Cybersecurity threats are on the rise, especially within health care organizations. Successful attacks can jeopardize patient care and protected health information. While many hospitals have taken steps to educate, inform and forewarn their faculty and staff about these events, few studies have quantified how susceptible hospital workers are to phishing attacks.

In response, Brigham investigators are leading new research that addresses this question through a multicenter study — aggregating data from six health care institutions that ran phishing simulations over seven years. Researchers reported a high click rate for simulated phishing, but they also saw a reduction in click rates with campaigns to increase awareness about recognizing phishing and similar concerns. The team’s findings were published this month in JAMA Network Open.

William Gordon

“Information security is increasingly important for health care organizations, and cybersecurity attacks are a major risk to a hospital’s ability to operate and deliver care,” said corresponding author William Gordon, MD, MBI, of the Division of General Internal Medicine and Primary Care. “Our study suggests that while the risk is high, there is an opportunity to mitigate it through training.”

Phishing attacks sent through email can lure individuals into disclosing sensitive personal information, such as hospital credentials, and clicking on links that download malicious software. Many organizations, including the Brigham, have made efforts to educate their faculty and staff to recognize and report these attacks by sending simulated phishing emails and subsequently retraining those who fall for them.

Brigham investigators collected data from the anonymized U.S. health care institutions that represented a broad spectrum of care and geography. In total, they analyzed click rates for more than 2.9 million simulated emails. The team reported that users clicked a simulated phishing link in 14 percent of these emails — roughly one in every seven messages. However, the odds of clicking on a phishing link decreased with frequent educational campaigns about phishing. After institutions had run 10 or more campaigns, the odds that faculty and staff would click the links in these emails decreased by more than a third.

The authors noted that many factors play into why an individual clicks on an email and that their study, which did not drill down to the level of looking at individual users, could not take all these complexities into account. In addition, the study could not answer whether the improvements may be sustainable, and for how long, after an educational campaign concludes.

“The rates that we report here are consistent with findings across other industries, where click rates can range from 13 to 49 percent, depending on the industry,” said Gordon. “But we know that in health care, the stakes are high. Patient data, patient care, patient trust and financial stability may be on the line. Understanding susceptibility, but also what steps can be taken to mitigate it, are critical as cyberattacks continue to rise.”

Phishing 101: 5 Tips for Protecting Your Email

Phishing is the fraudulent practice of sending emails that are crafted to trick you into giving up sensitive information or performing an action, such as clicking a link or opening an attachment. It may even look like it comes from a trusted, familiar source like Partners HealthCare, Human Resources or a bank.

Here are five things you can do to identify and fight phishing:

  • Be skeptical of emails from suspicious senders that are labeled “urgent” or rush you to take action.
  • If you receive a message that says you have a package being delivered when you aren’t expecting anything, it may be a phishing attempt.
  • Look out for spelling errors, odd formatting or being addressed as “dear sir or madam” in emails.
  • In the preview pane of Outlook, hover your mouse over the sender’s name to view their email address. Take note of whether it looks incorrect or unusual. For example, if the sender’s address comes from instead of or contains long strings of numbers and letters, then it is most likely a phishing attempt.
  • If you believe you’ve received a phishing email, highlight the message and click the “Report Phishing” button in the Outlook toolbar. You can also forward the message as an attachment to