The state of phishing in 2020 might be bad news for your clinic

Proofpoint, a leading global cybersecurity company, just released a report titled “The State of the Phish: an in-depth look at user awareness, vulnerability and resilience” that every clinic owner, manager, and privacy officer needs to read. The report examines data collected from 600 information security professionals in 7 countries. It lays out the real threat from phishing by exposing prevalence, preparedness, and how attacks get in to damage businesses.

It’s an important read that will provide you with many clues as to how you should protect your clinic from the very real threat of phishing.

Phishing is a growing threat for every type of business.

The report states that65% of US organizations experienced a successful spear phishing attack(a phishing attack that is targeted to a specific organization or individual) last year.Half of those organizations suffered a ransomware infectionbecause of it, and 35% of spear phished companies suffered financial loss.

86% of organizations in the study faced business email compromise (BEC) attacks. Over half of those companies saw more than 11 attempts, up to well over 100.

The most startling statistic to come out of the report is that33% of surveyed organizations paid a ransom to regain access to their data in 2019. Of those, 22% did not get their data back, and 2% had to pay more than they did initially to fully recover their data.

There is a long list of costs to an organization that suffers a phishing attack.

Proofpoint puts the potential damage businesses face from phishing attacks in clear focus with a detailed list of losses suffered directly or indirectly following an attack.

  • Business downtime– An attack will likely limit your ability to operate and divert human resources away from your core business for a period of time often measured in days, weeks, or months.
  • Remediation time – Many organizations that suffer these types of cyber attacks require months of effort to return to full strength operations that may require additional IT support.
  • Damage to reputation – Patients aren’t forgiving when clinics suffer a preventable privacy attack. Typically, clinics lose 30%-70% of patients immediately upon notification, and then they go tell their neighbors what happened.
  • Direct monetary losses – Loss of business due to downtime in addition to any potential ransoms paid to regain access to data as well as increased IT support costs can add up to six figure numbers quickly. That’s before fines.
  • Compliance issues/fines – Phishing and ransomware attacks are very often reportable privacy breaches. If a regulatory investigation determines your clinic did not have required policies and procedures in place, it is very likely that fines will be levied. The smallest fine for a HIPAA violation ever handed out so far was $10,000.
  • Legal fees – Navigating the aftermath of a privacy breach will require the support of legal advice. Privacy lawyers are specialized experts that are in high demand.


The report recommends you prioritize cyber security.

According to the authors, “If you deprioritize best practices and cybersecurity initiatives, so will your employees.”

78% of organizations say security awareness training reduces your organization’s susceptibility to phishing attacks. The Proofpoint survey found that only 31% of staff understand what ransomware is, and as little as 49% of people know what phishing is. Knowing the risks associated with phishing and ransomware is critical to keeping these attacks out of your clinic. Staff need to know what they’re looking for before they can block it.

Proofpoint suggests that you “set the tone that cybersecurity is important at all levels”. For starters, make security awareness training part of your on-boarding process and then keep those skills and knowledge sharp with on-going training.

Phishing and ransomware awareness is a part of your clinic’s overall privacy compliance program.