TY - JOUR T1 - Phishing in healthcare organisations: threats, mitigation and approaches JF - BMJ Health & Care Informatics JO - BMJ Health Care Inform DO - 10.1136/bmjhci-2019-100031 VL - 26 IS - 1 SP - e100031 AU - Ward Priestman AU - Tony Anstis AU - Isabel G Sebire AU - Shankar Sridharan AU - Neil J Sebire Y1 - 2019/09/01 UR - http://informatics.bmj.com/content/26/1/e100031.abstract N2 - Introduction Healthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed literature regarding phishing and healthcare.Methods An assessment was performed as part of cybersecurity activity during a designated test period using multiple credential harvesting approaches through staff email. We also searched the medical-related literature to identify relevant phishing-related publications.Results During the 1-month testing period, the organisation received 858 200 emails: 139 400 (16%) marketing, 18 871 (2%) identified as potential threats. Of 143 million internet transactions, around 5 million (3%) were suspected threats. 468 employee email addresses were identified from public data and targeted through phishing using a range of payloads including attachments and malicious links; however, no credentials were recovered or malicious files downloaded. Several hospital employees were, however, identified on social media profiles, including some tricked into accepting false friend requests.Discussion Healthcare organisations are increasingly moving to digital systems, but healthcare professionals have limited awareness of threats. Increasing emphasis on ‘cyberhygiene’ and information governance through mandatory training increases understanding of these risks. While no credentials were harvested in this study, since up to 5% of emails/internet traffic are suspicious, the need for robust firewalls, cybersecurity infrastructure, IT policies and, most importantly of all, staff training, is emphasised.Conclusion Hospitals receive a significant volume of potentially malicious emails. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required across the spectrum of cybersecurity, with specific emphasis around ‘leakage’ of information on social media. ER -