Ninety percent of health organizations experienced an email-borne security threat in the past year according to a new survey, and researchers believe that employee security awareness training is not properly prioritized within cyber resilience programs.
The survey, from HIMSS Media and email and data security company Mimecast Limited, included 101 respondents who have significant involvement with email security initiatives at U.S. hospitals and health systems, according to officials.
Of those organizations that experienced an email-borne attack in the last year, 25 percent of respondents stated these attacks were very or extremely disruptive. According to the research, the top attack types targeting healthcare organizations’ email are malicious URLs and broad phishing attacks.
Even though about three in four organizations reported having, or being in the process of rolling out, a comprehensive cyber resilience program, only half of respondents disclosed high levels of confidence in their current email security deployment.
In addition, the data showed that 72 percent of organizations experienced downtime as a result of an attack, with productivity (55 percent), data (34 percent) and financial (17 percent) losses being the three most common types of loss. Healthcare organizations experiencing the most disruptions over the course of the last 12 months were hit more frequently by attacks impersonating trusted vendors or partners (61 percent) and credential-harvesting phishing attacks (57 percent) than by other kinds of email-borne attacks.
Researchers noted that employee training is a key element of a comprehensive cyber resilience program, and one that is often overlooked. Seventy-seven percent of respondents agreed that employee-focused security awareness training is essential to protecting their organization against email-borne attacks, yet 40 percent indicated that their organization provides security training less than once per quarter. Notably, 11 percent admitted to only offering training during onboarding or ad hoc after a negative incident had occurred.
Matthew Gardiner, director of enterprise security at Mimecast, stated, “The popularity of email as a communications channel makes it one of the top attack vectors used to target healthcare organizations. All the reasons it is effective for legitimate use make it a key path for threat actors to use maliciously, often with minimal effort and a high return on investment.”
He advised, “Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter. Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”