78 Percent of U.S. Healthcare Providers Were Hit by Email Cyber Attacks in 2017

Fully 78 percent of U.S. healthcare providers have already suffered an email-related cyber attack in the form of ransomware, malware, or both in the last 12 months, according to a recent Mimecast survey of 76 IT security professionals at U.S. healthcare facilities.

While 93 percent of respondents rate email as mission-critical to their organization and almost half say they can’t live with email downtime, 87 percent expect the volume of email-related security threats to increase or increase significantly in the future.

Eighty-three percent said ransomware is the most concerning type of email-related threat, followed by malware, targeted attacks such as spear phishing, and business email compromise.

Four out of five respondents use email to share protected health information (PHI).

Improving Resilience

Ninety-seven percent of respondents have a high level of concern about cyber security and resilience. In response, 94 percent are working on initiatives to prevent malware and/or ransomware attacks, 90 percent are providing employees with security awareness training, and 77 percent are working to secure email.

“This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyber threats are real and growing — surprisingly, even more so than the threats to electronic medical records (EMRs), laptops and other portable electronic devices,” Mimecast cyber resilience strategist David Hood said in a statement.

“It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do,” Hood added.

To improve email security, Mimecast suggests taking the following five key steps:

  1. Train employees on the risks inherent in email — real-time reminders are better than annual training.
  2. Analyze inbound attachments with multiple AV engines, safe file conversion and behavioral sandboxing.
  3. Apply URL checking at the time a user clicks, not when it enters the organization.
  4. Inspect outbound emails for protected health information, other sensitive content and threats.
  5. Increase cyber resilience against ransomware and other sources of data destruction with backup capabilities and continuity solutions.

Growing Awareness

Separately, PhishMe’s 2017 Enterprise Phishing Resiliency and Defense Report, based on a study of 1,400 of the company’s customers worldwide, found that susceptibility to phishing emails has dropped steadily over the past few years, from 14.1 percent in 2015 to 12.9 percent in 2016 and 10.8 percent in 2017.

At the same time, reporting rates have risen from 13.8 percent in 2015 to 16.2 percent in 2016 and 20.7 percent in 2017.

While fear, urgency and curiosity were the top emotional motivators behind successful phishing attacks in previous years, they’ve been replaced by entertainment (19.5 percent), social media (16 percent) and reward/recognition (13.8 percent).

“With phishing attacks up 65 percent worldwide from last year, this continues to be the number one cyber threat to organizations of all sizes,” PhishMe CTO and co-founder Aaron Higbee said in a statement. “Phishing attacks have the ability to skirt technology and target human emotion, making it imperative that organizations empower their employees to be part of the solution.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
