Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions


April 24, 2020

The security of health care data and systems is rapidly emerging as a critical component of hospital infrastructure, and attacks on hospital information systems have had substantial consequences, with closed practices, canceled surgical procedures, diverted ambulances, disrupted operations, and damaged reputations. Attacks against hospitals have been increasing, with substantial financial cost as well. In a recent well-publicized example, a large hospital network was taken offline by a virus for almost 2 weeks, resulting in service disruption, patient confusion, and delays in radiation therapy, among other repercussions. Health care delivery has become increasingly dependent on integrated, complex information systems that are susceptible to disruption. Securing our health information systems is critical to safe and effective care delivery and is now of public health concern.[7]

Phishing is the practice of deceiving individuals into disclosing sensitive personal information or clicking on links that introduce malicious software through deceptive electronic communication.[8] Usually done via email, phishing is a common attack strategy against health care system employees and can be a remarkably accessible, low-cost, and effective way of obtaining real credentials to health care information systems or inducing employees to click on malicious software.[9] Phishing emails can be realistic, and the sender’s identity is frequently spoofed, or deliberately faked, so as to appear to be sent by a trusted individual or organization. Once an attacker has access to a system, they can steal personally identifiable information and sell it for profit, disrupt system availability, encrypt a database and demand a ransom payment to unlock it (“ransomware”), manipulate and falsify clinical data, or perform other malicious activities. A recent report indicated that 55% of physicians have experienced a phishing attack.

Employee awareness and training represent an important component of protection against phishing attacks. One method of generating awareness and providing training is to send simulated phishing emails to a group of employees and subsequently target educational material to those who inappropriately click or enter their credentials. For reference, 2 examples of phishing emails are listed in eTable 1 in the Supplement. The first email is a phishing simulation, and the second is an actual phishing email received at 1 of the participating institutions. As shown, the emails can be realistic and often appear to be sent by a trusted individual or member of the employee’s organization. Phishing simulation is common in many industries and is also being used in health care, typically as a training and improvement initiative. The simulated emails are designed to be as close as possible to real phishing emails; if the simulated email is clicked, it is used as a real-time opportunity to provide short phishing education to the employee. Several vendors exist that offer phishing simulation as a service (eg, composing and sending the simulation emails, collecting employee responses, providing phishing training, and reporting on click rates to hospital leadership). In this context, we examined the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations and identified potential determinants of vulnerability to email phishing simulation.
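As an added example, not code from the paper or from any of the simulation vendors it mentions, the following Python script shows how the results of such a simulation programme could be summarised for leadership (click rate and credential-entry rate per round and per department) and used to pick employees for targeted follow-up training. The record layout, the employee identifiers and the sample rows are constructed assumptions.

```python
"""Summarise phishing-simulation rounds and choose employees for follow-up training."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: int              # ordinal of the simulation round (1 = first round sent)
    employee: str              # hypothetical employee identifier
    department: str
    clicked: bool              # followed the simulated malicious link
    entered_credentials: bool  # went on to type credentials into the landing page


def validate(results):
    """A credential entry without a click is a logging error, not a possible outcome."""
    for r in results:
        if r.entered_credentials and not r.clicked:
            raise ValueError(f"{r.employee}: credentials recorded without a click")
    return results


def rates_by(results, key):
    """Map key(result) -> (click rate, credential-entry rate) as fractions of emails sent."""
    sent, clicked, creds = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in validate(results):
        k = key(r)
        sent[k] += 1
        clicked[k] += int(r.clicked)
        creds[k] += int(r.entered_credentials)
    return {k: (clicked[k] / sent[k], creds[k] / sent[k]) for k in sent}


def training_queue(results, min_clicks=2):
    """Employees who clicked in at least min_clicks rounds or ever entered credentials."""
    rounds_clicked, gave_creds = defaultdict(set), set()
    for r in validate(results):
        if r.clicked:
            rounds_clicked[r.employee].add(r.campaign)
        if r.entered_credentials:
            gave_creds.add(r.employee)
    repeat = {e for e, rounds in rounds_clicked.items() if len(rounds) >= min_clicks}
    return sorted(repeat | gave_creds)


# Constructed sample rows (not data from the study): two rounds, three employees.
SAMPLE = [
    Result(1, "e01", "radiology", True, True),
    Result(1, "e02", "radiology", True, False),
    Result(1, "e03", "pharmacy", True, False),
    Result(2, "e01", "radiology", True, False),
    Result(2, "e02", "radiology", False, False),
    Result(2, "e03", "pharmacy", False, False),
]
```

Grouping by `r.campaign` gives the per-round trend leadership usually asks for, while grouping by `r.department` shows where training effort should be concentrated.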
