What Makes Healthcare So Vulnerable to Phishing Attacks?

April 1, 2021

Phishing has frightening implications for all of us—for our bank accounts, our credit worthiness, and our most private information—our healthcare data. But recent events have made it clear that phishing has some particularly severe consequences for healthcare organizations. So how do we prepare ourselves to defend against phishing attacks? More importantly, given that employees are the frontline in our defense against these kinds of attacks, how do we train employees to recognize and avoid the threats?

HealthStream interviewed Steven Conrad, Managing Director of MediaPro, to learn more about how healthcare organizations can defend against this type of cyberattack. Conrad has experience in improving organizational performance through effective learning solutions and has also worked at the strategic level with many organizations to determine how technology can be leveraged to improve human performance and protect organizations from cyberattacks.

What Makes Us Vulnerable?

When asked about employee readiness to defend against a breach, Conrad points to the results of a recent MediaPro survey that showed just 28% of healthcare employees demonstrated the privacy and security awareness necessary to prevent incidents that could lead to a breach. Of the 850 healthcare employees surveyed, the majority (72%) were rated a “security risk” or “novice” based on their survey responses, demonstrating a clear need for better training (Schwartz, 2017).

Conrad believes that the most susceptible organizations are the ones that fail to direct their focus and resources to where they are really the most vulnerable: their people. Conrad says, “The hardware and software technology is great and is very effective, but now we need to focus on the human element and ensure that we are educating employees to properly protect data and reduce risk.” In healthcare, the biggest payout for attackers comes from blocking access to data, in other words ransomware. Conrad says, “If a bad actor can lock down their files, they’re going to pay up and they’re going to pay up fast.”

Conrad cites several reasons healthcare is particularly vulnerable to cyberattacks. For one thing, healthcare simply doesn’t have the resources to protect itself the way other industries do. Additionally, there is a relatively high employee turnover rate in healthcare, which makes training more complicated. It’s also an industry with a lot of very time-sensitive and critical data that is spread across multiple locations, ranging from the inpatient setting to ancillary locations and physician offices.

Physicians and their office staff are key targets for ransomware and phishing attacks. Conrad explains, “They work in a fast-paced environment that values patient satisfaction. Because of this, they may look to respond quickly to a phishing email attempt and miss the warning signs. A hasty decision, made with good intentions, can easily lead to very severe consequences.”

This blog post excerpts an article in our complimentary eBook, Workforce Readiness: Preparing Today for Tomorrow’s Unknown. Download it here.
Schwartz, J. (2017). “Infographic: 2017 Privacy and Security Awareness in Healthcare,” MediaPro, https://www.mediapro.com/blog/infographic-2017-privacy-security-awareness-healthcare/