Reading Time: 2 minutes

A study found that employees of US healthcare institutions click on approximately 1 in 7 simulated phishing emails, suggesting a need for increasing educational campaigns on phishing attacks in healthcare. Findings from the study were published in JAMA Network Open.

Researchers retrospectively reviewed data from a total of 6 healthcare institutions across the United States that ran email phishing simulations from August 1, 2011 to April 10, 2018. Institution employees were recruited to receive these simulated phishing emails during the program. Emails were classified as office-related (n=37), personal (n=22), or information technology-related (n=36). The investigators collected data on the date of the phishing campaign, campaign number, number of emails sent and clicked, and email content. During the campaign, a total of 2,975,019 emails were sent.

Healthcare institution employees subsequently clicked on approximately 14% (n=422,062) of simulated phishing emails. The overall median click rate was 16.7% (interquartile range [IQR], 8.3%-24.2%), and the median click rates across institutions ranged from 7.4% (IQR, 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%). The regression analysis found an association between repeated phishing campaigns and a reduced odds of clicking on simulated phishing email (6 to 10 emails: adjusted odds ratio [aOR] 0.511; 95% CI, 0.382-0.685; >10 emails: aOR 0.335; 95% CI, 0.282-0.398).

Study limitations included the convenience sampling and lack of employee-level data to evaluate associations between specific departments/roles and click-through rates.

“Repeated campaigns were associated with improved click rates, suggesting that simulated phishing campaigns are an important component of a proactive approach to reducing risk,” the researchers concluded. “It is necessary for all members of the health care community to understand this risk, particularly as safe and effective health care delivery becomes increasingly dependent on information systems.”


Gordon WJ, Wright A, Aiyagari R, et al. Assessment of employee susceptibility to phishing attacks at US health care institutions. JAMA Netw Open. 2019;2(3):e190393.