Phishing simulations expose employees to realistic phishing emails, helping identify vulnerabilities in human defenses and reducing the likelihood of falling victim to real attacks over time. A multicenter study across six U.S. healthcare institutions published in the JAMA Network noted, “Phishing is a common attack strategy against health care system employees and can be a remarkably accessible, low-cost, and effective way of obtaining real credentials to health care information systems or inducing employees to click on malicious software.” The study found that about one in seven phishing emails were initially clicked by employees, but repeated simulation campaigns decreased this rate.
Human errors in HIPAA breaches
A comprehensive study published in the Online Research Journal of Perspectives in Health Information Management that looked at 1,485 healthcare cybersecurity incidents affecting over 141 million records found that approximately 73 percent of affected records resulted from unintentional human factors, such as carelessness and negligence. The study goes on to note, “We hypothesized that data breaches in healthcare caused by unintentional human factors, such as carelessness, negligence, and falling victim to phishing and ransomware, outnumber those caused by malicious intent. Most healthcare executives lack overall information security, employee security awareness, and incident response strategies.” Common examples of human error include workforce members inadvertently emailing protected health information (PHI) to incorrect recipients, failing to use blind-copy functions when sending emails, and mistakenly mailing PHI to wrong addresses.
These errors reflect lapses in adherence to established policies rather than malicious intent. Notably, phishing attacks, where employees fall victim to deceptive emails, accounted for the largest share of records compromised by human error, affecting over 66 percent of the total breached records in this category. Other unintentional causes include technical misconfigurations by staff.
The problem with traditional training modules
Relying on standardized step-by-step instructions and written protocols can’t prepare staff for unexpected emergencies or unusual situations. A BMJ Quality & Safety article, ‘Issues in the design of training for quality and safety’, provides insight into the state of training: “Until very recently, healthcare delivery has been relatively untouched by advances in information technology and system engineering approaches that have transformed other sectors of society.” When training focuses mainly on memorizing checklists rather than building critical thinking and problem-solving skills, healthcare workers may struggle to respond effectively when things don’t go as planned.
On top of that, many healthcare organizations face underfunded IT systems and staff shortages, which limit their ability to provide thorough cybersecurity training. This often leads to risky behaviors like sharing passwords or using weak login practices. Altogether, this gap between textbook training and real-world demands leaves healthcare teams less prepared and healthcare organizations more vulnerable to evolving cyber threats.
What phishing simulations are and how they work
Phishing simulations are controlled, authorized exercises designed to mimic real-world phishing attacks in order to test and improve healthcare employees’ ability to recognize and respond to malicious emails. These simulations involve sending carefully crafted emails that resemble genuine phishing attempts, often incorporating tactics such as creating a sense of urgency, impersonating authority figures, or personalizing messages based on current events or organizational context to increase their realism and effectiveness.
For example, a large Italian hospital with over 6,000 staff conducted multiple phishing campaigns, finding that customized phishing emails tailored to local events were more likely to be opened and clicked than generic ones. When employees interact with these simulated phishing emails, they are immediately redirected to educational content that explains the risks and teaches how to identify phishing red flags, reinforcing learning in real time.
This immediate feedback loop helps transform a potentially risky behavior into a valuable training moment. Phishing simulations can be deployed organization-wide without disrupting daily workflows, making them a practical and scalable solution. Repeated simulations have been shown to reduce susceptibility over time; initial click rates around 16-30% can drop to single digits after multiple campaigns.
Why simulations satisfy ongoing security training
Phishing simulations immerse staff in realistic scenarios where they receive emails crafted to mimic actual phishing attempts. A Digital Health study provides a perspective on the benefit of phishing simulations: “Phishing simulations ensure that the skills and awareness of the users are tested in a naturalistic setting; users should hypothetically act in the same way as if they received a real phishing email.” According to the above-mentioned JAMA Network study, nearly one in seven simulated phishing emails were initially clicked by employees.
However, the study also demonstrated that with repeated phishing campaigns over time, the likelihood of employees clicking on malicious emails decreased, with median click rates dropping from around 30.7 percent to as low as 7.4 percent after multiple simulation rounds. These simulations provide real-time data that allow organizations to identify high-risk individuals or groups who may benefit from targeted education. By taking an active rather than passive approach, phishing simulations directly address the human factor.
The metrics that help identify staff for compliance training
Taken together, metrics like phishing click rates, threat reporting rates, and repeat offender tracking reveal who is most susceptible to falling for phishing attempts and who actively recognizes and reports suspicious emails. A high click rate on simulated phishing emails indicates employees who may lack awareness or vigilance, while a low reporting rate suggests disengagement or unfamiliarity with security protocols.
Organizations can use these metrics to segment their workforce into risk categories, allowing security teams to prioritize training resources effectively. This ensures that employees exhibiting risky behaviors receive customized education focused on their specific vulnerabilities, like recognizing phishing cues or practicing safer email habits. Alerts generated from these metrics enable immediate interventions, like sending tailored reminders or temporarily restricting access, to prevent potential breaches before they occur.
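As an added illustration (not code from the article or from any simulation vendor), the script below computes the three metrics just described from constructed campaign results and sorts each employee into a risk tier. The tiering thresholds and the sample data are assumptions chosen for the example; the per-campaign click-rate function shows the organization-wide downward trend the article describes.

```python
from collections import defaultdict

# Constructed sample results from three simulated campaigns (not real data):
# (campaign, employee, clicked_link, reported_to_security)
RESULTS = [
    ("2024-Q1", "alice", True, False), ("2024-Q1", "bob", False, True),
    ("2024-Q1", "carol", True, False), ("2024-Q1", "dave", False, False),
    ("2024-Q2", "alice", True, False), ("2024-Q2", "bob", False, True),
    ("2024-Q2", "carol", False, False), ("2024-Q2", "dave", False, False),
    ("2024-Q3", "alice", False, True), ("2024-Q3", "bob", False, True),
    ("2024-Q3", "carol", False, False), ("2024-Q3", "dave", False, False),
]

# Assumed tiering rules (illustrative): two or more clicks marks a repeat offender
# ("high"); a single click or a zero reporting rate (disengagement) is "medium".
def risk_tier(clicks, click_rate, report_rate):
    if clicks >= 2 or click_rate > 0.5:
        return "high"
    if clicks == 1 or report_rate == 0.0:
        return "medium"
    return "low"

def employee_metrics(results):
    """Per-employee click rate, report rate, repeat-offender flag and risk tier."""
    per = defaultdict(lambda: {"sent": 0, "clicks": 0, "reports": 0})
    for _campaign, emp, clicked, reported in results:
        rec = per[emp]
        rec["sent"] += 1
        rec["clicks"] += int(clicked)
        rec["reports"] += int(reported)
    out = {}
    for emp, rec in per.items():
        click_rate = rec["clicks"] / rec["sent"]
        report_rate = rec["reports"] / rec["sent"]
        out[emp] = {
            "click_rate": round(click_rate, 3),
            "report_rate": round(report_rate, 3),
            "repeat_offender": rec["clicks"] >= 2,
            "tier": risk_tier(rec["clicks"], click_rate, report_rate),
        }
    return out

def campaign_click_rates(results):
    """Organization-wide click rate per campaign, in order, to track the trend."""
    per = defaultdict(lambda: [0, 0])  # campaign -> [sent, clicks]
    for campaign, _emp, clicked, _reported in results:
        per[campaign][0] += 1
        per[campaign][1] += int(clicked)
    return {c: clicks / sent for c, (sent, clicks) in sorted(per.items())}
```

Employees in the "high" tier are the candidates for targeted education, while "dave" shows why reporting rate matters: he never clicked, but he also never reported anything.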
FAQs
What are common examples of human errors that lead to HIPAA breaches?
Typical human errors include misdirected emails or faxes containing PHI, loss or theft of unencrypted devices such as laptops or USB drives, improper disposal of records, and failure to use blind-copy functions when emailing multiple recipients.
Why is human error so prevalent in healthcare cybersecurity incidents?
Healthcare environments are high-pressure, often with understaffed IT teams and legacy systems that are difficult to secure. Employees may lack sufficient cybersecurity training or be overwhelmed by workflow demands, leading to shortcuts or lapses in security hygiene.
What are the main causes of healthcare data breaches?
Insider threats, hackers, and vulnerabilities in third-party relationships are primary drivers.
How long does it typically take for healthcare organizations to notify affected individuals after a breach?
In 2024, the average time to notify individuals after a breach was 205 days, up from 177 days the previous year. This delay can leave patients unaware of risks to their personal data for extended periods.