Phishing is a cyberattack strategy used against hospital systems and employees to obtain sensitive information. Simulated phishing emails are an important training and educational strategy to reduce cybersecurity risk. We performed a multi-center study of phishing simulations done at US healthcare institutions from 2011-2018. Median click rates ranged from 7.4% to 30.7% across six institutions. We found that repeated phishing campaigns decreased the odds of clicking on a subsequent phishing email (OR .623 for campaigns 5-10; OR .323 for > 10 campaigns, p-value < .001). These high click rates represent a major cybersecurity risk for hospitals.
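The two metrics the abstract reports, per-campaign click rate and the odds ratio of clicking by number of prior campaigns, are what a security team needs to compute to evaluate its own simulation program. The following is an added example, not code from the study or from any of the authors' institutions. It uses a small constructed set of simulation records (user, campaign number, clicked), and the campaign bands 1-4 (reference), 5-10 and >10 mirror the abstract's groupings; the odds ratios it produces are unadjusted 2x2 ratios, a simplification of whatever model the study used, and the numbers are illustrative only.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed phishing-simulation log: (user_id, campaign_number, clicked).
# campaign_number is how many simulated emails that user has received so far,
# including this one. This data is made up for the example.
SAMPLE_RECORDS = [
    ("u1", 1, True), ("u1", 2, False), ("u1", 3, True), ("u1", 4, False),
    ("u2", 1, True), ("u2", 2, False), ("u2", 3, False), ("u2", 4, True),
    ("u3", 1, False), ("u3", 2, False),
    ("u1", 5, True), ("u1", 6, False), ("u1", 7, False), ("u1", 8, False),
    ("u2", 5, False), ("u2", 6, True), ("u2", 7, False), ("u2", 8, False),
    ("u1", 11, True), ("u1", 12, False), ("u1", 13, False), ("u1", 14, False), ("u1", 15, False),
    ("u2", 11, False), ("u2", 12, False), ("u2", 13, False), ("u2", 14, False), ("u2", 15, False),
]


def band(campaign_number):
    """Map a campaign number onto the exposure bands used in the abstract."""
    if campaign_number <= 4:
        return "1-4"
    if campaign_number <= 10:
        return "5-10"
    return ">10"


def click_rate_by_campaign(records):
    """Fraction of recipients who clicked, per campaign number."""
    clicks = defaultdict(int)
    recipients = defaultdict(int)
    for _user, campaign, clicked in records:
        recipients[campaign] += 1
        if clicked:
            clicks[campaign] += 1
    return {c: Fraction(clicks[c], recipients[c]) for c in recipients}


def clicks_and_nonclicks(records, band_label):
    """Count clicks and non-clicks for all records falling in one band."""
    clicked = sum(1 for _u, c, k in records if band(c) == band_label and k)
    not_clicked = sum(1 for _u, c, k in records if band(c) == band_label and not k)
    return clicked, not_clicked


def odds_ratio(records, band_label, reference="1-4"):
    """Unadjusted odds of clicking in band_label relative to the reference band.

    OR = (clicks_band / nonclicks_band) / (clicks_ref / nonclicks_ref).
    Values below 1 mean users in that band were less likely to click.
    """
    c_band, n_band = clicks_and_nonclicks(records, band_label)
    c_ref, n_ref = clicks_and_nonclicks(records, reference)
    if n_band == 0 or c_ref == 0 or n_ref == 0:
        raise ValueError("odds ratio undefined: a cell of the 2x2 table is zero")
    return Fraction(c_band, n_band) / Fraction(c_ref, n_ref)


if __name__ == "__main__":
    for campaign, rate in sorted(click_rate_by_campaign(SAMPLE_RECORDS).items()):
        print(f"campaign {campaign:>2}: click rate {float(rate):.1%}")
    for label in ("5-10", ">10"):
        print(f"OR for campaigns {label} vs 1-4: {float(odds_ratio(SAMPLE_RECORDS, label)):.3f}")
```

The odds ratio here comes from a plain 2x2 table, so it will not match a study figure that adjusts for institution, role or year; it is the first sanity check a program owner runs before handing data to a statistician. Tracking the per-campaign click rate over time is what shows whether the training effect described in the abstract is appearing in your own population.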

Learning Objective 1: Understand the cybersecurity threat to healthcare systems posed by phishing

Learning Objective 2: Describe the practice of phishing simulation as a way to provide education and training to healthcare system employees


William Gordon (Presenter)
Brigham & Women's Hospital

Adam Wright, Brigham & Women's Hospital
Ranjit Aiyagari, University of Michigan Medical School
Leslie Corbo, Utica College
Jigar Kadakia, Partners Healthcare
Jack Kufahl, University of Michigan Medical School
Christina Mazzone, Partners Healthcare
James Noga, Partners Healthcare
Mark Parkulo, Mayo Clinic
Brad Sanford, Emory Healthcare
Paul Scheib, Boston Children's Hospital
Adam Landman, Brigham & Women's Hospital
