Research looks to explain why healthcare employees fall prey to phishing
Efforts by healthcare providers and insurers to improve information security are being thwarted because employees won’t stop clicking on phishing emails.
A study by researchers at Massachusetts General Hospital, the Massachusetts Institute of Technology and University of Muenster, Germany, investigates why clicking continues by analyzing the actual clicking data.
Researchers conducted surveys in hospitals to assess compliance intention of clickers, matching their results with their actual clicking data derived from phishing campaigns.
The research looked at the impact of the Theory of Planned Behavior (TPB), which aims to predict a person’s intention to engage in a behavior that will have an expected outcome after evaluating risks and benefits, according to the Boston University School of Public Health.
TPB matters here because the digitization of health records is transforming the health industry: providing and sharing information via information systems leaves less room for human error, since patients are monitored more often, the researchers explain.
However, data breaches can have significant consequences for patient safety and the organization as a whole, as just one innocent click could expose a network to hackers.
Consequently, the researchers, noting that another recent study on phishing found that 14 percent of phishing emails were clicked by hospital employees, take healthcare organizations to task for the lack of better security.
While providers are taking steps to educate employees and increase cybersecurity awareness, the efforts remain insufficient, as evidence shows that 70 percent of hospitals have not established sufficient privacy and security measures.
Just as trust has been researched on the interpersonal level, research on trust in technology also has grown. When individuals find themselves in risky situations in which they have to depend on technologies, trust in technology becomes essential, according to the researchers. “Individuals are sensitive to the functioning of that specific technology. Similar to trust in people, trust in technology is formed based on the perception of the attributes of technology.”
As part of the research, a cybersecurity company sent out phishing emails among several hospitals in the eastern United States. The emails were structured in a way that participants would not know they were being tested, so they behaved as if they got a real phishing email.
All of the emails contained a hyperlink, and the campaign recorded the identity of each person who received an email and whether that person clicked the link. Participating hospitals received this information. In total, 488 people participated in the study.
Among the principal findings, the researchers found that attitudes, the subjective norm (the perceived social pressure to perform or not perform a behavior) and perceived behavioral control were all positively related to the intention to comply with the organization’s information security policies. They also found that management can influence how employees perceive security policies, which carries an important benefit: trust in management reduces the risk that employees read security policies as a sign that management distrusts them and their abilities. Consequently, employees may come to understand that internet security policies are not designed to reduce their freedom, but to enhance their protection.