Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

7 Email security metrics that matter

Written by Kirsten Peremore | December 17, 2025

Email security metrics like phishing click rates, user reporting rates, and the share of suspicious emails that get blocked matter, because they put numbers behind both human behavior and technical gaps. Those numbers map directly to real risk. Roughly one in seven simulated phishing emails still gets clicked, and a small group of repeat offenders accounts for a large share of that risky behavior. 

As the authors of a Journal of the American Medical Informatics Association study bluntly warn, “Because it only takes 1 successful phishing attack to cause substantial damage to a healthcare organization, these click rates (with or without training) are highly concerning.”

When staff see realistic simulations and receive timely feedback, susceptibility tends to drop over time. That trend provides concrete evidence that awareness programs are working, instead of assuming success based on annual training completion alone. When certain teams or roles continue to show elevated metrics, the data points directly to where extra controls are needed.

Technical metrics matter just as much. Measuring how much inbound email is classified as suspicious and how many threats are blocked shows the true scale of exposure facing the organization. Those figures help security leaders explain why investment in filtering, monitoring, and incident response is not optional but necessary. 

1. Mean time to detect (MTTD)

MTTD usually refers to the average amount of time it takes for an organization to realize that a security incident has occurred. In plain terms, it measures how quickly a system notices that something is wrong. MTTD is treated as an indicator of resilience in cybersecurity environments because early detection limits how much damage an attacker can do before defenses kick in.

As research titled ‘Guarding Our Vital Systems: A Metric for Critical Infrastructure Cyber Resilience’ notes, “The increased occurrence and severity of cyber-attacks on critical infrastructure have underscored the need to embrace systematic and prospective approaches to resilience.” Faster detection is not just a technical goal; it is a prerequisite for containing harm.

In an email security context, MTTD translates to the time between when a malicious message lands in a user’s inbox and when it is recognized as dangerous and acted on. That action might involve an automated control flagging the message, a security team intervening, or a user reporting it, followed by removal or containment. The longer that window stays open, the more opportunity an attacker has to trick a user into clicking a link, sharing credentials, or launching malware.

2. Mean time to respond (MTTR)

MTTR reflects how efficiently an organization handles a security incident once it has been detected. It covers everything that happens after the alert, including triage and rolling out fixes like password resets or endpoint isolation. MTTR matters because phishing is still the most common way attackers break into healthcare environments. 

A PLOS Digital Health study makes it clear, “Phishing attacks remain a leading cybersecurity threat in U.S. healthcare organizations,” with nearly 59 percent of major security incidents starting with general email phishing. Every delay in response gives attackers more time to exploit that initial foothold.

When response drags on, attackers can move laterally, steal credentials, or disrupt systems that support patient care. Longer response times lead to greater operational disruption, as attackers use the gap between compromise and intervention to spread and interfere with clinical communications. Even short delays can have outsized effects in environments that rely on email for scheduling, care coordination, and access to electronic health records.
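The two timing metrics above are only useful if they are computed consistently from the same event timestamps. The following is an added example (not code from the Paubox post) that derives MTTD and MTTR in minutes from a constructed list of email incident records; the record layout (delivery, first-detection and containment timestamps, plus the source that detected it) is an assumption chosen for illustration. It also handles the edge case the prose implies: an incident that has been detected but not yet contained has no response time, so it must be excluded from MTTR rather than silently counted as zero.

```python
"""Mean time to detect (MTTD) and mean time to respond (MTTR) for email
incidents. Added example, not code from the Paubox post; the record layout
and the incident data are constructed for illustration."""
from datetime import datetime
from statistics import mean, median
from typing import Optional

# Constructed sample: one record per malicious email that reached an inbox.
# 'delivered' is when the message landed, 'detected' is the first moment any
# control or person flagged it, 'contained' is when it was quarantined or the
# account secured. None means the incident is still open.
INCIDENTS = [
    {"id": "inc-001", "delivered": "2025-12-01T08:02:00",
     "detected": "2025-12-01T08:47:00", "contained": "2025-12-01T09:30:00",
     "source": "user_report"},
    {"id": "inc-002", "delivered": "2025-12-02T13:10:00",
     "detected": "2025-12-02T13:11:00", "contained": "2025-12-02T13:25:00",
     "source": "gateway"},
    {"id": "inc-003", "delivered": "2025-12-03T07:55:00",
     "detected": "2025-12-04T10:05:00", "contained": None,
     "source": "soc"},
    {"id": "inc-004", "delivered": "2025-12-05T16:20:00",
     "detected": "2025-12-05T18:05:00", "contained": "2025-12-05T18:50:00",
     "source": "user_report"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detection_minutes(rec: dict) -> float:
    """Window between delivery and first detection (the MTTD input)."""
    return (_ts(rec["detected"]) - _ts(rec["delivered"])).total_seconds() / 60


def response_minutes(rec: dict) -> Optional[float]:
    """Window between detection and containment; None while still open."""
    if rec["contained"] is None:
        return None
    return (_ts(rec["contained"]) - _ts(rec["detected"])).total_seconds() / 60


def mttd(incidents: list) -> float:
    return mean(detection_minutes(r) for r in incidents)


def mttd_median(incidents: list) -> float:
    # The mean is dragged up by a single slow detection (inc-003 here);
    # reporting the median alongside it shows the typical case.
    return median(detection_minutes(r) for r in incidents)


def mttr(incidents: list) -> Optional[float]:
    # Open incidents have no response time yet. Excluding them keeps the
    # mean honest; None signals that nothing has been closed.
    closed = [response_minutes(r) for r in incidents if r["contained"] is not None]
    return mean(closed) if closed else None


def mttd_by_source(incidents: list) -> dict:
    """Average detection time per detecting source, to compare controls."""
    by_source: dict = {}
    for r in incidents:
        by_source.setdefault(r["source"], []).append(detection_minutes(r))
    return {src: mean(vals) for src, vals in by_source.items()}


def open_incidents(incidents: list) -> list:
    return [r["id"] for r in incidents if r["contained"] is None]


if __name__ == "__main__":
    print("MTTD (min):", mttd(INCIDENTS), "median:", mttd_median(INCIDENTS))
    print("MTTR (min):", mttr(INCIDENTS))
    print("MTTD by source:", mttd_by_source(INCIDENTS))
    print("Still open:", open_incidents(INCIDENTS))
```

On the constructed data the gateway detects in one minute, user reports take over an hour, and the one incident found by the SOC more than a day later dominates the mean, which is why the median is reported next to it. Splitting MTTD by detecting source is what turns the aggregate number into a pointer at which control, or which team, is slow.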

3. False positive and false negative rates

A false positive happens when a legitimate email, such as a message from a patient or a routine vendor update, gets flagged as dangerous and never reaches the inbox. That kind of mistake in healthcare organizations does more than create annoyance. 

It disrupts clinical workflows and slowly undermines trust in security alerts. Rigid, rule-based filters are a common cause. Teams can tune those rules, but doing so takes time and adds to alert fatigue for staff who already deal with heavy email volumes.

As one study ‘Why Employees (Still) Click on Phishing Links: Investigation in Hospitals’ puts it, “Hospitals have been one of the major targets for phishing attacks,” and despite ongoing compliance efforts, they “still significantly suffer from such attacks, impacting the quality of care and the safety of patients.”

A false negative is the opposite problem and often the more serious one. It occurs when a real phishing email slips through defenses and lands in a user’s inbox. That opens the door to stolen credentials, malware, and potential access to electronic health records.

4. Phishing email report rates

Phishing email report rates show how often employees spot suspicious messages and actively report them to the security team, either during phishing simulations or in day-to-day work. These numbers in healthcare reveal how alert people really are. 

As one multicenter hospital Digital Health study explains, “reporting behavior provides a complementary measure of phishing awareness that captures user vigilance beyond click-through rates alone.” That complementary view matters because median click rates in US hospital simulations still hover around 16.7 percent, even in organizations running ongoing awareness programs. 

In some large health systems, low engagement with flagged simulations helped identify groups of staff who were exposed to phishing attempts but did not report them. That insight allows security teams to move beyond broad, one-size-fits-all training and focus attention on higher-risk users who need extra support.

5. End-user click rate

End-user click rate measures how often people actually click on links in phishing emails, usually during simulations, and it is one of the clearest ways to see how vulnerable employees are to social engineering. A JAMA Network study across U.S. hospitals that analyzed more than 2.9 million simulated phishing emails found a median click rate of about 16.7 percent, meaning nearly one in seven messages still gets clicked. Some institutions did better, while others saw click rates climb above 30 percent, showing how uneven risk can be across the sector.

The good news is that behavior can change. In one large hospital system, click rates fell from roughly 18 percent in early campaigns to about 7 percent by the third round of simulations. Repeated exposure helped staff recognize common tricks, like fake urgency or messages that pretend to come from internal systems. These results also show that risk is not evenly distributed. A small group of repeat clickers often drives a large share of the problem. 
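Sections 3, 4 and 5 describe four rates that are usually computed from two different data sets: filter verdicts compared against later-confirmed truth (false positive and false negative rates), and phishing simulation outcomes (click rate, report rate, repeat clickers, and staff who were exposed but never reported). The following is an added example, not code from the Paubox post; the record layouts and the sample data are constructed, and the rate definitions are the standard ones (false positive rate as the share of benign mail blocked, false negative rate as the share of malicious mail allowed, click and report rates as fractions of messages sent).

```python
"""Filter accuracy and phishing-simulation metrics. Added example, not code
from the Paubox post; all records below are constructed for illustration."""
from collections import Counter

# Constructed: gateway verdict versus the later-confirmed nature of each message.
FILTER_LOG = [
    {"msg": "m1", "verdict": "block", "truth": "malicious"},
    {"msg": "m2", "verdict": "allow", "truth": "benign"},
    {"msg": "m3", "verdict": "block", "truth": "benign"},     # patient mail blocked
    {"msg": "m4", "verdict": "allow", "truth": "malicious"},  # phish delivered
    {"msg": "m5", "verdict": "allow", "truth": "benign"},
    {"msg": "m6", "verdict": "block", "truth": "malicious"},
    {"msg": "m7", "verdict": "allow", "truth": "benign"},
    {"msg": "m8", "verdict": "allow", "truth": "malicious"},
]

# Constructed: one row per simulated phishing email sent, across three rounds.
SIMULATION = [
    {"campaign": 1, "user": "alice", "clicked": True,  "reported": False},
    {"campaign": 1, "user": "bob",   "clicked": False, "reported": True},
    {"campaign": 1, "user": "carol", "clicked": True,  "reported": False},
    {"campaign": 1, "user": "dave",  "clicked": False, "reported": False},
    {"campaign": 2, "user": "alice", "clicked": True,  "reported": False},
    {"campaign": 2, "user": "bob",   "clicked": False, "reported": True},
    {"campaign": 2, "user": "carol", "clicked": False, "reported": True},
    {"campaign": 2, "user": "dave",  "clicked": False, "reported": False},
    {"campaign": 3, "user": "alice", "clicked": True,  "reported": False},
    {"campaign": 3, "user": "bob",   "clicked": False, "reported": True},
    {"campaign": 3, "user": "carol", "clicked": False, "reported": True},
    {"campaign": 3, "user": "dave",  "clicked": False, "reported": True},
]


def filter_rates(log: list) -> tuple:
    """Return (false_positive_rate, false_negative_rate).

    FPR = benign messages blocked / all benign messages
    FNR = malicious messages allowed / all malicious messages
    Both denominators are guarded so an empty class yields 0.0, not an error.
    """
    counts = Counter((r["truth"], r["verdict"]) for r in log)
    benign = counts[("benign", "block")] + counts[("benign", "allow")]
    malicious = counts[("malicious", "block")] + counts[("malicious", "allow")]
    fpr = counts[("benign", "block")] / benign if benign else 0.0
    fnr = counts[("malicious", "allow")] / malicious if malicious else 0.0
    return fpr, fnr


def campaign_rates(rows: list) -> dict:
    """Per campaign: (click_rate, report_rate) as fractions of messages sent."""
    sent, clicks, reports = Counter(), Counter(), Counter()
    for r in rows:
        sent[r["campaign"]] += 1
        clicks[r["campaign"]] += int(r["clicked"])
        reports[r["campaign"]] += int(r["reported"])
    return {c: (clicks[c] / sent[c], reports[c] / sent[c]) for c in sorted(sent)}


def repeat_clickers(rows: list, min_clicks: int = 2) -> list:
    """Users who clicked in at least min_clicks campaigns."""
    per_user = Counter(r["user"] for r in rows if r["clicked"])
    return sorted(u for u, n in per_user.items() if n >= min_clicks)


def click_share(rows: list, users) -> float:
    """Fraction of all simulation clicks attributable to the given users."""
    total = sum(int(r["clicked"]) for r in rows)
    subset = sum(int(r["clicked"]) for r in rows if r["user"] in users)
    return subset / total if total else 0.0


def never_reported(rows: list) -> list:
    """Users exposed in at least one campaign who have never reported one."""
    exposed = {r["user"] for r in rows}
    reporters = {r["user"] for r in rows if r["reported"]}
    return sorted(exposed - reporters)


if __name__ == "__main__":
    print("filter FPR/FNR:", filter_rates(FILTER_LOG))
    print("click/report rate by campaign:", campaign_rates(SIMULATION))
    repeaters = repeat_clickers(SIMULATION)
    print("repeat clickers:", repeaters, "share of clicks:",
          click_share(SIMULATION, set(repeaters)))
    print("exposed but never reported:", never_reported(SIMULATION))
```

On the constructed data the click rate falls from 50 percent in round one to 25 percent by round three while the report rate rises from 25 to 75 percent, which is the trend the article describes, and a single user accounts for three of the four clicks, illustrating why repeat clickers and never-reporters are the groups worth targeting with extra support rather than the whole staff.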

6. Account takeover attempts detected

Account takeover attempts show up when attackers either succeed or come close to taking control of a user’s email account. In healthcare, these incidents usually trace back to phishing, followed by tactics like credential stuffing, password spraying, or hijacked sessions. 

As one study, ‘Healthcare Data Breaches: Insights and Implications,’ puts it, “The study found that hacking/IT incidents are the most prevalent forms of attack behind healthcare data breaches, followed by unauthorized internal disclosures.” Across multi-year analyses, hacking alone accounted for more than 64% of exposed healthcare records.

7. Email volume by threat category

Tracking email volume by threat category means sorting incoming messages into buckets like phishing, malware, spam, or business email compromise, and then seeing how much of each shows up in the inbox over time. The exercise sounds simple, but the insight it provides is powerful. 

The previously mentioned study, ‘Healthcare Data Breaches: Insights and Implications,’ found that about 17.5% of reported healthcare breaches between 2010 and 2019 involved email accounts, with phishing and ransomware becoming more common as attackers learned to hide in high-volume inboxes. When security teams break traffic down this way, patterns emerge quickly. 

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

Can email metrics predict future attacks?

Long-term metric trends can reveal attacker preferences and seasonal patterns that help anticipate future campaigns.

Why is benchmarking email metrics difficult in healthcare?

Benchmarking is limited by underreporting, inconsistent definitions, and regulatory constraints around sharing security data.

How do email metrics expose workflow-related risk?

Spikes in clicks or delayed responses often align with clinical workload surges, staffing shortages, or system downtime.