Sending out digital lures or “phishing” allows hackers to access a recipient’s computer network or introduce malware by clicking on an email link. Healthcare networks have had patient data exposed in phishing attacks; studies have shown that patient information is valued at US$10 – US$1,000 per record on online markets.

But, researchers have determined that phishing campaigns and phishing simulations contribute to employee awareness against attacks and decreases rates of clicking on dangerous emails in subsequent simulations.

Analysed data from six geographically dispersed US healthcare institutions that ran phishing simulations from 2011 through 2018 produced 2,971,945 emails in total, 422,062 (14.2%) of which were clicked by their own employees.

The more simulations ran, the lower the eventual click rate, as noted by study author Dr. William Gordon of Brigham and Women’s Hospital and Harvard Medical School in Boston. Gordon has advised institutions to run more than 10 simulations each, although the lasting effects of such awareness on click rates are not yet known.

The study spotlights the vulnerability of healthcare organisations, said Chris Carmody, senior vice president of enterprise technology and services at the University of Pittsburgh Medical Center (UMPC), where cybersecurity experts have been running phishing simulations for about five years.

Carmody has said that their users have gradually developed resiliency and the ability to identify various phishing attempts in the email environment, and would rather the users report anything suspicious so they can get back to taking care of patients.