Security Awareness Training

Compliant with § 30 paragraph 2 no. 7 and § 38 paragraph 3 BSIG

Security Awareness Training for Healthcare

Cybersecurity training for hospitals, clinics, medical care centers, care facilities, pharma, and medtech — one annual core course plus three spotlights per year, with audit-ready documentation in line with NIS2 and Section 38 of the BSI Act.

THE REALITY

People are not the problem — they are part of the solution.

More than two-thirds of all security incidents are caused by human behavior — not out of malice, but because of time pressure, lack of knowledge, or clever social engineering. Well-trained employees are therefore the most effective security layer there is.

68%

of security incidents involve a human factor — a misclick, stolen credentials, or social engineering.

€4.88 million

Average cost of a data breach in healthcare in 2024 — highest among all industries, 14th year in a row.

€10 million

Maximum fine under NIS2 for particularly important entities — or 2% of global annual turnover. In the event of a breach of duty, management is additionally personally liable with private assets under Section 38 of the BSIG.

Sources: Tolsdorf, Langer, Lo Iacono — ACM CCS '25, Justus Liebig University Giessen · Check Point Research Healthcare Report · NIS2UmsuCG § 30, § 38 BSIG · BSI Situation Report 2025.

OUR PROGRAM

Annual core course plus three spotlights.

Two learning formats, one consistently built security culture: a compact core course covering the four most important topics for all employees and new hires. Plus three spotlights per year on current threats, which in the quarters without the core course refresh and expand what has been learned.

Core course · annually · ~20 min

Mandatory for all employees and new hires.

MODULE 01

Phishing & Social Engineering

"One Click Too Fast"

Recognize phishing, spear phishing, smishing, vishing, and quishing. The 5-step check: check the sender, hover over links, question urgency, inspect details, verify. Report suspicious emails immediately — before clicking.

MODULE 02

Passwords & MFA

The Fortress Key

Use a password manager for unique, strong passwords. Never reuse them, and never share them with colleagues. Enable 2FA for critical systems and keep recovery codes secure. If compromise is suspected, change it immediately and report it.

MODULE 03

Data protection in everyday clinical practice

Protecting Patient Trust

Lock your screen, verify email recipients, and do not have patient conversations in public areas. Verify the caller’s identity before sharing data. Do not take patient data home or carry it privately. Keep your desk clean. Prevent tailgating at security doors.

MODULE 04

Incident Reporting

We Protect Together

Recognize warning signs: pop-ups, slow systems, unknown devices. Do not plug in USB sticks from others. Install updates when IT asks you to. In the event of ransomware: disconnect from the network, DO NOT restart, call IT immediately. Trust your intuition.

SPOTLIGHTS · 3× YEARLY · 1–2 MIN

Refresher on current threats.

SPOTLIGHT 01

2 min.

Don't Pay the Price

Ransomware

How ransomware works and why healthcare is target No. 1. Spread through phishing, tampered downloads, and infected USB drives. Download safely from official sources. In an emergency: unplug the network cable, do not restart, call IT.

SPOTLIGHT 02

1.5 min.

Stay Safe Anywhere

Wi-Fi & Remote Work

Risks of public Wi-Fi networks — fake hotspots, data interception. Never enter patient data on public networks. VPN required for remote work. Maintain screen privacy on trains and in cafés. Secure your home router with a strong password.

SPOTLIGHT 03

1.5 min.

"Pocket Risks"

Mobile Security

Work apps on personal devices: keep them up to date, use a strong PIN. Risk of public charging (juice jacking). Report a lost device immediately — remote wipe is possible. Keep app permissions to a minimum. No photos of patient data.

SPOTLIGHT 04

2 min.

"Trust But Verify"

Social Engineering

Pretexting: fabricated scenarios to get information. Baiting: too-good-to-be-true offers, found USB sticks. Abuse of authority: “I’m from IT, I need your password.” Artificial urgency. Always verify through official channels.

SPOTLIGHT 05

1.5 min.

Beyond the Screen

Physical Security

Badge control: do not let strangers through security doors. Escort visitors without badges to reception. Avoid shoulder surfing — shield your PIN, turn the monitor away. Pick up printouts immediately. Always lock your workstation, even if only for a short time.

SPOTLIGHT 06

1.5 min.

"Keep It Current"

Software updates

Why updates are important: They close security gaps. Know the difference between real and fake update pop-ups. Don’t put off updates when IT asks you to install them. Only install from official sources. Report suspicious update requests.

Legal basis

Training has been a legal requirement since December 2025 — for employees and management.

“Member States shall ensure that members of the management bodies of essential and important entities are required to undergo training, and shall require essential and important entities to offer regular relevant training to all employees.” — NIS2 Directive, Article 20(2)

Employee training is mandatory under Section 30(2) No. 7 of the BSIG. Management must regularly participate in cybersecurity training under Section 38(3) of the BSIG. In the event of a breach of duty, management is personally liable with private assets under Section 38 of the BSIG. Documented proof of training directly excludes that liability.

Legal sources: Directive (EU) 2022/2555 (NIS2) · NIS2UmsuCG of 6 December 2025 · Section 30 BSIG (risk management measures) · Section 38 BSIG (duties of executive management).

WHO IS IT SUITABLE FOR

For every healthcare facility.

Our curriculum is tailored to healthcare facilities — not generic office environments. Examples and scenarios come from everyday clinical practice, not from finance departments.

Hospitals

Awareness training for nursing staff, medical staff, administration, and IT — compact modules that fit into shift work and everyday ward routines. NIS2 audit-ready documentation.

Medical care centers & practice networks

Standardized training across all locations — centralized reporting, a compact format with no shift downtime in practice. NIS2 audit-ready documentation.

Private clinics

Compact, practical curriculum — quick to implement, low administrative overhead, NIS2 audit-ready.

Pharma & MedTech

Awareness training for pharmaceutical and medtech workforces — with a focus on threats to IP protection, supply chains, and sensitive clinical study and patient data. NIS2-audit-ready evidence.

Care facilities

Adapted to high staff turnover and mobile work devices. Compact format with no downtime, NIS2-audit-ready proof.

Health Tech

Awareness training for Health Tech teams across Engineering, Customer Success, and Support. Phishing resilience, secure handling of customer data, and NIS2 audit-ready documentation.

OUR APPROACH

Training that employees actually do.

The biggest reason awareness programs fail isn’t bad content — it’s length. Mandatory 60-minute courses get clicked through, not learned from. Our approach flips that.

Microlearning instead of a mandatory lesson

Core course about 20 minutes, spotlights 1 to 2 minutes — deliberately kept short. Accessible at your desk, on the go, or during a break. Employees learn because they engage, not because they endure.

Healthcare in Focus

Example scenarios include HIS logins, lab results, shift schedule emails, and privacy at reception. No generic office examples that nobody would recognize in everyday clinical work.

Measurable instead of just checked off

Participation rates, completion rates, maturity level by department. Presented in the report, ready for NIS2 audits. You can see where learning is happening — and where it isn’t yet.

Answers to the most important questions.

These are the questions we regularly hear from managing directors, IT managers, and data protection officers in healthcare. Further questions can be addressed directly in the free risk assessment.

How does this differ from traditional e-learning?

Who must complete the core course — and how often?

What exactly are spotlights — and how often do they occur?

Does the training meet the NIS2 and BSIG requirements?

How is participation documented?

Can the training be integrated into an existing LMS?

Do employees need to be released from work for the training?

In which languages are the modules available?

How much does the training cost for an organization?

Where are the training data stored?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.
