Hospitals and healthcare institutions are increasingly being targeted by large-scale cyberattacks. Against this background, the UZA joined forces with Phished to provide cyber awareness training for all employees.
When hospitals fall victim to hackers, lives are at stake. Technology facilitates modern medicine, but at the same time, it forces such institutions to rely more and more on new techniques to secure their networks. "Every hospital is doing its utmost to make its staff more aware of today's digital dangers," says Filip Goyens, DPO at UZA (Antwerp University Hospital), "and we are doing so by putting Phished at the centre of our strategy."
Organisations that are hit by ransomware or other malware often face two options: pay a ransom in the hope of regaining control of their network, or wait for IT to restore systems from backups. Neither is reassuring for healthcare institutions: they are organisations where money is usually spent on those who need it most, and if recovery takes too long, the consequences can be severe. The term 'critical infrastructure' takes on an extra dimension in such environments.
"We have, certainly in the past two years, been working hard to put cyber awareness higher on the agenda," says Goyens. "We regularly consult with DPOs of various hospitals and share best practices - e-health is certainly not unknown to us. The recent hacks of large hospitals (e.g. Tournai and Mol) show that it is really necessary. Of course, every hospital places its own emphasis and we do that by using the Phished platform."
In those two years, the UZA underwent a major change in its cyber awareness policy. Whereas in the past it used traditional means of information such as brochures and the quarterly staff magazine, today it is resolutely going digital. Goyens: "We have been using screensavers on the computers on our network for some time now to quickly disseminate useful information, as well as for phishing and ransomware prevention, but we noticed that a lot of people were still susceptible to these practices."
"Not that we were already experiencing major incidents," Goyens explains, "but we did have small incidents in the past that we were, fortunately, able to fix quickly. As a healthcare institution, however, we did not want to wait for a major hack to befall us. That's why we already did an external audit two years ago: the result encouraged us once again to look for a structural solution."
Eyes on the problem
At the time of the baseline measurement by Phished, around 30% of all recipients fell into the phishing trap - an average result. In only a few months' time, this was already reduced to 8%. Goyens: "So we clearly notice the return on investment. Thanks to the extensive reporting, we have seen the numbers go down week after week, which of course gives us great satisfaction and peace of mind. The recent Facebook incident was yet another confirmation that you have to be very careful with systems, but also with personal data."
"A good result on phishing simulations reinforces our feeling that we are taking our responsibility. Moreover, we can now react even more quickly if we notice that an employee, or even an entire department, needs extra support. Furthermore, we rely on the algorithm to train our colleagues; the figures prove that it works."
The UZA is currently working on a centralised security operations centre to make it easier for the various IT services involved in cyberattack prevention to work together. This will allow them to take better and more concrete action in case of potential problems and will also streamline prevention efforts.
Phished plays an important role in the realisation of these plans thanks to its automated phishing simulations, in-depth reporting and automatic staff updates - after all, scalability is an important factor in large organisations.