare organizations an attractive target for malicious actors. The average cost of a cyber-attack in the healthcare industry is $1.4 million, a figure that has remained consistent over the last few years [1].

The 2018 Verizon Data Breach Investigations Report showed that healthcare was the only industry with more data breaches caused by internal actors than by external ones [2]. Email is an attractive attack vector, given that most healthcare employees have direct access to sensitive patient information. According to the report, the data compromised in healthcare breaches was 79 percent medical, 37 percent personal and four percent payment (a single breach can expose more than one type of data, so the figures overlap). The value of a medical record on the dark web has surpassed that of passwords and credit cards. Healthcare institutions must take proactive steps to keep their workforce aware of phishing threats. Organizations that fall victim to these attacks face massive data loss, loss of business continuity and damage to reputation.

Smishing, whaling and spear phishing campaigns are expected to keep increasing. Proofpoint found that 83 percent of surveyed organizations experienced phishing attacks in 2018, up from 76 percent in 2017, and 64 percent experienced spear phishing, up from 53 percent [3].

Smishing: Phishing delivered by SMS or other text message, typically luring the user to a malicious link or into installing malware on their mobile device
Whaling: Phishing attacks that target executives or other high-level (C-suite) members
Spear phishing: A targeted email attack aimed at a specific individual to gain access to their data or credentials

Attackers are constantly developing new ways to socially engineer employees into handing over company data. Proofpoint's 2019 "State of the Phish" data shows that malicious actors focus their efforts on an organization's employees rather than on the technology that stands between the attackers and the data they want. As attackers evolve and improve their tactics, healthcare organizations will need to improve their security posture accordingly.

Three areas that could provide the most impact to end-user awareness include:

1. Develop a Culture of Education and Awareness
2. Make It Easy for Employees to Report Phishing
3. Conduct Quarterly Phishing Simulations

1. Develop a Culture of Education and Awareness

A people-centric approach to end-user security is critical to keeping company information safe. Organizations rely too heavily on the technological defenses they have in place. End users are the last line of defense, and system administrators need to treat them as such. A culture of awareness and skepticism should be instilled from the top of the organization down, with emphasis at every level on the handling of company data. All personnel should take their digital activity seriously, and employees should be trained to recognize questionable scenarios while performing everyday tasks. End-user awareness training should be conducted frequently, especially for new hires; in industries with high employee turnover, management should focus on early education. Information security should be part of every employee's daily work, no matter their role or level of responsibility in the organization.

A common misconception is that employee age directly correlates with awareness of cyber risk. Millennials and younger employees are no less vulnerable to social engineering than their tenured colleagues, and may be more willing to hand over information when an attacker impersonates a superior. Older, experienced users have simply been exposed to more attacks. A younger generation may be more comfortable with technology, but that does not mean a better understanding of information security concepts. All employees should be trained to be skeptics and to treat corporate data as if it were their own. For this culture to become part of day-to-day business, management must decide to be the catalyst for change.

2. Make It Easy for Employees to Report Phishing

An effective but often overlooked way to defend data is to empower employees at all levels to report phishing quickly and easily. Examples include a one-click "report phishing" button in the email client, or a dedicated reporting mailbox to which employees forward suspicious messages. When employees have a simple way to report potentially malicious emails, there is a substantially higher chance that the emails get reported and a breach is prevented before it occurs. Generally, employees will not take time out of their day to investigate a risky email or a suspected phishing attempt. Streamline the reporting process, and find a way to reward those who take action to protect company data.
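A reporting button or mailbox is only half of the loop; someone has to look at what arrives. The script below is an added example (not from the original article or from DHG) of a first-pass triage that a security team could run over messages sent to such a mailbox. It assumes reports arrive with the original message forwarded as an attachment, so the original headers survive (an inline forward replaces them with the reporter's own), and it assumes a known list of organization mail domains (ORG_DOMAINS is an assumption). The sample message, the domains and the 198.51.100.23 address are constructed for illustration and are not real indicators.

```python
"""First-pass triage of a message reported to a phishing mailbox (added example)."""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = {"example.org"}  # assumption: the organization's own mail/web domains
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify")

# Constructed sample report: a credential lure forwarded as an attachment (not a real message).
SAMPLE_EML = b"""\
From: "IT Service Desk" <helpdesk@example.com>
Reply-To: collect@example.net
To: nurse@example.org
Subject: URGENT: Your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 2 hours. Verify immediately to avoid losing access.</p>
<p><a href="http://198.51.100.23/owa/login">https://portal.example.org/owa</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(addr: str) -> str:
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_links(msg: EmailMessage):
    """Anchor text/href pairs from HTML parts, plus bare URLs from plain-text parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            links.extend((u, u) for u in re.findall(r"https?://\S+", part.get_content()))
    return links


def _body_text(msg: EmailMessage) -> str:
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(chunks).lower()


def triage(raw: bytes, org_domains=ORG_DOMAINS) -> dict:
    """Parse a reported message and list the indicators an analyst checks first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    if from_dom and from_dom not in org_domains:
        findings.append(f"external sender domain: {from_dom}")
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:  # replies are steered somewhere else
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for text, href in extract_links(msg):
        shown, actual = _host(text), _host(href)
        if shown and shown != actual:  # visible URL does not match the real target
            findings.append(f"link text shows {shown} but points to {actual}")
        if _is_ip(actual):
            findings.append(f"link target is a bare IP address: {actual}")
    hits = sorted(w for w in URGENCY_WORDS if w in _body_text(msg))
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))
    verdict = "escalate" if len(findings) >= 2 else "review"
    return {"subject": str(msg.get("Subject", "")), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

The checks are deliberately cheap header and link inspections, so they can run on every report before an analyst spends time on it; anything marked "escalate" is a candidate for blocking the sender domain and the link target at the mail gateway and for a quick search of other mailboxes that received the same message.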

3. Conduct Quarterly Phishing Simulations

Organizations of all sizes and industries should include phishing simulations in their end-user awareness program. Periodic simulated attacks give management a concise picture of the organization's end-user security posture. Quarterly tests keep information security a regular topic in the workplace and help instill skepticism in employees when they send and receive email and handle company data. Reward employees who pass a simulation, whether by reporting the simulated phish or by leaving it alone. The reward does not have to be financial; a simple email, a note or recognition among management and peers goes a long way. Reinforcing positive actions boosts morale and creates a healthy competitive mindset.

Larger organizations can run the simulation as a competition between business units or teams, led by their managers. Scoring each team separately on its click and report rates makes it possible to reward those who perform well and to direct additional training where it is needed. It also holds managers accountable for fostering the culture of awareness. Beyond making simulations competitive, the results provide management metrics that quantify the level of risk each business unit presents to the organization.

There is no magic combination of procedures, systems or technology that will guarantee end-user security. Managers and IT directors need to decide strategically what works best for their environment. A zero-risk goal may not be realistic, but overall risk can be reduced. Completely eliminating the risk of human error is not feasible, which is exactly why attackers focus so much energy on this vector. These three preventative actions can be applied to a healthcare organization of any size. As malicious actors find new avenues to phish employees and mount more attacks, improving end-user awareness should be a top priority.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet the IT advisory needs that drive your business. To learn more about DHG IT Advisory, visit

About DHG Healthcare

DHG Healthcare, the national healthcare practice of DHG, is ranked by Modern Healthcare as the tenth largest privately held consulting practice in the nation. Spanning the broader healthcare ecosystem, our clients share the common challenge of successfully navigating the unparalleled amount of federal, state and market-driven reform underway in the U.S. Our services in the consulting, assurance and tax domains are purposefully designed to assist our clients in their journey to risk capability. Creating institutional value is a critical focus as our clients define their strategic approach, execute on transformational plans, and manage the financial health and sustainability of their organizations. Learn more about the services and people of DHG Healthcare at


  1. The Trust Factor: Cybersecurity's Role in Sustaining Business Momentum – Radware, 2019.
  2. 2018 Data Breach Investigations Report – Verizon, 2019.
  3. State of the Phish – Proofpoint, 2019.