Discussion
As cross-industry organisational cyber security hardware, software and policies improve, potentially malicious persons are making increasing use of targeted email communication (phishing). Healthcare organisations are increasingly moving to electronic patient record (EPR) systems and other digital systems,5 but healthcare professionals may have limited awareness of such threats, since most healthcare staff IT training focuses on the ‘functional’ features of software and applications. Recently, increasing emphasis on ‘cyberhygiene’ and information governance issues through mandatory training has raised understanding of these risks. For example, the National Cyber Security Centre provides information on the basic principles of how organisations can protect themselves from cyber threats, including advice in areas such as securing internet connections and devices, controlling access, software patching and data access.6 The findings from this small targeted study demonstrated that, on this occasion, no credentials were harvested through any of the phishing approaches, but highlighted that around 2%–3% of the large volume of emails and internet traffic to an NHS healthcare organisation is considered suspicious, emphasising the need for robust firewalls, cyber security infrastructure, IT policies and staff training. Since many phishing emails are links to malicious websites and their files, firewalls act as one layer that may be used to block access to these sites and files. A recent report found that phishing resulted in more breaches than malware and unpatched systems combined (48% vs 41%);7 this is especially true of staff who may be using personal devices for remote working (which may be unpatched and therefore more vulnerable to malware delivered through a phishing link), and again robust firewalls and infrastructure may mitigate some of this risk by restricting access to corporate systems even if devices are compromised.
In addition, a recent increase in the use of a variant known as CEO phishing has been reported, in which spoof emails are sent impersonating the company CEO; this variant accounts for almost half of phishing scam emails in some reports,8 and it is possible that more ‘click-throughs’ would have occurred had such tactics also been deployed in the present study. Other reports highlight that senior management roles have recently been targeted less, but that email spoofing of organisations has increased greatly, highlighting the need for controls such as Domain-based Message Authentication, Reporting and Conformance (DMARC).9 10
With the move to widespread comprehensive EPR systems and digital storage of novel information types, such as whole genome screening and drug prescribing information, the potential value of health data is likely to increase, and increasingly sophisticated methods of gaining access are likely. In general, as encryption and the technical aspects of cybersecurity improve, the ‘weak link’ increasingly becomes the human users, with manipulation and social engineering becoming relatively more important.11 Several recent healthcare-specific data breaches through phishing have now been reported, including Augusta University Health, exposing >400 000 records.12 There are of course many ways that data breaches may occur other than phishing, but according to the most recent Verizon report, around 40% of malware across all organisations is delivered by email, with overall ‘click rates’ of around 3%, and phishing now accounts for more than 80% of social hacking.13 With increasing perimeter protection and sophistication of automated systems to detect suspicious communications, in relative terms the risk for any organisation therefore increasingly becomes its staff, in terms of behaviour and vulnerability to social engineering. In every case where a phishing attack has been successful, there has been a human action induced by social engineering, that is, the psychological manipulation of people into performing actions or divulging confidential information.
Various methods have previously been described to try to identify the most vulnerable users of a system, including signal detection theory, evaluation of the proportion of risk attributable to the most vulnerable users, and evaluation of results from random versus spear phishing. In general, more vulnerable users are less cautious regarding all links and attachments and less able to distinguish phishing from legitimate emails; tests to identify such individuals so that they can receive targeted behavioural interventions are therefore important, and the ‘return on investment’ for such users has greater benefit than blanket deployment of standard approaches.14 However, performing ‘testing’ through phishing experiments such as the current study raises various issues regarding staff consent since, by definition, the process requires deception. Nevertheless, it is generally accepted that such approaches are ethical providing that risks are minimised, the user’s confidentiality and privacy are protected and the learning provides feedback for the common good.15
To determine whether demographic factors may be related to phishing vulnerability, one study recruited around 200 participants, including approximately equal numbers of younger and older adults, and logistic regression analysis revealed three statistically significant predictors of phishing risk, namely education level, preexisting awareness of phishing and performance on neuropsychological assessment tests, suggesting that relatively simple educational interventions could be effective in reducing phishing vulnerability.16 Technical tools may improve detection rates, but lack of knowledge of ‘risk clues’ appears to be of most importance in reducing ‘click-through’ rates. For example, in one study, the presence of cues such as domain highlighting allowed participants to distinguish legitimate from fraudulent websites better than at baseline, but many fraudulent web pages still went undetected, indicating that many users simply lack knowledge of security cues or of how to use them to prevent risk behaviours.17 Subjects first need to detect whether an email is suspicious for phishing, and then must deal with the email appropriately. Those most likely to treat emails as legitimate tend to underestimate the perceived adverse consequences of their actions despite being confident in their own abilities. Providing users with ongoing feedback about the consequences of phishing could allow targeting of those with the highest risk profiles,18 and this combination of factors represents the human component of security, which cannot be mitigated by technology alone.19 In our organisation, we send regular communications informing colleagues how to identify malicious emails, in addition to screensavers and feedback from ‘controlled’ phishing studies such as this, so that staff are educated by experience.
While some forms of phishing are highly targeted towards specific C-level individuals (eg, ‘whale phishing’), the results of a cybercrime survey including >10 000 people reported that personal background and financial characteristics in general play little role, with only ‘targeted browsing’ leading to increased risk. Use of specific operating systems or browsers does not appear to be associated with greater risk, and antivirus software has no effect, further indicating that broad training and behavioural prevention are required.20 It has also been reported that novel antiphishing training, in both simple comic and more complex video game forms, can reduce phishing susceptibility rates for all individuals, including both students and experienced computing participants.21
Two recent studies have specifically reported on aspects of phishing in healthcare organisations in the USA. In the first study, around 5000 employees were targeted by phishing emails, methodologically similar to the present study in that the primary outcome was click-through rates of potentially malicious links/files without further individual targeting through social media, of whom >3500 (65%) clicked on at least two suspicious emails. Importantly, a mandatory training programme did not have any significant effect, with those previously scammed remaining more likely to click on a phishing email, suggesting that targeted staff training may be required.22 The second paper was a retrospective, multicentre study of six US healthcare institutions that ran phishing simulations from 2011 to 2018 and reported that of around 3 million phishing emails, around 400 000 (14%) were clicked, but in this study, repeated phishing campaigns were associated with reduced odds of clicking on subsequent phishing emails.23
General approaches to reduce risk should therefore include both technical and behavioural tactics. Employees should be actively encouraged to question the authenticity of any email that deviates from their standard work; they should consider the sender and context carefully and, if in doubt, not open the email but seek the advice of the organisational security team. All staff should be educated regarding the potential dangers of malicious email attachments and, specifically, staff should never ‘verify’ any details from an email, click on hyperlinks or open unknown attachments. Users should also be aware of additional methods to confirm that any linked site is genuine, including various methods of two-factor authentication and the use of user-selected images on the login pages of legitimate sites. Organisational IT departments should disable functionality that is not required in an employee's daily work, such as Office macros and Windows PowerShell, and run appropriate firewalls with block lists of known phishing sites, together with email spam filters using machine learning approaches.24 In addition, the increasing use of multifactor authentication may mitigate some risks but may itself have disadvantages in healthcare settings with time-sensitive activities, and requires further evaluation for optimal deployment in hospitals.25
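As an added example (not part of the original study or of any NHS tooling), the following Python triage function inspects a raw email for the spoofing cues raised in the CEO-phishing paragraph above and in the technical controls just listed: the alignment between envelope sender and From domain that DMARC enforces, display-name impersonation that DMARC alone does not catch, and hyperlinks whose visible text names a different host from the link target. All domain names and messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host(text):
    """First host name found in a URL or in visible link text ('' if none)."""
    m = HOST.search(text)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return the spoofing cues found in a raw RFC 5322 message (empty list = none found)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # CEO-style impersonation: the display name shows an internal address, the real sender is external.
    if "@" in name and _domain(name) != from_dom:
        findings.append(f"display name shows {_domain(name)} but sender is {from_dom}")
    # Identifier alignment between envelope sender and From header, the property DMARC enforces.
    _, ret = parseaddr(msg.get("Return-Path", ""))
    if ret and _domain(ret) != from_dom:
        findings.append(f"Return-Path {_domain(ret)} not aligned with From {from_dom}")
    # Suspicious hyperlinks: the visible text names one host, the href points at another.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for href, text in ANCHOR.findall(html):
                shown = _host(re.sub(r"<[^>]+>", "", text))
                if shown and shown != _host(href):
                    findings.append(f"link text shows {shown} but points to {_host(href)}")
    return findings

# Constructed samples using invented domains under the reserved .example TLD.
BODY = '<p>Please <a href="http://trust-login.evil.example/">sign in at https://portal.trust.example</a> today.</p>'
HEADERS = 'Content-Type: text/html; charset="utf-8"\n\n'
# Direct domain spoof: From claims the organisation's domain but the envelope sender does not align (what DMARC rejects).
DOMAIN_SPOOF = "Return-Path: <bounce@mail.evil.example>\nFrom: Chief Executive <ceo@trust.example>\n" + HEADERS + BODY
# Display-name spoof: sender domain is aligned, so DMARC passes; only the display name and link cues give it away.
NAME_SPOOF = 'Return-Path: <bounce@mail.evil.example>\nFrom: "ceo@trust.example" <ceo@mail.evil.example>\n' + HEADERS + BODY
```

Calling `triage(DOMAIN_SPOOF)` and `triage(NAME_SPOOF)` returns two findings each, while a message from an aligned internal sender with honest link text returns an empty list.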
In addition to random phishing, employees should be aware of the risks of social media activity. For example, despite guidance regarding any use of organisation uniforms in photographs for social media purposes, in the present study we were able to identify hospital employees, in full uniform with identification badges clearly visible, in dating site profile pictures, and four employees were lured into accepting friend requests from a fictitious profile on Facebook, including one who replied with a message, providing a potential opportunity for further personal information gathering and therefore more sophisticated social engineering attacks, including highly targeted ‘spear phishing’. One of the main aims of any phishing attack is often to gain access to a network as an initial step towards a data intrusion. While individuals may be wary of emails containing attachments, if they can be persuaded to accept a friend request on a social media site, a subsequent ‘trusted’ relationship can be built, and an attachment may then be more likely to be opened when sent by the ‘friend’. For example, in a recent ‘spear phishing’ attack against a US healthcare institution, more than 2 million emails were breached.26 In addition, if a malicious actor can enter an organisation unchallenged, they may be able to find a credentialled computer providing them with immediate access to the network. Such intrusion approaches usually require some form of social engineering, and knowledge of specific staff members' names and job titles facilitates plausible responses to questioning. Furthermore, public display of a security badge allows spoofing of its external appearance, which, even though the copy may not be functional, may be enough to plausibly convince someone to allow tailgating into a restricted area. Therefore, social media awareness remains part of a wider security assessment.
The impact of the 2017 WannaCry ransomware across numerous NHS organisations raised the profile of the need for improved IT security awareness,27 28 and cybersecurity has now become more prominent across NHS organisations, with requirements for security to be considered at board level and managed as an ongoing board-level risk, and coordination of approaches across NHS England and NHS Digital, along with other government cyber security strategies.29 However, ‘phishing’ as a search term finds only four results on the NHS Digital website (increased from one result 1 year ago),30 with advice to ‘beware of phishing scams’. NHS Digital provides a cybersecurity support module regarding overall cybersecurity and resiliency, cyber-resilience exercises based on realistic incidents with a ‘simulated phishing tool’ in association with an NHS-wide national cyber security campaign, a cybersecurity glossary that includes phishing, smishing, spear phishing, whaling and social engineering, and cybersecurity advice such as recognising spelling and grammatical errors and suspicious hyperlinks and taking care with social media.
The findings of the current study suggest that while many NHS staff appear to be aware of phishing approaches and do not click through potentially malicious links or attachments, ongoing education is required, with specific emphasis on ‘leakage’ of information on social media sites, which may allow targeted phishing or other social engineering attacks. As of 2016, more than 70 000 patients had been documented as affected by at least 10 phishing attacks on US healthcare institutions, and this threat will only increase globally with the increasing volume and scope of digitisation of health information and the potential value of such data for generic crimes such as identity theft and, specifically for health data, targeted blackmail, payroll and payer fraud, or as a route to ransomware attacks.31 These factors should therefore influence information security policies on an ongoing basis, both through reiteration of basic security practices such as password policies and through developments such as intelligent network threat detection systems, implementation of the DMARC email authentication, policy and reporting protocol, increased consideration of staff education and training, and on-site and personal device physical security awareness.