Following a recent spate of aggressive phishing attacks on NHSmail, Cofense – a cyber-security provider – has shared US client data it has tracked to clarify just how much of a danger future phishing attacks may become in the UK.
Entitled Say Ah: A Closer Look at Phishing in the Healthcare Industry, Cofense’s industry brief compares the resilience of the healthcare sector to phishing attacks with other industries monitored by the software provider.
Resilience is the ratio between users who report a phishing attack versus those who fall susceptible. Over three years, the US healthcare’s resilience rate has improved from 1.05 (2015) to 1.49 (2018). The improvement is not dramatic however and pales significantly against other industries; energy has a resilience of 4.01, while financial services is rated at 2.52 and legal services 2.50.
One factor the report notes as inhibiting the healthcare industry’s resilience ratio is high turnover. Doctors, registered nurses and administrative staff constantly change positions and that can be hard to gain traction in the fight against phishing, explains the report.
The top three most active threats from phishing emails were requests for invoices, emails posing as manager evaluations, and emails reporting package deliveries. All three threats required a sense of urgency and the report warns healthcare providers to be alive to this when advising staff.
In April 2017 one of the biggest NHS trusts, the Leeds Teaching Hospitals NHS Trust, sent out a fake phishing email to see whether any of its 17,000 members of staff would be tricked into disclosing confidential information. The Trust’s audit committee reported 400 employees (around 2.3% of all staff) responded to the phishing email and revealed confidential information like passwords or network credentials.
“The results are staggering and speak for themselves,” explained Rohyt Belani, Cofense’s CEO. “When the U.S. sneezes the world catches a cold, and we hope this data can serve as an early warning sign for NHS Trusts to have appropriate anti-phishing measures in place. At present the healthcare industry is at specific risk, lagging behind other industries, as our findings show. With careful planning however these threats can be mitigated and repulsed very quickly.”