Investigating into phishing risk behaviour among healthcare staff: The phish or the patient? (Preprint)

Abstract

Through phishing attacks, the memory of the negative impact of security breaches in healthcare will remain with the inflicted for long. The healthcare sector is mostly associated with time sensitivity and the urgency to access patients’ records, especially during emergency situations. This creates a sense of force for management to opt for a ransom payment. Phishing is one of the less difficult ways to circumvent sophisticated technical security measures and it is used to exploit the psychological and other factors of the healthcare system users to succeed in the ransomware attack.

Motivated by these, this study empirically examined the phishing susceptibility level among healthcare staff in Ghana. The study seeks to determine phishing appraisal threat levels among healthcare staff as well as their ability to resist phishing baits. Such knowledge would help hospital authorities to adopt better strategies to improve upon the security practice of the healthcare staff in a way towards mitigating real potential attacks

Guided with the state-of-the-arts in phishing simulated study in healthcare and after deeply assessing the ethical dilemmas, an SMS-based phishing simulation was conducted among healthcare workers in Ghana. The study adopted an in-the-wild study approach alongside quantitative and qualitative surveys.

From the state-of-the-art studies, the in-the-wild study approach was commonly used as compared to laboratory-based experiments and statistical surveys because its findings are generally reliable and effective. The attack results showed that more than half of the targeted healthcare staff (61%) were susceptible to the attack. A survival bias phone call made to the participants showed that some of the healthcare staff were not victims. They prioritized patient care whereas other staff were victims because they were distracted by patient care. This raised a vital question as to what caused the susceptibility; is it the patient or the bait in the phishing? The intended phishing behavior risk of healthcare workers was generally lower than their actual behavior. A correlation between perception and work factor variables showed that perceived barrier was a predictor of self-reported intended phishing behaviour among healthcare staff, workload significantly predicted self-efficacy risk (r=0.494, p-value=0.05) and work emergency predicted perceived barrier risk in the reverse direction at a significant level of r=-0.401, p-value=0.05.

Based on the results, the study outlined various study implications including phishing security training, awareness and incentives with future directions for the scientific community to explore.