News

Healthcare Workers Among Most Gullible to Phishing: Report

• By Gladys Rama
• 09/29/2023

Of the nearly 20 industries studied in a recent report on phishing awareness and vulnerability, healthcare emerged as one of the most phishing-prone.

That's one of the uptakes of the latest "Phishing by Industry Benchmarking Report" by KnowBe4, maker of anti-phishing security solutions. KnowBe4 measured the security awareness of end users across 19 industries globally by tallying "the number of employees [in each industry] who clicked a simulated phishing email link or opened an infected attachment during a testing campaign using the KnowBe4 platform." It then used that number to give each industry a so-called "Phish-prone Percentage" score. The lower the score, the less susceptible an industry's workers are to phishing schemes.  

Across both small and medium-sized organizations, the "healthcare & pharmaceutical" industry (healthcare for short) was the most suscpetible to phishing tactics. Healthcare organizations with fewer than 250 employees had an average PPP of 32.3 percent; those with between 250 and 999 employees had a PPP of 35.8%

"We now see the Healthcare & Pharmaceuticals industry as the highest at risk for both small- and medium-sized organizations," KnowBe4 said.

(Among organizations with north of 1,000 employees, healthcare still had a woefully high PPP score of 46.7 percent, but three other industries fared worse: insurance, energy & utilities, and consulting.)         

In a statement, KnowBe4 said healthcare's poor showing was "concerning," given that the industry trades in particularly sensitive data, from medical records to financial records, and because cybersecurity attacks on medical infrastructure can be especially debilitating to communities. 

Citing data from the FBI's internet crimes group, KnowBe4 noted that "most healthcare organizations allocate less than six percent of their IT budget for cybersecurity," despite those organizations being the target of more ransomware attacks than any other since the pandemic. 

Healthcare's high PPP score points to the need for more extensive anti-phishing training among healthcare workers, according to the company. 

"[H]ealthcare employees are the sector's largest attack surface, making security awareness training a vital tool to defend against cybersecurity threats," said KnowBe4 CEO said Stu Sjouwerman. "An educated workforce forms a strong human firewall, which is key to practicing safe cyber habits and building a strong security culture. For the U.S. healthcare industry, this could result in employees around the country making proactive security decisions that lead to less attacks, driving the trend down while protecting the privacy of patients." 

KnowBe4's 2023 report is available to download here with registration.