Skip to content Skip to navigation

When In Belgium… OK, Time to Rethink Phishing Drills

July 26, 2015
| Reprints
What managers in the Flemish regional government in Belgium learned when they tried to test employees for phishing vulnerability
time for some delicious waterzooi...?

It was very interesting to read in NetworkWorld about a Belgian regional government IT security drill gone awry.

As the July 22 report noted, “Belgium’s Flemish regional government sent a mock phishing email to about 20,000 of its employees to see how they would react.  The email purported to be a booking confirmation from Thalys for a trip from Brussels to Paris, including a stay in a fancy hotel. The cost—almost 20,000 euros (about $22,000) would be charged to the recipients credit card unless the person cancelled within three days, the email said. To cancel the trip, the email instructed recipients to send their credit card information to Thalys, the regional high-speed train company, Belgian media reported.”

Well, the Flemish regional government employees started calling Thalys to complain, leading to the bewilderment of its staff, as the government had neglected to inform Thalys of the drill, and nobody in the company’s call center knew what was going on.

Frank Geets, the Flemish government’s administrator-general for facility management, admitted that he and his colleagues had made a mistake. “We made the mail as realistic as possible and used Thalys’ logo. But actually we did not have their permission to do so,” he told the Flemish news channel VTM, adding that the government has apologized to Thalys for “being a bit overzealous.”

So, clearly, this phishing exercise went awry. Yet the fundamental concept behind it was a good one. Indeed, as Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm told those attending the CHIME Lead Forum in Denver last week, healthcare IT leaders need to engage in phishing tests of their organizations’ employees to get a sense of the danger of phishing (they obviously just have to make sure they’re better controlled than the Flemish regional government’s experiment!).

As McMillan pointed last Monday, it is dispiriting to find that, inevitably, very high percentages of staff members and clinicians at patient care organizations do in fact open phishing e-mails. In fact, he said, when his firm manages such exercises, “Probably about 42 percent of e-mails are opened when we do the exercise of phishing attack testing. And an additional 60 percent of those who open the e-mails, provide the information asked in those messages.”

McMillan also cited some of the results of a cybersecurity survey released on June 30 by the Chicago-based Healthcare Information and Management Systems Society (HIMSS), which found considerable alarm among healthcare IT leaders nationwide over data security issues. Among numerous findings in the survey was this:  “The top motivators for improving information security environments included results of risk assessments and concerns about phishing attacks and viruses/malware.”

Interestingly, as McMillan noted, that HIMSS cybersecurity survey found respondents citing the following as the biggest barriers to improving data security: “lack of personnel” (64 percent); “lack of financial resources” (60 percent); “too many emerging/new threats” (42 percent); “too many endpoints” (32 percent); “not enough cyber threat intelligence” (28 percent); “too many applications” (25 percent); and “lack of tools to use/deploy cyber threat intelligence” (20 percent).

McMillan went on to note how concerning it is that large numbers of staff and clinicians at hospital, medical group, and integrated health system organizations continue to regularly open phishing e-mails. What does this mean? On a very simple level, it means constant training and retraining of all staff and clinicians. Everyone in healthcare today is very busy, and it can be incredibly easy to open, and even respond to, phishing e-mails. Even IT professionals do it, McMillan noted. So a lot of the solution is not purely technological, but rather process-driven.

What’s more, the phishing phenomenon is taking place in the context of a much broader set of threats, including malware, external hacking, and other forms of criminality, as McMillan noted in his keynote address at the CHIME Lead Forum.

So the question is, what are you doing to address the phishing threat in your organization? Clearly, it can’t simply be a one-off, one-time test; it must be a process-driven set of actions and solutions that engages everyone on staff and all clinicians. This is particularly so given how that threat is now coming in the context of increased mobility (thus, mobile devices are unavoidably involved), cloud-facilitated storage, and ever-expanding health information exchange.

Clearly, one must avoid making blunders in the way that the folks at the Flemish regional government did in Belgium this year. At the same time, there are no easy shortcuts, either. So the next time you enjoy waterzooi (the Belgian national dish), mussels, or steak frites (and yes, French fries are actually Belgian in origin), please also consider the possibilities inherent in intelligently testing your staff and clinicians for phishing vulnerability. And consider the lessons they’ve learned. Because the stakes are high, and getting higher by the day.