There is a need for both simulated phishing attacks and question-based evaluations to ensure that healthcare cybersecurity measures are able to protect sensitive data, according to a recent survey.
The Wombat Beyond the Phish Report found that only 13 percent of healthcare respondents clicked on simulated phishing attacks, yet they missed 31 percent of the questions in the knowledge assessment.
There were similar results in the manufacturing and energy sectors, where only 9 percent of respondents clicked on simulated phishing attacks. However, 29 percent of the questions were missed in the question-based evaluations.
For the report, Wombat analyzed 20 million questions and answers about end users’ ability to identify and manage security threats within their organization. Participating organizations were in various industries, including healthcare, technology, financial, manufacturing, and education.
“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” Wombat President and CEO Joe Ferrara said in a statement. “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”
The report also found that healthcare workers missed more questions than other industries when it came to protecting confidential information. Specifically, respondents missed 5 percentage points more than the average.
Telecommunications, defense industrial base, and professional services were the next three industries that struggled the most in protecting confidential information.
When it comes to protecting mobile devices and their information, healthcare was once again one of the top three struggling industries. For example, the report found that 25 percent of questions were missed by healthcare workers in this area.
“Many of the most missed questions on this topic were around the area of Bluetooth connectivity,” the report stated about overall responses. “Most people did not realize that they can leave personal information behind on devices they have paired with, such as a rental car.”
Consumer goods was the industry that struggled the most in protecting mobile devices and their information, with 26 percent of questions missed in that area.
The report also showed that professional services and healthcare employees performed worst on the nearly 1 million questions asked about safe passwords.
“No solution on its own is a silver bullet; a defense-in-depth strategy is best, with both technical and end-user focused safeguards working together to keep your organization safe,” the report’s authors wrote.
Covered entities need to address these healthcare cybersecurity knowledge gaps, particularly around phishing. This is especially true as a study from the Anti-Phishing Working Group (APWG) published earlier this year found that the number of unique phishing websites increased by 250 percent from October 2015 to March 2016.
Overall, researchers found 289,371 unique phishing websites in the first quarter of 2016.
“We always see a surge in phishing during the holiday season, but the number of phishing sites kept going up from December into the spring of 2016,” APWG Senior Research Fellow and Vice President of iThreat Cyber Group Greg Aaron said. “The sustained increase into 2016 shows phishers launching more sites, and is cause for concern.”
More sophisticated malware and malicious code were listed as the main reasons for the uptick in phishing websites and reports, according to the APWG study.