Assuntos
Registros Eletrônicos de Saúde/estatística & dados numéricos , Aceitação pelo Paciente de Cuidados de Saúde/estatística & dados numéricos , Smartphone/estatística & dados numéricos , Interface Usuário-Computador , Boston , Estudos de Casos e Controles , Registros Eletrônicos de Saúde/normas , Humanos , Razão de Chances , Smartphone/instrumentação , Smartphone/normas , Estatísticas não ParamétricasRESUMO
Importance: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees. Objective: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations. Design, Setting, and Participants: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns. Exposures: Simulated phishing emails received by employees at US health care institutions. Main Outcomes and Measures: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related). Results: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2â¯971â¯945 emails, 422â¯062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns). Conclusions and Relevance: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.
Assuntos
Segurança Computacional , Correio Eletrônico , Sistemas de Informação Hospitalar/normas , Recursos Humanos em Hospital/estatística & dados numéricos , Gestão de Riscos , Segurança Computacional/normas , Segurança Computacional/estatística & dados numéricos , Coleta de Dados , Hospitais/estatística & dados numéricos , Humanos , Melhoria de Qualidade , Estudos Retrospectivos , Gestão de Riscos/métodos , Gestão de Riscos/estatística & dados numéricos , Estados UnidosRESUMO
BACKGROUND: US cholesterol guidelines use original and simplified versions of the Framingham model to estimate future coronary risk and thereby classify patients into risk groups with different treatment strategies. We sought to compare risk estimates and risk group classification generated by the original, complex Framingham model and the simplified, point-based version. METHODS: We assessed 2,543 subjects age 20-79 from the 2001-2006 National Health and Nutrition Examination Surveys (NHANES) for whom Adult Treatment Panel III (ATP-III) guidelines recommend formal risk stratification. For each subject, we calculated the 10-year risk of major coronary events using the original and point-based Framingham models, and then compared differences in these risk estimates and whether these differences would place subjects into different ATP-III risk groups (<10% risk, 10-20% risk, or >20% risk). Using standard procedures, all analyses were adjusted for survey weights, clustering, and stratification to make our results nationally representative. RESULTS: Among 39 million eligible adults, the original Framingham model categorized 71% of subjects as having "moderate" risk (<10% risk of a major coronary event in the next 10 years), 22% as having "moderately high" (10-20%) risk, and 7% as having "high" (>20%) risk. Estimates of coronary risk by the original and point-based models often differed substantially. The point-based system classified 15% of adults (5.7 million) into different risk groups than the original model, with 10% (3.9 million) misclassified into higher risk groups and 5% (1.8 million) into lower risk groups, for a net impact of classifying 2.1 million adults into higher risk groups. These risk group misclassifications would impact guideline-recommended drug treatment strategies for 25-46% of affected subjects. Patterns of misclassifications varied significantly by gender, age, and underlying CHD risk. CONCLUSIONS: Compared to the original Framingham model, the point-based version misclassifies millions of Americans into risk groups for which guidelines recommend different treatment strategies.