Are there any other preventive measures to avoid the attack?
I think that the ways to prevent impact from a phishing attack can be classified into 3 stages, such as these:
Stage 1) The employee has received the phishing email.
I think training and instruction on phishing attacks can prevent the attack at this stage, as you mentioned above, but if they have already fallen for it, there must be a second or third chance to prevent further impact and consequences in Stages 2 and 3.
Stage 2) The employee’s email account was compromised.
At this stage, if the email account was compromised, monitoring of email activity can give early detection of abnormal email activities by the hacker, and the email account can then be secured before the data breach takes place. Moreover, if the email account is required to change its password regularly every three months, the time period for which the email account can be compromised will be shorter.
Stage 3) The personal data of the patients was accessed or copied.
If the patient data is contained in the email, even if the hackers can access the email, they cannot get access to the patient data if the data file is encrypted or requires a password login that is different from the email password. Moreover, restrict the email users that can send or receive patient data to as few as possible, so as to minimise the number of vulnerable email accounts through which a hacker can access the patient data.
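To make the Stage 2 point concrete (monitoring email activity to catch the attacker early), here is an added example that is not part of the reply above: a small Python detector run over constructed mailbox audit events. It flags three classic post-compromise signals: a login from a country the user has never logged in from, a new inbox rule that forwards mail outside the organisation, and a burst of outbound messages in a short window. The domain `clinic.example`, the user `nurse1@clinic.example`, the event field names and the thresholds are all assumptions for illustration, not from any real log format.

```python
"""Detect abnormal mailbox activity in constructed audit-log records (example code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "clinic.example"  # assumed organisation domain

# Per-user baseline of countries seen in normal logins (assumed, constructed).
KNOWN_COUNTRIES = {"nurse1@clinic.example": {"GB"}}

# Constructed sample audit events (not real logs): a normal morning, then a
# night-time login from a new country, an external forwarding rule, and a
# burst of 12 sends within two minutes.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:00", "user": "nurse1@clinic.example", "action": "Login", "country": "GB"},
    {"ts": "2024-03-01T08:05:00", "user": "nurse1@clinic.example", "action": "Send", "to": "records@clinic.example"},
    {"ts": "2024-03-01T23:41:00", "user": "nurse1@clinic.example", "action": "Login", "country": "NG"},
    {"ts": "2024-03-01T23:43:00", "user": "nurse1@clinic.example", "action": "New-InboxRule",
     "forward_to": "drop@mail-collector.example"},
] + [
    {"ts": f"2024-03-01T23:{44 + i // 6}:{(i % 6) * 10:02d}", "user": "nurse1@clinic.example",
     "action": "Send", "to": f"x{i}@mail-collector.example"}
    for i in range(12)
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def detect_new_country_logins(events, known_countries):
    """Flag logins from a country not in the user's baseline set."""
    alerts = []
    for e in events:
        if e["action"] == "Login" and e["country"] not in known_countries.get(e["user"], set()):
            alerts.append({"kind": "login_new_country", "user": e["user"],
                           "ts": e["ts"], "detail": e["country"]})
    return alerts


def detect_external_forwarding(events, internal_domain=INTERNAL_DOMAIN):
    """Flag inbox rules that forward mail to an address outside the organisation."""
    alerts = []
    for e in events:
        fwd = e.get("forward_to")
        if e["action"] == "New-InboxRule" and fwd and _domain(fwd) != internal_domain:
            alerts.append({"kind": "external_forward_rule", "user": e["user"],
                           "ts": e["ts"], "detail": fwd})
    return alerts


def detect_send_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Flag a user sending more than `threshold` messages inside a sliding
    `window`; one alert per user so a long burst does not flood the analyst."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in sorted(events, key=_ts):
        if e["action"] != "Send":
            continue
        now = _ts(e)
        q = recent[e["user"]]
        q.append(now)
        while q and now - q[0] > window:   # drop sends older than the window
            q.popleft()
        if len(q) > threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"kind": "send_burst", "user": e["user"],
                           "ts": e["ts"], "detail": f"{len(q)} sends in {window}"})
    return alerts


def analyze(events, known_countries=KNOWN_COUNTRIES, internal_domain=INTERNAL_DOMAIN):
    """Run all detectors and return alerts ordered by time (ISO strings sort correctly)."""
    alerts = (detect_new_country_logins(events, known_countries)
              + detect_external_forwarding(events, internal_domain)
              + detect_send_bursts(events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["user"]} {a["kind"]}: {a["detail"]}')
```

Each detector is independent, so a real deployment can tune or swap them; the forwarding-rule check in particular is worth alerting on with high priority, because an attacker who sets one up keeps receiving the victim's mail even after the password is changed.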