How to Cut Healthcare Cyber Incidents by 80 Percent

Healthcare data breaches are among the costliest of any industry, and phishing is their leading cause.

Security technologies, while essential, are not enough to mitigate the threat posed by phishing. Over 90 percent of data breaches contain a phishing component, and the average cost to remediate a data breach is $3.86 million.

The silver lining is that an effective security awareness training program, combined with prompt response to user-reported threats, makes these incidents significantly less prevalent. Employees must therefore be prepared to identify and report the phishing emails that filtering technologies miss.

The Cost of Data Breaches

Recent Healthcare Data Breach   Records Stolen   Estimated Cost
Anthem Blue Cross               78.8 million     $23.3 billion
Premera Blue Cross              11 million       $2.8 billion
Banner Health                   3.62 million     $9.3 million

Data Breach Risk and Phishing

Based on PhishLabs' analysis, the average phishing susceptibility rate of healthcare organizations is approximately 30 percent. That means that for every 100 malicious emails that reach employees, 30 will result in a clicked link, an opened attachment, or a similarly undesirable action.

                                            Before Training   After Training
Susceptibility Rate                         30%               5%
Malicious Emails in User Inboxes (Daily)    124               124
Security Incidents (Daily)                  37                6
Security Incidents (Annually)               13,505            2,190

(Daily incidents are daily malicious emails multiplied by the susceptibility rate, rounded; annual incidents are daily incidents multiplied by 365.)

In-House vs. Managed Service

The proof is in the pudding. Security awareness training results show that employees drastically improve their ability to identify and report malicious emails. Because filtering technology will always miss some messages, it is not enough for users simply to identify and ignore a phish; they must also report the suspicious content so the security team can act on it.

Reported phishing emails are instrumental in the prevention and early identification of breaches. However, in-house security teams are typically unequipped to respond promptly to reported emails because of time and resource constraints. The comparison below shows what it costs to staff that response in-house versus through a partner; combined with the training results above, closing these gaps reduces incidents by as much as 80 percent.

Phishing Threat Analysis Provisions (3-year cost estimate)

                                  In-house, 8 am - 5 pm          In-house, 24/7                 PhishLabs
Est. Reported Emails (Annually)   27,000                         27,000                         27,000
Analysis and Response Time        30+ minutes/email + backlog    30+ minutes/email + backlog    Near real-time response*
Minimum FTEs Required             One manager,                   One manager,                   Not applicable
(U.S. health systems)**           one junior analyst             two junior analysts            (managed service)
3-Year Cost                       $900,000                       $1.2 million                   $315,000

*10-minute median response time to confirm an email as malicious and take action to deliver IOCs and other actionable intelligence.
**Managers estimated at $200,000/year and junior analysts at $100,000/year (including salary, bonus, benefits, training, etc.); the in-house figures are these annual staffing costs over three years.

PhishLabs offers a fully managed, customized anti-phishing training solution and a team of experts to monitor, analyze, and help mitigate employee-reported emails 24/7/365. Partnering with PhishLabs offers healthcare organizations a way to drastically reduce cyber incidents without overstretching internal security resources.

Attending HIMSS19? Join our presentation, The Phishing Incident Response Playbook. Most organizations understand the threat posed by phishing and have developed some form of anti-phishing program. However, many do not have resources and processes in place to quickly analyze and respond to all messages reported by users. Join this session to learn how to uncover, analyze, and contain phishing incidents. You can find us on Tuesday, February 12, 10:15 am in the Cybersecurity Command Center (Theater B).
