
Case Study: Phishing Training in a Large Hospital

Post Summary

Hospitals are prime targets for phishing attacks due to high-pressure environments and valuable patient data. A case study from Fondazione Policlinico Gemelli, a large Italian hospital, reveals how phishing training can reduce risks. Key takeaways include:

  • Realistic simulations work best: Customized phishing emails mimicking internal communications were more effective in identifying vulnerabilities than generic templates.
  • Immediate feedback improves outcomes: Staff who received on-the-spot training after falling for phishing attempts were less likely to repeat mistakes.
  • Collaboration is key: Success depended on teamwork across departments, clear communication, and avoiding punitive approaches.
  • Results show progress: Click rates on phishing emails dropped significantly, and staff began actively reporting suspicious emails.

This approach highlights how consistent training and engagement can help healthcare organizations protect sensitive data and maintain patient care systems.

The Problem: Phishing Risks Before Training

What Prompted Action: Incidents and Risk Assessment

In October 2020, the University of Vermont Medical Center faced a serious breach when a staff member unknowingly clicked on a phishing email. That single action triggered ransomware, locking the hospital’s EMR system for an entire month. The fallout was severe - patients had to be diverted, and staff resorted to manual operations [4].

Phishing was responsible for 60% of all data breaches in the healthcare industry, and attacks on healthcare organizations globally were increasing at more than twice the rate of other sectors [10]. Valerie Breslin Montague from Nixon Peabody LLP summed it up well:

It only takes one successful phishing incident to paralyze a system that is critical to the patient care provided by a health care organization [6].

This incident, coupled with broader trends, revealed serious vulnerabilities that demanded immediate attention.

Main Vulnerabilities Discovered

The hospital’s evaluation after these events uncovered several key weaknesses. One of the biggest issues was staff fatigue. Under high-pressure conditions, employees often missed subtle red flags in phishing emails [2][8]. In baseline assessments at similar institutions, 30% of employees fell for phishing attempts before any training was introduced [5].

Another alarming finding was the effectiveness of customized phishing emails. For example, in an Italian hospital, 62% of staff opened phishing emails tailored to local events, compared to 36% who opened generic ones [2]. Research confirmed that personalization made phishing attacks far more convincing [2].

Equally troubling was the general attitude toward cybersecurity. Many employees viewed it as someone else’s responsibility [7]. This mindset contributed to low reporting rates of suspicious emails. Traditional awareness efforts - like brochures, screensavers, and occasional reminders - failed to change behavior meaningfully [5]. It became clear that the hospital needed a completely new approach to protect its patients and critical systems effectively.

How the Hospital Built and Launched Its Training Program

Training Methods and Technology Used

To address the vulnerabilities its assessment had uncovered, Fondazione Policlinico Gemelli developed a training strategy centered on realistic scenarios. The hospital launched a multi-phase simulation program using both generic and customized phishing emails. Over three campaigns, conducted between March 2019 and September 2020 at four-month intervals, the team worked with an external consultancy to manage the backend software and email delivery [1].

What made the approach especially effective was the customization of phishing emails to resemble actual hospital communications. Instead of relying on generic templates, they designed emails mimicking internal messages - such as training reminders, Christmas bonus updates, and COVID-19-related notifications. This personalization paid off: 62% of staff opened these tailored emails compared to 36% who opened generic ones. Even more telling, click rates jumped from 7% for generic emails to 55% for customized attempts [1]. Employees who clicked on the links were redirected to a landing page explaining the simulation and providing eight actionable tips for spotting phishing threats [1]. For those who repeatedly engaged with the simulated phishing attempts - five or more times - the hospital required them to complete mandatory online courses through platforms like HealthStream [9].

This technical setup laid the foundation for widespread institutional participation. Such initiatives align with findings from the healthcare cybersecurity benchmarking study, which highlights the importance of maturity and resiliency in hospital defenses.

Who Was Involved and How They Communicated

The success of the training program depended on collaboration across multiple departments. At Fondazione Policlinico Gemelli, the Data Protection Office teamed up with the ICT Service to spearhead the initiative [1]. In the U.S., healthcare systems often involved chief information security officers, IT teams, and security operations centers, alongside breach response units that included HR, Legal, Operations, Communications, and Management.

For example, Geisinger Health System in Pennsylvania took a proactive approach by hiring a full-time cybersecurity communications specialist in 2019. David Stellfox, in this role, conducted monthly phishing simulations and organized presentations led by the CISO, addressing groups ranging from 20 to 1,500 employees [7]. To keep cybersecurity top of mind, the team utilized platforms like Yammer and regularly updated their SharePoint site.

Employees retain training better when delivered by engaged local colleagues, not distant administrators. - David Stellfox, Cybersecurity Communications Specialist, Geisinger [7]

Transparency was a key communication strategy. Staff were informed about the phishing simulations but were not told when or what to expect. This approach helped build a culture of vigilance while avoiding unnecessary stress.

Problems Encountered During Rollout

Despite its thoughtful design, the program faced several hurdles. At Fondazione Policlinico Gemelli, a "Christmas bonus" phishing simulation had to be stopped after labor union complaints about the false promise of extra pay [1]. In another instance, an anti-virus system upgrade caused simulated emails to be flagged as spam, distorting the results.

Another significant challenge was overcoming the perception that the program was punitive. Initially, many employees hesitated to report mistakes, fearing disciplinary action for clicking on phishing links. Geisinger tackled this issue by emphasizing a supportive rather than punitive approach. As David Stellfox shared:

We steered very clear of any type of punitive approach. Our message is, 'We're here to help.' When people perceive that you mean that, they're much more willing to help you in return. - David Stellfox, Cybersecurity Communications Specialist, Geisinger [7]


Results: What Changed After Training

Phishing Training Results in Healthcare: Key Statistics and Outcomes

Numbers and Performance Data

The training programs led to measurable improvements in cybersecurity across various healthcare organizations. For example, at Geisinger Health System in Pennsylvania, phishing click rates decreased by over 50% between 2019 and 2021. This drop brought their performance below the peer group average, showcasing how consistent efforts can tackle even persistently high baseline rates [7].

Another instance comes from a major U.S. healthcare provider that introduced callback phishing training in May 2024. Among 237 high-risk users, phishing risk was reduced by 28%, with the Phish-prone Percentage falling from 7.5% to 5.4%, thanks to a 97% training completion rate [3]. Tailored phishing emails also proved to be a more effective learning tool than generic ones. At an Italian hospital, only 38% of staff avoided customized phishing attempts, compared to 64% who successfully identified generic phishing emails [2][8].

A broader study involving 5,416 healthcare employees across 20 campaigns (from July 2015 to May 2018) revealed some persistent challenges. While 17.9% of participants never clicked on phishing links, 65.3% clicked at least twice. Even after mandatory training for those who clicked five or more times, their click rates remained between 10% and 25% in subsequent campaigns [9]. Despite these challenges, the training programs also brought about noticeable changes in staff behavior and attitudes.

How Staff Behavior and Attitudes Changed

Beyond the numbers, the programs fostered a significant shift in staff behavior and attitudes, signaling the development of a stronger cybersecurity culture. At Geisinger, a redesign of the security team’s SharePoint site led to a 300% increase in visitors, making cybersecurity resources far more accessible [7]. This accessibility, coupled with ongoing engagement, prompted a cultural change: employees from departments like food service and payroll began actively reporting suspicious emails to the security team. This marked a shift from seeing cybersecurity as "someone else’s issue" to embracing it as a shared responsibility.

Our success wasn't achieved because of mandatory, computer-based training. We didn't tweak our policies or enforce them differently... what really moved the needle for us was visibility – visibility and engagement. - David Stellfox, Cybersecurity Communications Specialist, Geisinger [7]

At Spencer Private Hospitals in East Kent, similar progress was observed. Senior Management Team member Alex Aucutt-Ford noted a clear change in staff attitudes after introducing phishing simulations via Microsoft 365 and adding a "phish hook" reporting button [12]. The reporting data became formal evidence on the organization’s risk register, and staff who had previously been hesitant to engage with security protocols began using these new tools. This shift was further supported by immediate feedback loops, which reinforced positive behavior changes [11][12].

What Other Hospitals Can Learn From This Case

Main Lessons From This Experience

There are key takeaways from this case that can help other hospitals improve their phishing training efforts. One standout point is that customized training beats generic approaches. Locally tailored phishing simulations reveal weaknesses that generic templates often miss, proving that relevance matters more than sheer volume of training efforts [8].

Another critical insight is that real-time feedback works better than delayed training. Between July 2015 and May 2018, a major U.S. healthcare system ran 20 phishing campaigns targeting 5,416 employees. They found that employees who received immediate, on-the-spot training after falling for phishing attempts were less likely to repeat their mistakes. In contrast, those receiving delayed training showed persistent click rates of 10% to 25% in later campaigns [9].

Lastly, engagement and visibility foster meaningful change. At Geisinger, presentations led by the Chief Information Security Officer (CISO) created a deeper connection with employees. These sessions, which ranged from small groups of 20 to larger gatherings of 1,500, made a lasting impression. As David Stellfox, Cybersecurity Communications Specialist at Geisinger, explained:

Employees remember training content better when they can connect it to people – colleagues in the organization who care enough to show up, rather than some distant corporate office simply administering rules [7].

These lessons provide a clear roadmap for healthcare organizations looking to strengthen their defenses.

Practical Steps for Implementation

To get started, hospitals should run initial phishing simulations to establish a baseline, identifying both awareness levels and high-risk groups. Research shows that callback phishing simulations can lower risk by over 25% among employees who are most vulnerable [3].

Involving stakeholders early is crucial to avoid backlash. A study conducted in an Italian hospital highlighted that poorly handled simulations - such as misleading or overly deceptive messages - can provoke resistance from employees and unions. Fabio Rizzoni and his team emphasized the importance of coordination, stating:

successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness [8].

Another example comes from Spencer Private Hospitals in East Kent, where phishing data was integrated into the hospital's formal risk register. This approach, led by Senior Management Team member Alex Aucutt-Ford, helped secure executive support and align with NHS England's Data Security Protection Toolkit requirements [12].

To streamline these efforts, healthcare organizations can use risk management platforms like Censinet RiskOps. These tools allow hospitals to track the effectiveness of awareness campaigns, pinpoint security gaps, and automate reporting for leadership teams. By doing so, phishing training data becomes part of a broader strategy for managing third-party and enterprise risks.

Conclusion: Making Cybersecurity Part of Hospital Culture

The experiences of institutions like Geisinger and UZA (University Hospital Antwerp) highlight an important lesson: phishing training isn’t a one-and-done activity - it’s an ongoing process that requires regular updates and attention. As Kathy Hughes, VP and CISO at Northwell Health, aptly stated:

There is no beginning and no end. It is just something that is continuous and needs to be constantly reevaluated [13].

At Geisinger, phishing click rates dropped by more than half, while UZA saw a dramatic reduction in susceptibility - from 30% to just 8% within a few months. These results prove that consistent effort yields measurable progress [7][5]. The key lies in tailoring training to individual roles, fostering engagement, and shifting from punitive approaches to positive reinforcement.

Creating a visible and personal connection to cybersecurity is another critical component. David Stellfox from Geisinger summed it up perfectly:

Our message is, 'We're here to help.' When people perceive that you mean that, they're much more willing to help you in return [7].

This approach shifts the narrative from rigid corporate policies to fostering genuine collaboration between security teams and staff. Programs like Northwell Health's "Cyber Champion" initiative are a great example. By rewarding employees with certificates and merchandise for reporting suspicious emails, they demonstrate how recognition and incentives outperform fear-based tactics [13].

The real transformation happens when staff no longer see cybersecurity as "someone else’s job." Instead, they actively participate by reporting threats and understanding how safeguarding patient data directly protects patient safety. This shift - from passive compliance to active engagement - is the foundation of a sustainable security culture.

At the end of the day, hospital staff are the frontline defenders of patient data and operations [13]. Hospitals that embed phishing awareness into daily routines - using tools like Censinet RiskOps™ to manage and track risks - create safer environments for both patients and sensitive information. Regular simulations and continuous education ensure that cybersecurity becomes an integral part of hospital culture.

FAQs

How often should a hospital run phishing simulations?

Hospitals are advised to run phishing simulations roughly every four months. A case study demonstrated that spreading three campaigns evenly over the year complements annual training programs. This approach not only strengthens cybersecurity awareness but also helps evaluate and mitigate risks more effectively.

How do we keep phishing training from feeling punitive?

To make phishing training feel less like a punishment, it’s essential to create an environment that’s both supportive and engaging. Focus on educating employees, using positive reinforcement, and tying the lessons to their everyday tasks. Incorporate real-world scenarios that employees can relate to, and provide personalized feedback to make the experience more meaningful. Keep the training ongoing and interactive to help build a stronger sense of security awareness.

The goal should always be clear: reducing mistakes and improving awareness. Emphasize that the training is about strengthening security practices, not pointing fingers or assigning blame. This approach encourages participation and helps foster a sense of shared responsibility for keeping the organization safe.

What’s the best way to track and report phishing risk over time?

To effectively monitor and report phishing risks in healthcare, begin by setting up baseline metrics. This can be done through phishing simulations to gauge how often staff click on phishing links and how frequently they report them. Plan to run these targeted phishing campaigns regularly - every four months is a solid starting point - to identify trends over time. Dive into detailed analytics, such as click rates, reporting rates, and staff feedback, to evaluate how well training efforts are working. This approach allows you to fine-tune strategies and maintain a clear understanding of changing risks.
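The tracking workflow described in this answer (baseline, campaigns every four months, click and reporting rates, trends over time), together with the practical steps above (identify high-risk groups; Gemelli's rule of mandatory courses after five or more clicks; the never-clicked and clicked-twice-or-more breakdown from the 20-campaign study), can be turned into a small metrics script. The code below is an added example and is not code from Censinet, Fondazione Policlinico Gemelli, or any tool named on this page. It assumes a simulation tool exports one row per recipient per campaign with the columns campaign, user, opened, clicked, reported (an assumed CSV shape); all sample rows, campaign labels, user ids and function names are constructed for illustration.

```python
"""Phishing-simulation metrics tracker (added example; not from the page's sources).

Assumed input: a CSV export with one row per recipient per campaign, columns
campaign,user,opened,clicked,reported where the last three are 0/1 flags.
The sample below is constructed: three campaigns at four-month intervals,
five pseudonymous recipients.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # campaign label, e.g. "2019-03" (constructed)
    user: str       # pseudonymous recipient id (constructed)
    opened: bool
    clicked: bool
    reported: bool


# Constructed sample export (not real hospital data).
SAMPLE_CSV = """campaign,user,opened,clicked,reported
2019-03,u1,1,1,0
2019-03,u2,1,1,0
2019-03,u3,1,0,1
2019-03,u4,0,0,0
2019-03,u5,1,1,0
2019-07,u1,1,1,0
2019-07,u2,1,0,1
2019-07,u3,0,0,0
2019-07,u4,1,0,1
2019-07,u5,1,1,0
2019-11,u1,1,1,0
2019-11,u2,1,0,1
2019-11,u3,1,0,1
2019-11,u4,0,0,0
2019-11,u5,1,1,1
"""


def parse_results(text):
    """Parse the assumed CSV shape into Result records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Result(r["campaign"], r["user"],
                           r["opened"] == "1", r["clicked"] == "1", r["reported"] == "1"))
    return rows


def campaign_metrics(results):
    """Per-campaign open, click and report rates (percent, one decimal)."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for label in sorted(by_campaign):
        rs = by_campaign[label]
        n = len(rs)
        metrics[label] = {
            "recipients": n,
            "open_rate": round(100 * sum(r.opened for r in rs) / n, 1),
            "click_rate": round(100 * sum(r.clicked for r in rs) / n, 1),
            "report_rate": round(100 * sum(r.reported for r in rs) / n, 1),
        }
    return metrics


def clicks_per_user(results):
    """Cumulative click count per recipient across all campaigns (zero-click users included)."""
    counts = defaultdict(int)
    for r in results:
        counts[r.user] += int(r.clicked)
    return dict(counts)


def repeat_clickers(results, threshold=5):
    """Recipients whose cumulative clicks reach the threshold; the page's Gemelli
    example used five or more clicks as the trigger for a mandatory course."""
    return {u: n for u, n in clicks_per_user(results).items() if n >= threshold}


def click_distribution(results):
    """Share of recipients who never clicked and who clicked at least twice,
    the same breakdown the 20-campaign study reported."""
    counts = clicks_per_user(results)
    total = len(counts)
    never = sum(1 for n in counts.values() if n == 0)
    twice = sum(1 for n in counts.values() if n >= 2)
    return {"never_clicked_pct": round(100 * never / total, 1),
            "clicked_twice_or_more_pct": round(100 * twice / total, 1)}


def trend(results):
    """Change from the first (baseline) campaign to the latest one."""
    m = campaign_metrics(results)
    order = sorted(m)
    first, last = m[order[0]], m[order[-1]]

    def relative(a, b):
        return None if a == 0 else round(100 * (b - a) / a, 1)

    return {"first": order[0], "last": order[-1],
            "click_rate_change_pts": round(last["click_rate"] - first["click_rate"], 1),
            "click_rate_relative_change_pct": relative(first["click_rate"], last["click_rate"]),
            "report_rate_change_pts": round(last["report_rate"] - first["report_rate"], 1)}


if __name__ == "__main__":
    data = parse_results(SAMPLE_CSV)
    for label, m in campaign_metrics(data).items():
        print(label, m)
    print("distribution:", click_distribution(data))
    print("needs mandatory course (5+ clicks):", repeat_clickers(data))
    print("trend:", trend(data))
```

On the constructed sample the click rate falls from 60.0% in the baseline campaign to 40.0% in the third (a 33.3% relative reduction) while the report rate rises from 20.0% to 60.0%; no recipient reaches the five-click threshold, but lowering it to two surfaces the two recipients who clicked in every campaign. The report rate is tracked alongside the click rate deliberately, since the page's own outcomes (the "phish hook" button at Spencer, food service and payroll staff reporting at Geisinger) show reporting behaviour is the signal that a culture change has taken hold.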
