Case Study - When waiting for a fix, or paying a ransom simply isn’t an option

Antwerp University Hospital (UZA)

Hospitals and healthcare institutions are increasingly being targeted by large-scale cyberattacks. Against this background, the UZA joined forces with Phished, to guarantee cyber awareness training for all employees.

The Challenge

Organisations that are hit by ransomware or other malware often have two options: pay a ransom and regain control of their network, or be patient and wait for IT to free the network through backups. These are not reassuring options for healthcare institutions: they are organisations where money is usually spent on those who need it most, and if the waiting period is too long, consequences can be severe. The term 'critical infrastructure' takes on an extra dimension in such environments.

When hospitals fall victim to hackers, lives are at stake. Technology facilitates modern medicine, but at the same time, it forces such institutions to rely more and more on new techniques to secure their networks. "Every hospital is doing its utmost to make its staff more aware of today's digital dangers," says Filip Goyens, Data Protection Officer at UZA (University Hospital Antwerp), "and we are doing so by putting Phished at the centre of our strategy."

"We have, certainly in the past two years, been working hard to put cyber awareness higher on the agenda," says Goyens. "We regularly consult with DPOs of various hospitals and share best practices - e-health is certainly not unknown to us. The recent hacks of large hospitals (e.g. Tournai and Mol) show that it is really necessary. Of course, every hospital places its own emphasis and we do that by using the Phished platform."

The Outcome

At the time of the baseline measurement by Phished, around 30% of all recipients fell into the phishing trap - an average result. In only a few months time, this was already reduced to 8%. Goyens: "So we clearly notice the return on investment. Thanks to the extensive reporting, we have seen the numbers go down week after week, which of course gives us great satisfaction and peace of mind. The recent Facebook incident was yet another confirmation that you have to be very careful with systems, but also with personal data."

A good result on phishing simulations reinforces our feeling that we are taking our responsibility. Moreover, we can now react even more quickly if we notice that an employee, or even an entire department, needs extra support. Furthermore, we rely on the algorithm to train our colleagues; the figures prove that it works."