
Phishing simulation

Compliant with § 30 paragraph 2 no. 7 and § 38 paragraph 3 BSIG

Phishing simulation for healthcare

Realistic phishing campaigns based on real-world scenarios from hospitals, clinics, medical care centers, care facilities, pharma, and medtech. Monthly cadence, measurable maturity, NIS2-compliant evidence — without a culture of blame.

THE REALITY

Healthcare is the main target — and employees are the main entry point.

A recent study by Justus Liebig University Giessen (ACM CCS 2025) simulated phishing attacks against 7,044 email accounts at a German university hospital. The result: around 25% of employees were willing to disclose their login credentials, within 12 to 24 hours of the first contact. Anti-phishing banners and [EXTERNAL] labels were not enough.

25%

In a real simulation, clinic staff gave away their login credentials. A single compromised account that looks legitimate is enough for an attacker to gain access.

+74%

Increase in cyberattacks on German hospitals since 2020. Healthcare is one of the three most attacked industries worldwide.

up to €10 million

Maximum fine under Section 65 of the BSIG for particularly important facilities — or 2% of global annual turnover. Important facilities: up to €7 million or 1.4%. In addition, management is personally liable under Section 38 of the BSIG with private assets.

Sources: Tolsdorf, Langer, Lo Iacono — ACM CCS '25, Justus Liebig University Giessen · Check Point Research Healthcare Report · NIS2UmsuCG § 30, § 38 BSIG · BSI Situation Report 2025.

HOW IT WORKS

From kickoff to proof in four steps.

We handle the planning, execution, and evaluation. You get a report that stands up to the board and a culture in which employees report phishing instead of hiding it.

01

Project start

We analyze your organizational structure — departments, functions, workflows — and work with you to define realistic attack vectors. Which phishing emails would an attacker actually use against your organization? The result is an annual plan with monthly campaigns and clear target group segmentation.

02

Campaign & Execution

Every month, a new campaign with tailored phishing emails that reflect everyday clinical work: fake HIS warning messages, alleged lab results, supposed roster changes, DocCheck imitations. Delivery is role-based — nursing staff, physicians, administration, and IT each receive specific scenarios.

03

Report Button & Learn-by-Doing

Employees who click a phishing link land on an educational landing page — not on a reprimand screen. Anyone who reports the email correctly receives positive feedback. Our PhishReport add-in for Outlook enables one-click reporting and builds a culture of reporting over time.

04

Evaluation & NIS2 Evidence

You receive an aggregated management report with click-through rate, reporting rate, maturity benchmarks, and trend analysis across multiple campaigns. All data is anonymized, with no individual-level evaluation. Format: audit-ready, suitable for the BSI and the supervisory board, and directly usable as Article 21 evidence.
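To make the "aggregated, no individual-level evaluation" promise concrete, here is an added example of how such a report can be computed from campaign results. It is illustrative code written for this page, not the provider's own reporting software. It assumes a simple per-recipient record (role, clicked, reported), role names such as "nursing" and "physician", and a minimum group size of 5 below which a role's figures are merged into an "other" bucket or withheld entirely; all of these are assumptions, and the sample campaigns are constructed, not real results.

```python
"""Aggregate phishing-simulation results per role with small-group suppression.

Added example, not the provider's own reporting code. It assumes a simple
event record per recipient: the recipient's role, whether the simulated
link was clicked, and whether the email was reported.
"""
from collections import defaultdict
from dataclasses import dataclass

# Groups smaller than this are not published on their own, so that no figure
# can be tied to one identifiable person (assumed threshold for this example).
MIN_GROUP_SIZE = 5


@dataclass(frozen=True)
class Recipient:
    role: str       # e.g. "nursing", "physician", "administration", "it" (assumed names)
    clicked: bool   # followed the simulated phishing link
    reported: bool  # used the report button


def _rates(c):
    """Turn raw counts into delivered count plus click and report rates."""
    d = c["delivered"]
    return {
        "delivered": d,
        "click_rate": round(c["clicked"] / d, 3),
        "report_rate": round(c["reported"] / d, 3),
    }


def aggregate(recipients, min_group=MIN_GROUP_SIZE):
    """Return {role: {"delivered", "click_rate", "report_rate"}} for one campaign.

    Roles with fewer than `min_group` recipients are merged into "other";
    if even the merged bucket is below the threshold it is withheld, so the
    report never exposes a single person's behaviour.
    """
    counts = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for r in recipients:
        c = counts[r.role]
        c["delivered"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)

    result = {}
    other = {"delivered": 0, "clicked": 0, "reported": 0}
    for role, c in counts.items():
        if c["delivered"] < min_group:
            for k in other:
                other[k] += c[k]
        else:
            result[role] = _rates(c)
    if other["delivered"] >= min_group:
        result["other"] = _rates(other)
    return result


def trend(campaigns, min_group=MIN_GROUP_SIZE):
    """Organization-wide click and report rates per campaign, in campaign order."""
    out = []
    for name, recipients in campaigns:
        n = len(recipients)
        if n < min_group:
            continue  # too small to publish at all
        out.append({
            "campaign": name,
            "click_rate": round(sum(r.clicked for r in recipients) / n, 3),
            "report_rate": round(sum(r.reported for r in recipients) / n, 3),
        })
    return out


def make(role, clicked, reported, neither):
    """Build a constructed recipient list for one role (sample data only)."""
    return ([Recipient(role, True, False)] * clicked
            + [Recipient(role, False, True)] * reported
            + [Recipient(role, False, False)] * neither)


# Constructed sample data for two monthly campaigns (not real results).
CAMPAIGN_1 = (make("nursing", 4, 2, 4) + make("physician", 2, 1, 3)
              + make("it", 0, 3, 0) + make("administration", 1, 0, 1))
CAMPAIGN_2 = (make("nursing", 2, 5, 3) + make("physician", 1, 3, 2)
              + make("it", 0, 3, 0) + make("administration", 0, 1, 1))

if __name__ == "__main__":
    for name, data in (("campaign 1", CAMPAIGN_1), ("campaign 2", CAMPAIGN_2)):
        print(name, aggregate(data))
    print(trend([("campaign 1", CAMPAIGN_1), ("campaign 2", CAMPAIGN_2)]))
```

Running it shows the two small groups (IT with 3 recipients, administration with 2) appearing only as a merged "other" row, while the campaign-over-campaign trend shows the report rate rising as the click rate falls, which is the movement a management report is meant to make visible.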

WHAT IS INCLUDED

More than a tool — a fully managed service.

Other providers sell you a software license and leave you to handle configuration, content, and reporting. We take care of everything — from the first campaign idea to a sign-off-ready audit report.

Legal basis

Phishing training has been legally required since December 2025.

“Member States shall ensure that members of the management bodies of essential and important entities are required to undergo training, and shall require essential and important entities to offer regular relevant training to all employees.” — NIS2 Directive, Article 20(2)

Since December 6, 2025, the NIS2UmsuCG has been in force without a transitional period. Healthcare organizations with at least 50 employees or EUR 10 million in revenue are affected — around 30,000 organizations in Germany in total. Under Section 38 of the BSIG, management is personally liable for breaches of duty — including private assets. Clearly documented phishing training is direct evidence of meeting that duty.

Legal sources: Directive (EU) 2022/2555 (NIS2) · NIS2UmsuCG of 6 December 2025 · Section 30 BSIG (risk management measures) · Section 38 BSIG (duties of executive management).

WHO IS IT SUITABLE FOR

For every healthcare facility — instead of generic providers.

Our phishing simulations are designed for organizations where cybersecurity directly affects patient care. No off-the-shelf templates — just scenarios that reflect your daily work.

Hospitals

Acute care, specialty clinics, university hospitals. Multi-site organizations with complex authorization structures, shift work, and high staff turnover. NIS2 is especially important.

Medical care centers & practice networks

Medical care centers, group practices, practice networks. From 50 employees, subject to NIS2 — an estimated 1,000 medical care centers affected for the first time. The training requirement is new; the threat landscape is not.

Private clinics

Affiliated hospitals, private clinics, specialized facilities. Often owner-managed with a pragmatic approach to security — training without overhead, audit-ready documentation without enterprise complexity.

Pharma & MedTech

Pharmaceutical companies, medical device manufacturers, and contract research organizations. IP protection is business-critical, supply chains are a target for attacks, and GxP/ISO 13485 audits review awareness programs as well.

Care facilities

Nursing homes and home care services. High staff turnover, mobile devices, sensitive patient data — and increasingly the target of targeted phishing attacks on billing systems.

Health Tech

Digital health platforms, telemedicine providers, DiGA manufacturers. High proportion of APIs and integrations, distributed teams, often targeted through customer service and partner communications.

OUR APPROACH

Simulations should prepare people — not embarrass them.

The Gießen clinic study showed not only that staff are vulnerable — but also that a significant proportion reacted to the simulation with fear, shame, and feelings of guilt. This is not only problematic on a human level; it is counterproductive: those who feel ashamed do not report. Those who do not report increase the risk.

No shaming

Our landing pages don’t lecture — they explain. Not “You failed,” but: “Here are the signs by which you could have recognized this email.” No personal reference in reports. No individual evaluation. No public shaming.

A culture of reporting instead of fear

We measure not only clicks, but also reports — and prioritize the latter. Anyone who reports a suspicious email, whether real or simulated, receives positive feedback. The result: a workforce that actively protects, instead of passively hoping.

Learn at the right moment

At the moment of the click, attention is at its highest. That’s exactly when we convey — in under 90 seconds — the specific warning signs. This has been proven to be more effective than annual mandatory e-learning courses.

"A significant portion of the surveyed employees reacted to the phishing simulation with feelings such as fear, shame, and guilt. These findings highlight the psychological challenges and underscore the need to weigh the emotional costs against the potential security benefits."

— Tolsdorf, Langer, Lo Iacono. "Phishing Susceptibility and the (In-)Effectiveness of Common Anti-Phishing Interventions in a Large University Hospital." Proceedings of ACM CCS '25.

Answers to the most important questions.

Quick answers about phishing simulations, regulations, and a typical project workflow.

How often should phishing simulations be conducted?

Are phishing simulations legally permissible and GDPR-compliant?

Does the works council or staff council need to be involved?

Does the simulation meet the requirements of NIS2 and Section 30 of the BSIG?

How much does a phishing simulation cost for a clinic?

What is the timeline?

Why choose Entropy instead of a generic awareness provider?

How do you handle employees' emotional stress?

Where is the data stored and for how long?

Can we start small and expand later?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.