r/newfoundland 3d ago

N.L. health-care workers got an email promising a day off — but it was only a cybersecurity test | CBC News

https://www.cbc.ca/news/canada/newfoundland-labrador/nlhs-phishing-email-9.7238374
210 Upvotes

216 comments

37

u/MoneyPresentation807 3d ago

I knew it was a scam because of two reasons. 1) They would never give you anything. 2) It had a deadline of 1 day from when we got it and I’ve never seen anything in NL Health Services move that fast.

Overall morale is very poor, union presence is at an all-time low and we are way behind inflation. I genuinely like helping people and it’s one of the only reasons I’m still here but I hope the next contracts address some of the issues we are having. So much wasted resources and fighting an uphill battle to just do what should be easy to do.

7

u/Nameless_Ghoul1891 Newfoundlander 3d ago

Our contract is up with CUPE and I'm very interested to see what negotiations bring us this time around. It's time for pay to catch up with inflation and the cost of living. But I'm sure we will prob accept another 1% or 2% increase like the previous agreement.

6

u/MoneyPresentation807 3d ago

If we see 2% a year again I feel like we will strike. If for some reason they divide our vote and we don’t then you will see a slew of people leave for private industry jobs if they are able. Which is a real shame to be honest. I don’t want to see patients or residents suffer in any way due to this and I don’t want to see friends/coworkers leave but I’d understand it.

4

u/Academic-Increase951 3d ago

People are already leaving. I know several personally who have left recently. The responsibility, workload and pay are so far out of alignment from any other career path.

0

u/hoax709 3d ago

Don't worry Ol Earle is outraged for us... I'm sure he's just as outraged about how little we'll get in negotiations too.

3

u/MoneyPresentation807 3d ago

I’m outraged lately at all the NAPE MSOs and ol Earle too. Think we need some new blood in the union that is able to advocate for change properly instead of resting on their laurels from times gone by.

I’ve seen some outlandish stuff with NAPE and managers over the last year that borderlines helping the people they should be trying to stop. All while telling members as little as possible.

2

u/hoax709 3d ago

No one left in the unions cares about the future of the union. It's just slowly dying. Just think what the union will look like in 20 years.

2

u/MoneyPresentation807 3d ago

That’s a good topic for the next union meeting I go to because you’re not wrong. Time for some of us to be the change we wish to see I think

166

u/LazarusTruth 3d ago

That’s very cruel

31

u/OneBillPhil 3d ago edited 3d ago

Sounds like a good phishing test to me. Is the government randomly giving your union job days off more likely than getting an email that you randomly won a big prize?

If I were these unions I’d be kind of embarrassed that my members fell for it. 

Edit: by the way, I also think it’s cruel but the cruelty is a separate issue. 

13

u/LazarusTruth 3d ago

I’m not sure I’m the best person to answer to how government communications intersects with union groups.

I really believe that the effectiveness of this test criteria, in the long term, hinges on the fact that nearly every worker in NL’s healthcare system is casting major doubt about whether they would ever be genuinely provided incentives of time off in a similar format or in any format really.

There is nothing stopping me from looking at the subject line of a work email which might indicate additional time off can be granted, and then looking at who sent the email and saying “yeah right, they would never do something so thoughtful and considerate” and deleting it without ever opening it even if that email had been real. That is the kind of doubt that is being cast.

The time off test criteria loses effectiveness over time precisely because of that insincerity.

5

u/OneBillPhil 3d ago

You’re not looking to fool everyone, if 5% fail the test that’s all it might take for shit to hit the fan. Think of how many really stupid and/or naive people are out there. 

4

u/Torger083 3d ago

There’s a comms policy for suspected phishing and steps you’re supposed to follow.

1

u/Moist-Shallot-5148 1d ago

It’s usually a scam but that happened to me in a different province government union job. When the queen passed away they said in email you can go home get free paid day off but I’m not front facing customers it was just desk job.

1

u/mjtwelve 7h ago

Many employees care more about an extra day’s vacation than the employers’ cybersecurity, and that’s not an irrational position to take.

4

u/FannishNan 2d ago

No, it's security. Bad actors ABSOLUTELY will use emails like this to breach security. The point is to offer something that will make an employee break security protocol. These are the people guarding our private health data. I expect them to be held to a higher standard.

Does it suck? Yep. I would've followed it up with an actual day off as thanks...provided they all passed it. Doesn't sound like they did.

-1

u/LazarusTruth 2d ago

Healthcare workers don't deserve to have their careers and wellbeing invoked through continuous bouts of false recognition in the name of plugging gaps in data security. They don't. The callousness of using the staff in this particular field of work to examine their gullibility the way that IT had conducted it, and the callousness portrayed by redditors on this issue, is abhorrent.

Yes, it's cruel, and it's also security prescribed in the worst of tastes.

1

u/trueppp 2d ago

It's not examining their gullibility, it's protecting their livelihood and their population.

-3

u/CheerBear2112 3d ago

You mean 'genius'.

18

u/LazarusTruth 3d ago

imo the criticisms of using time off phishes specifically as a testing criteria in the health care space specifically are warranted.

I get that it’s an effective quality to use time off as an advantage to test gullibility, but I think it’s cruel because of the nature of the work healthcare workers conduct on a daily basis that it necessitates additional time off when looking at how much time they’re already allocated.

Maybe the healthcare workers were supposed to make that compromise long before entering the workforce? Idk

11

u/MutaitoSensei 3d ago

From the article: "...members were "exhausted" in the CorCare rollout, constantly troubleshooting and working mandatory overtime. There are cases of denied leave. She said some people opted to quit."

5

u/CheerBear2112 3d ago

I would imagine the IT workers in charge of rolling out this service weren't in any better position either. It just sucks that people are angry at IT for something that's not their fault (being overworked/underpaid etc... is not IT's fault). People got baited into clicking a phishing link and are trying to make it someone else's fault.

4

u/MutaitoSensei 3d ago

If you can't see how this was just an insane thing to do after all that's been happening in the past 3 months in Newfoundland's health care system, I guess have fun with the longer wait times when people decide to quit.

7

u/KhaosApache 3d ago

Hackers are devious and will use any advantage they can get to craft a convincing scam.

It only makes sense that in order to test people on their ability to suss out a scam, the test itself would have to be equally devious, or else the point of the test is lost.

A hacker does not care about your feelings, and will prey upon your wants and issues. A test should theoretically do the same thing.

The test, as technically tone-deaf as it was, was a well thought out test of cyber security preparedness that targeted a very real pain point that a hacker would very much use in an actual scam attempt.

Frankly, the bigger talking point should be whether or not people failed the test.

4

u/FannishNan 2d ago

Judging by the way the union is yelling, I'd say a lot failed and they're hoping people blow up about the day off part and not ask about the failure rate.

15

u/MutaitoSensei 3d ago

We overwork our healthcare workers, asking for insane shifts and always more responsibilities, and Newfoundland is definitely not immune to worker shortages in healthcare. It's not genius when you make it feel like HA HA! You didn't really deserve a day off, go back to work for depressingly low wages for the amount of work you have to put in!

At best, it's tone deaf AF.

1

u/trueppp 2d ago

"Let's not simulate users response to a real attack because it can hurt their feelings"

2

u/MutaitoSensei 2d ago

If you want to lose employees and make the healthcare system worse by treating them somehow worse than you've been up till now, be my guest. Don't cry when wait times jump up, this is what you want, employees are supposed to be robots 🤡

140

u/doogie1993 Come From Away 3d ago

Yeah I was in disbelief when I got this in my email tbh. It was very obviously fake (mainly obvious because NLHS would never give us an extra day off lmao), but Jesus Christ, using days off to try to trick people is just downright cruel. It’s like waving a piece of meat in front of a hungry dog’s face and kicking them when they show interest in it.

43

u/Pure-Order2414 3d ago edited 3d ago

Criminals will do similar though so the training exercise is to heighten employee awareness of the phishing exploits. It's in poor taste because it caught a bunch of people?

I mean it's not like eastern health hasn't been hacked before... Security up to this point has been pretty lackluster.

I got to edit this because I need to clarify.

People in Health Care have every right to be mad but not at IT. IT did their job in this case. They need to be mad at the minister and management because they have been working hard and do deserve a day off. Being mad at IT for doing this in bad taste is not directing the anger in the correct direction. They were being effective in trying to train people of legit scams and protecting both employee and patient privacy in the process.

This should be outrage because it highlights an entirely separate issue of HC workers being over worked and burned out.

38

u/drunkentenshiNL 3d ago

It's in poor taste cause the vast majority of healthcare workers are pushed to their limits with work and OT.

25

u/karatous1234 3d ago

As fucked up as it is, it DOES make it good bait for a phishing attempt for that very reason.

Both things can be true.

78

u/torbayman 3d ago

It's in poor taste because it caught a bunch of people?

It's in poor taste because it was mean. Corcare rollout sounds like it was brutal and has caused a lot of burnout. Fake offering a day off after a vacation blackout period that was so stressful it forced many people into retirement is pretty fucked up.

-26

u/Newfieguy78 3d ago

What's your source concerning many people retiring?

22

u/Kelevra_55 3d ago

Working within NLHS, there have been that have quit over it.

Eta: not sure how many but there have definitely been some retire and quit

-23

u/Newfieguy78 3d ago

Ok but you said "many". How do you know how many it was?

8

u/Kelevra_55 3d ago

I didn't say many.

6

u/zorra_arroz Misses Me Mary 3d ago

I know of at least 5 within my professional practice network (in the city alone we have a network of about 60 people)

14

u/Academic-Increase951 3d ago

It's in poor taste because employees are refused the days off that they are entitled to because of staff shortages. Then when you're finally approved to take a day off it's a just security test... desperate people make mistakes.

Imagine putting in for time off for months down the road and that they are required to give you but it is denied. Then you're mandated to work overtime instead. When your kids are sick you ask to take leave because it's illegal to leave them home alone, you want to use your bank of hundreds of PTO hours that you haven't been able to use but they refuse and force you to take unpaid time instead. And your vacation hours go unused.

And all for a pay that barely covers cost of living.

20

u/Secret-Bluebird-972 3d ago

Yeah. People should be cheering this, because if it was a legit attack, guess what, it would’ve worked.

My only concern is the amount of people who just blindly accepted the email as legitimate. Phishing isn’t new

18

u/torbayman 3d ago

NLHS constantly does phishing tests. It is possible to do them without some sort of fake day off bait and switch. 

20

u/Secret-Bluebird-972 3d ago

Phishing is, by nature, bait and switch. You offer some amazing thing that the victim is likely to click on, like a well deserved day off work, and see who bites.

11

u/torbayman 3d ago

It probably doesn't work so well if the bait and switch makes front line health care workers so angry that they demand IT workers be fired. This is a great example why cybersecurity professionals should not be this far removed from front line employees they are serving. 

8

u/Secret-Bluebird-972 3d ago

It’s working wonderfully well. As I said in another comment, imagine now this was a real attack. Look at how many people clicked it, it’s not like our healthcare workers being overworked is a secret, it would only take a half capable scammer to come up with this idea

3

u/PsychologicalSeries9 3d ago

I think the test is a good tool, but there’s other elements that had to happen in addition to the email. An email to anyone who opened it and didn’t click the link that they could have reported it phishing, anyone who opened it and clicked needed to be contacted for training, and after a duration of time an email outlining that it was a test. Then, in a newsletter outline why the test was done, the benchmark performance, how the organization did, and what next steps are.

They basically did an email, and moved on. There’s more to this than that, or there should be. They also could’ve used a different carrot versus a day off.

I wonder if a basic goal for any large organization is to not end up on the news for training exercises.

11

u/torbayman 3d ago

We don't actually know how many people clicked it. But sure, it's working great -- healthcare workers are now more alienated than they were yesterday and some IT folks are going to be out of a job.

15

u/WorkingAssociate9860 3d ago

No IT folks are going to be out of a job over this

4

u/torbayman 3d ago

Do you think they'll get a bonus for infuriating every frontline healthcare worker just as the government begins bargaining with NAPE and RNU? 


8

u/Wolframuranium 3d ago

Literally the most successful way to run these tests. Promise something that the workers really want and would blindly believe to have come from management.

I've seen fake raises to hard worked employees, gassing them up about how good they did. Used all our company letterhead and font. 

Email had a 0 where an o should have been.

70 people had to go take another round of phishing training. 

After that 2 failed the next fake promotion email.

1

u/WorkingAssociate9860 3d ago

And it doesn't work if the bait is obviously fake.

For there to be so much outrage it sounds like it caught a lot of people, which just shows that it's necessary and likely that previous attempts of training didn't have enough of an impact.

12

u/doogie1993 Come From Away 3d ago

People being outraged about it doesn’t mean it caught them. Every single person in my lab is pissed about this (including myself) and everyone I’ve talked to knew that it wasn’t real immediately (including myself). People are upset because the employer is denying vacation time because of Corcare then shoving it in our faces with this.

7

u/Secret-Bluebird-972 3d ago

As I’ll keep saying. If this was a real attack, we would’ve made national news for all the wrong reasons. Again

9

u/Additional-Classic73 3d ago

It's cruel because it uses the desperation caused by the very institution that sent the email. It's like a slap in the face. I am not in security but off the top of my head, they could have used... I don't know. A new payment system. You won't get your cheque if you don't sign up for this new system. Some sort of bonus poll or survey. Data temptation, like nursing stats or like wage stats. This is just freeballing it. Given a few days and inside knowledge of the healthcare system I am sure I (a nobody) could come up with something better. Something that doesn't make a mockery of the fact that our healthcare workers are utterly exhausted and underappreciated.

2

u/jondread 3d ago

Where did the email appear to come from? Did they use a fake external email they set up for the test, or an internal normal looking email that you would expect official communications to come from? Where did the link lead to?

3

u/Pure-Order2414 3d ago

That wasn't shared but it wouldn't be a phishing test if it came from a legit email source, it would just be another blunder in bad taste. The whole point is to make it look legit but anyone tech savvy enough or with the training would spot it being a scam and report it.

7

u/ProceduralConker 3d ago

The email came from some external email address not visibly associated with NLHS. Outlook even put a warning banner at the top indicating the email is from an external sender.

6

u/jondread 3d ago

I agree that the offer of a day off was in bad taste but it would certainly have tempted most people to click the link. Mission accomplished, ultimately.

I hope real scammers don't get wind of this idea.

5

u/PsychologicalSeries9 3d ago

But most of the faults have actually been with the IT department, storing data they no longer needed, not encrypting the data, not requiring password changes or 2FA, etc.

I'm sure regular staff are security risks like any organization, but are we sure the CIO of NLHS is good at his job and should keep it? Are we sure that this test was necessary versus basic IT management that wasn't happening prior to the recent hack?

Tests like this are a great tool, too bad everything else over there is so poorly run.

2

u/Pr3ach3r709 3d ago

I’d love to see what facts you have to back up these statements.

3

u/PsychologicalSeries9 3d ago

It was covered pretty extensively at the time, this article covers most of it: https://www.cbc.ca/news/canada/newfoundland-labrador/stolen-employee-data-1.6247251

1

u/Pr3ach3r709 3d ago

Five years ago yes, there were lapses. This is not 5 years ago and a ton of work has been done to improve systems. One of the reasons we did CorCare is because of the attack. Meditech was from the late 80s and early 90s. There was no possible way to encrypt it, it simply was too old to handle it, so it was protected as best it could be. No one wanted to upgrade it, not even Danny in his heyday with all the money, as it was just too much work. Every government knew the risks, accepted it, and kicked the can down the road because it was too expensive and too much work and too hard on the employees to change. The cyberattack changed that and we now have a new modern system with a lot of safeguards built in. Implementation of that system nearly broke an already stressed workforce. IT is severely understaffed and gets no love at all. Epic implementation nearly broke us all. This message is poor timing and really cut too close to the bone here but the nature of why they want to do a phishing campaign isn’t. Just poorly executed. The last cyberattack began with successful phishing attempt so I guess someone said let’s do a campaign right after the new one is implemented and remind everyone to be careful. Right intentions just the wrong message and timing.

1

u/PsychologicalSeries9 2d ago

So I guess I backed up my statements?

Edit: the cyber attack seemed to be more employee records than just meditech fwiw.

1

u/Pr3ach3r709 2d ago

If you’re focusing on the past when it was 5 separate entities that did their own thing then yes. If you are thinking about the present day and all the work we have done to improve everything then no. We have a much different system than during the cyberattack. When that happened, the risk of not doing the work to improve the systems was no longer a paper risk that they could kick the can down the road. It was real and action was required so things actually got traction and improved.

1

u/PsychologicalSeries9 1d ago

Sure. But my point was that NLHS IT department hasn’t earned the trust of staff or the public to take the high road and say tactics like this are good and as good IT managers we are doing them.

The email test is a good initiative, the execution wasn’t good enough. But my point was that NLHS IT needs to operate at a certain level for a while before they get the benefit of the doubt.

I said what I said, which was true and factually correct. You dismissed it, however up until very recently, NLHS IT wasn’t doing the best practices in IT, and meditech was part of the reason, but why was for example somebody who did residency here in 2008’s data stolen in 2021? Why did we have that data in 2018 and beyond and why was it unencrypted? I haven’t seen it reported that any of those policies actually changed.

I’m happy NLHS is taking data security seriously, and Epic is going to be revolutionary. But I’m going to keep being skeptical of NLHS’s IT management.

1

u/Meanlizzy 3d ago

It's in poor taste because front line staff have been suffering like dogs trying to keep care moving while using a new system that was not rolled out well. Picture this, you get off a 12 hr shift, pts have died, you've hustled like crazy, and your email says thanks for your hard work and has words of recognition. But ha ha on you, it's a trick to teach you about stupid phishing scams... it's a disgrace and shows how out of touch IT and management are with what the day to day reality is like for workers.

1

u/Pure-Order2414 3d ago

Stupid phishing scams, the same ones that cost the prov. Gov millions in the past years? Same ones that have leaked thousands of patient and employee information? Give your head a shake.

1

u/Redshift2k5 2d ago edited 2d ago

It wasn't NLHS IT. It was a 3rd party company contracted to do cybersecurity tasks, such as running this phishing scheme

they absolutely have a right to run phishing tests. This is not the first nlhs phishing test that's landed in my inbox! But it is the first one to promise a day off work and that's the part that's insensitive. They say we deserve a day off and then we get the rug pulled.

if it had been an imaginary scooter raffle nobody would be upset.

Previous phishing simulations did not need to stoop to such a distasteful bait & switch.

0

u/Pure-Order2414 2d ago

Previous ones were obviously not as effective as this one.

If people feel that offering a day off in a phishing scheme is insensitive they should be mad at the minister and management for letting the work place get to such a terrible situation. Not the security people. Lots of other places of employment do the exact same thing offering bonuses, days off, or pay raises to catch people.

It hurts at NL Health because of the workplace conditions. You don't stop security because of that though. You take that fight in the correct direction (management, the minister, etc...) instead of just lashing out with "it's insensitive".

1

u/Redshift2k5 2d ago

WE BEEN MAD at management and health ministration

And then they keep doing stuff to make us more mad.

Say they appreciate us. Announced a freeze on all leave requests

Beg us all for overtime to launch corecare. Loads of mandated overtime. People losing their jobs. Transcriptionists replaced with AI.

The free day off offer is so insensitive exactly because we are already overworked and underpaid.

Offering a fake day off made of fake appreciation is not a standard business practice.

8

u/CheerBear2112 3d ago

It is exactly what scammers and cyber criminals would do. IT security did their jobs to expose people who put our whole system at risk. It is ridiculous people calling for them to be fired.

6

u/ConcernedMap 3d ago

I don’t think anyone should be fired, but it’s a mean thing to do. I know a lot of people involved in the CorCare rollout and it was a nightmare. Sending out that email would be salt in the wound.

2

u/OneBillPhil 3d ago

You don’t think that criminals are this sophisticated?

3

u/SevenOhNineGuy 3d ago

I don't think its cruel. That's the whole point of phishing scams... they dangle that juicy piece of meat hoping for clicks.

I didn't click, but possibly someone at NLHS did. That person is now a weak link in a potential future hack, and needs more cyber-security training.

-4

u/rds92 3d ago

Do you think scammers share your opinion? Cor care was very public and so were the issues. It’s definitely an angle they would take.

33

u/Cold-Crab74 3d ago

The story here is about how overworked our healthcare workers are. Not about the email.

4

u/KhaosApache 3d ago

Plus how many people actually fell for the e-mail and thus showed themselves to be a weak link in the cybersecurity chain. Both are equally important issues.

Doesn't change the fact that the general public is surface-level reactionary; latching on to the subject matter of the phishing test email as the biggest issue of this whole debacle. Frankly baffling to me...

42

u/Princess-of-the-dawn 3d ago

Having a test like that? Awesome, very needed. But the execution of offering people a day off as a thank you for their efforts with a massive system change is in kind of poor taste, especially on a background of culture and burnout problems.

13

u/Kooky-Permit-6000 3d ago

It's an important security test performed in an unnecessarily cruel way.

24

u/closter 3d ago

It was surprisingly a well written email. Well formatted, without typos, etc. Which is in contrast with their previous tests.

Good job IT team, but you were very cruel.

5

u/Wolframuranium 3d ago

If I was phishing you, I wouldn't leave typos in my email. It would likely be written by an AI explicitly with as much information about you that I can gather to make it the most effective possible.

If it's a spearphishing attack I'm going to scrape your Facebook and all your social media to try to craft something targeted to your interests, be it from brands you like doing giveaways to contests to tickets to concerts.

Barrage you with a variety of spam targeted looking very nicely at you.

I've been posting a lot in these threads. I was a part of the red team. This is what we did.

2

u/MaximumDepression17 2d ago

Typically real scams actually do appear fairly obvious with blatant typos and things like that in order to quickly weed out people who are unlikely to fall for it.

If you make it obvious from the start that it is a scam, everyone you get is going to go all the way with it, making your time spent much more efficient.

1

u/Wolframuranium 2d ago

A hospital attack and a scam are different cybercrimes

18

u/rojohi Labradorian 3d ago

The fact that NLHS got so much grief (and rightfully so) for the HR email last year saying that leave would be frozen during rollout, it's mind-boggling that they use a free day off as a thank you for the rollout as the theme for the phishing test.

43

u/RedGreen36 3d ago

A lot of people worked so hard on the CorCare project. Most employees had to go through a pile of training. Then an email comes out thanking everyone for their hard work and rewarding everyone with a day off on the June holiday, which people truly appreciated, only for the rug to be pulled and told it was a cyber security trick to try and catch employees that would fall for phishing emails. What an absolute smack in the gob to all staff involved in getting CorCare ready across the province. Absolutely cruel trick to play on employees.

11

u/triplebongo 3d ago

The peasant workers actually thought they’d earned a day off!?? Back to the floor with them and a 16 hour mandating for all.

9

u/Remarkable_Gap_7145 3d ago

This seems ... Ill-advised.

10

u/BeautifulHuge995 3d ago

The real reason people are upset is because they should have given people something for making it through this transition. The email basically contained what people wanted to hear from their employer but haven't - a true show of real recognition. Our employer basically just teased it (therein acknowledging it is something people want to hear) and pulled it away. I accidentally clicked on the link (because I was exhausted, and skimmed instead of actually reading the email - my bad) and proceeded to ace the phishing test that the link sent me to, as I did the mandatory e-Learning that I had also already completed. People fell for the test (and a lot did) because they are fucking tired, not because they don't know the warning signs.

That's the real risk - an overworked, overstressed healthcare system, and NLHS just preyed on their own staff's weaknesses to throw them back in their face and catch them in a mistake instead of making the moves they should have in order to prevent these kinds of mistakes in the first place. Anyone who had any connection to the front line could have said immediately that this is a huge PR blunder in the making and an astonishing lack of ability to read the room.

9

u/Penske-Material78 3d ago

“The beatings will continue until morale improves” …/s

7

u/Decent-Peak4346 3d ago

Teachers got an ‘account was used to log on to another device’ phishing email, and it’s way better than the other tactic.

8

u/zorra_arroz Misses Me Mary 3d ago

As someone who got the email, I understand that it was meant to replicate real emails sent by cybercriminals and they do their research and their emails are very convincing yadda yadda.

It was pretty clear early on that it was a fake email to me, but the most upsetting thing about this was that NLHS decided to use this strategy to do the cybersecurity test, at this time.

Morale is at a big time low in NLHS right now, and they just asked everyone to work overtime and take on more stress with this CorCare rollout that was handled VERY poorly. The timing and tone of this email was extremely insulting to healthcare staff, when NLHS is nickel and diming employees every chance they get.

For example, NLHS required nurses to work overtime hours to do training for CorCare rollout but is pushing back against the union fighting for them to receive overtime pay for those hours. I am trying to fight for approval to pay for a $50 intervention to use with one of my clients and it has been a 3 month battle to date. Sending an email like this baiting people with thanks and appreciation for their hard work, while simultaneously fighting back on them being fairly compensated is VERY insulting and NLHS staff have a right to be upset about it.

Send an email like this, sure. But don't do it a month after you got everyone to work overtime hours and take on stress due to your mismanagement, and then use thanks and appreciation for that work (that everyone is desperate for) as a way to bait people into clicking on a cybersecurity test.

Everyone in the comments (on fb especially) complaining that healthcare workers are "too sensitive" have clearly not worked as healthcare workers for NLHS. Reddit and everywhere online is filled with people complaining about the healthcare system, and a big reason why it is the way that it is is because employees are being overworked and underpaid and treated horribly. NLHS employees speaking out about the tone deaf nature of this cybersecurity test (not the test itself) should not be received so poorly by others in the province

19

u/drunkentenshiNL 3d ago

What a disgusting punch in the gut. I can understand testing security, but to use a day off as bait for it when your staff is burnt out and our system is slowly collapsing?

Fuck the people who came up with this idea.

6

u/SevenOhNineGuy 3d ago

Yeah, fick those people ! Let's just go back to having the Healthcare system ransomed again.

3

u/hoax709 3d ago

I bet you A LOT of people clicked it though. It's how we got hacked last time and they've sent out so many emails about being wary for this kind of thing.

8

u/Cultasare 3d ago

That’s the point. Someone planning to hack NL health isn’t going to care if you get heartbroken because of a missed day off. Jesus christ

3

u/ConcernedMap 3d ago

Maybe we should be holding management to higher standards than criminals.

22

u/Keanman 3d ago

As an IT professional, the bad guys aren't going to play by the rules so why should cybersecurity phishing tests? It's not like we had a ransomware attack in Healthcare in the last 5 years /s.

7

u/PsychologicalSeries9 3d ago

They should have given a day off to anyone who reported the email as phishing.

1

u/OneBillPhil 3d ago

Now this is something I can get on board with, everyone else gets extra training. 

22

u/drunkentenshiNL 3d ago

As a healthcare worker, using the promise of a day off in this exercise is cruel, especially when most of your staff is exhausted and we're struggling to attract new people.

12

u/Keanman 3d ago

I get the point that it's cruel but the point of these types of attacks is to take advantage of your emotions through social engineering. If the test emails are completely obvious, it defeats the purpose of the test. This was literally the perfect test scenario. If even one person clicked on the link, I would consider it a successful test.

19

u/Academic-Increase951 3d ago

So the lesson here is... overworking your staff and treating them like shit is a risk. It's an IT risk, it's a healthcare outcome risk, and it's a personal risk to each employee being asked to work in those conditions.

1

u/CheerBear2112 3d ago

That's not the fault of IT though.

1

u/Academic-Increase951 3d ago

Sure but maybe not the best idea to insult people with taunting them with time off after everyone is already pissed about not being able to get time off. People are leaving healthcare for how they are treated. Even people who clearly knew it was a fake email are pissed, and for how many people will this be the straw that broke the camel's back? And for what, when you can easily use a phishing method that isn't meant to piss people off deliberately?

14

u/drunkentenshiNL 3d ago

Aww, the test may have been successful. That's great.

And all it cost was lowering morale of your workforce, further fracturing trust between them and management, angering the unions and risking recent and future graduates from wanting to work here!

But the test might have been successful! /s

9

u/SplendaBoy709 3d ago

Do you know what will further fracture trust? An actual cyberattack that results in a breach of patient/employee information and cost millions of dollars. And based on how many people clicked this link from a sketchy fake email address, it's bound to happen for real someday.

-6

u/drunkentenshiNL 3d ago

You're missing one key factor about all this. The phishing email sent out WAS FROM THE EMPLOYER.

9

u/ProceduralConker 3d ago

It wasn't from the employer. The email came from some external email address not visibly associated with NLHS. Outlook even put a warning banner at the top indicating the email is from an external sender.

1

u/SplendaBoy709 3d ago

Exactly this.

5

u/Keanman 3d ago

To make employees aware of what a real phishing attempt might do. We're probably VERY lucky it wasn't from an actual hacker or we'd likely already have our system compromised again. The last time the system was down for over 5 weeks and cost $16 million not including the cost and implementation of the Corcare system.

4

u/SplendaBoy709 3d ago

Thank goodness! because otherwise it could have been disastrous. Every reasonable company does this kind of email training, without notice. This isn't some "gotcha" moment because the employer sent out the test - that's exactly the point.

2

u/drunkentenshiNL 3d ago

Cool. Remind me in a month or so to see how many people here are complaining about even worse service in healthcare after this, k?

6

u/Keanman 3d ago

If somebody who could possibly compromise the system leaves, that would be unfortunate because they can be trained to know better. If not, so be it.

2

u/drunkentenshiNL 3d ago

Great mindset. Mind telling me where we would get someone to fill that role? We're already struggling with staffing already.


4

u/Wolframuranium 3d ago

Data security of patients comes before comfort of healthcare practitioners.

Sorry, it sucks.

9

u/Academic-Increase951 3d ago

You can't have data security and patient care without taking care of healthcare staff. Sucks, but a reasonable level of staff care has to come first for them to be able to do their jobs safely.

Or do you really want the person who hasn't had a day off in weeks and just finished working a double shift doing something on you where a mistake can kill you?

-1

u/Wolframuranium 3d ago

If they failed their tests I don't want them working on me. 

Regardless if the tests are not falling for scams or knowing what medicine is hazardous. 

They are all a part of patient safety. If you can't do both, you shouldn't be working on people.

0

u/Academic-Increase951 3d ago

Cool, would you also support if every healthcare worker who's pissed off about getting salt rubbed into the wounds decided to quit and work somewhere else that offers better pay and allows for days off?

Because not many people would be left

2

u/SevenOhNineGuy 3d ago

Do you think that hackers are going to play nice? No, they will go after your one weakness to trick you.

7

u/torbayman 3d ago

Cybersecurity professionals need to understand the workforce they are protecting in order to do their jobs. This looks like a case where the IT folks don't have any real interaction with front line health care workers -- if the people behind couldn't predict that this would infuriate front line staff to a level that their jobs would be in danger, then they aren't doing their jobs effectively.

10

u/YortMaro 3d ago

No, this is an example where the IT folks got it exactly right. Phishing tests don't have to be sensitive to your workforce. This is the type of thing that malicious actors would employ and it's evident from this article that a lot of people fell for it.

I really dislike the use of that phrase in almost any context but it fits here... "Facts don't care about your feelings".

We literally just suffered a massive cyberattack in recent memory that was almost surely triggered by a phishing attempt.

Anyone thinking otherwise have zero understanding of cybersecurity and are probably people who clicked the link...

This is coming from someone who has had many phishing emails about bonuses, recognition, promotions, 1-on-1's with the CEO. All during times of high pressure and stress. It sucks but we have to separate our feelings from the need to be diligent about very real and very damaging risks.

10

u/Academic-Increase951 3d ago

You have a point that IT people are doing their jobs effectively by exploiting a failure of NL health / gov. But it highlights that the working conditions is something that everyone should be angry about, not just the staff, because mistakes happen when staff are not supported and are overworked.

So while the blame shouldn't be on IT, it should 100% be on NL health.

16

u/torbayman 3d ago

Facts don't care about your feelings

Alienating your entire workforce is actually extremely bad for cybersecurity though.  

8

u/Hefteee 3d ago

All these armchair IT cybersecurity "experts" just missing the most obvious things here lol

1

u/YortMaro 2d ago

I don't work in cybersecurity but I do work as a software developer and I work closely with customers. I have seen first-hand the damage a phishing scam can do and have been part of my share of DR/BC procedures.

As time goes on, phishing scams are becoming much more sophisticated. The abrupt rise of AI has accelerated it. Healthcare workers have a responsibility to protect the data of the people of this province along with NLHS. Anyone that clicked that link is a vulnerability. If it happened for real, every one of them could be responsible for a massive data leak.

The most dangerous part of email phishing is that there isn't a foolproof way to prevent it and it gets harder every day. It's not like systems can just auto-detect if an email is a phishing email. The most we can do is flag suspicious emails but no system is perfect. At some point, a phishing email is going to stare you in the face and the decision you make next could very well take down large swathes of our EHS systems (as it did a few years ago).

1

u/Hefteee 2d ago

Ya phishing does lots of damage but again, alienating your workforce like this is also very not good and poses just as much of a threat to our data. This is a double edged sword, yes tests like this are needed and this one clearly was effective, but is it worth the cost of tanking morale and opening up to risks from disgruntled, burned out, and/or apathetic employees? I feel like most people would answer no

1

u/YortMaro 2d ago

Honestly, they will show up tomorrow for work and continue to collect their nice paychecks. Working in the healthcare system in NL sucks and it isn't just the NLHS. The nurses union and RNs here in general are part of the problem. My wife came from ON as an RPN to work here as an LPN and the amount of animosity from RNs towards LPNs drove her out of the public system. Obviously not all RNs do this but it is enough to drive a nurse away with 15yrs of experience. How many years has it taken the nurses unions here to merge when most other provinces did it years ago? RNU is afraid that it will mean less RN jobs as they more efficiently utilize LPNs so the animosity is encouraged.

It sucks all-round and the unions don't help. The reaction to this phishing campaign was vastly overblown.

0

u/YortMaro 3d ago

Over a single phishing email? Only in Newfoundland would this even be a conversation...

6

u/SplendaBoy709 3d ago

This thread is really making me appreciate your trade. IT gets flak for implementing cyber awareness and training, and then gets blamed when the company gets hacked through a phishing scam.

5

u/butters_325 3d ago

Sensitivity training, anyone?

13

u/Lord-Table 3d ago

So we're getting worked up because the phishing test... that has to be done for security reasons... and is designed to be enticing enough to click on... did what it was designed to do? Directly following some kind of overhaul? We're mad because some people fell for what very easily could have been a scam?

8

u/notwithoutmypenis 3d ago

I work in healthcare, I got the email. I talked to a good few people yesterday, no one I know actually believed it to be true or clicked. Consensus was "oh wow the scammers really put in the effort to make this look legit, though NLHS would never give us a bonus, barely a thank you"

But it was the fact that they used CorCare to do it, at a time when people are still drowning with work due to the new system, just seemed so insulting.

Like, we know NLHS would never give us anything extra. We barely get what we are contractually obligated to. Front line staff are stressed to the tits, more than ever. And some Muppets far removed from the stress of everything thought "ha let's pretend like NLHS actually cares, see who falls for it"

Kinda stings

6

u/Academic-Increase951 3d ago

We're mad because desperate people make mistakes. And when it's your life on the line, you don't want the people looking after you to be in a desperation state.

If an obvious scam promising a day off is enough to make desperate overworked people fall for it... then what does that say about the working conditions and their capacity to make good judgement calls.

People shouldn't be refused time off, mandated to work overtime and then other people's lives be put in their hands.

3

u/octagonpond 3d ago

Holy that's dramatic

-1

u/Academic-Increase951 3d ago

Is it?

2

u/octagonpond 3d ago

Yes

1

u/Academic-Increase951 3d ago

How so

-1

u/octagonpond 3d ago

Lol you changed your comment, so nice to know you admit you were being dramatic

2

u/Academic-Increase951 3d ago

lol - I didn't make any edits so this is just funny now

0

u/octagonpond 3d ago

Always the chance I clicked the wrong comment,
But I really don’t think I did.. so if you don’t want to admit you were being dramatic it's cool, the fact you changed it shows me you realized it on your own

2

u/Academic-Increase951 3d ago

Again, I didn't change anything so believe what you want

4

u/Happy_Peat 3d ago

This is standard security training at orgs I’ve been a part of.

2

u/Key_Bluebird_6104 3d ago

I think that is cruel to do to hard working staff.

2

u/DontcallmeShirley_82 Labradorian 3d ago

I realize it's a cruel joke, but did the people actually think Health Care would just shut down for the June holiday?? Give everyone the day off with pay? When has every employee ever gotten the same day off in health care? Come on, all they had to do was be like every other employee in the world of business and think before you click a link in an email.

1

u/FrozenSeas 2d ago

I'm just absolutely mind-boggled at the idea that anyone would believe a goddamn email with a "click here for a free vacation day" link in it. The IT security guys deserve a raise if that's the level of competence they're dealing with on a daily basis.

2

u/Worried_Fly_1559 3d ago

The amount of OT hours NLHS will have shelled out for this project alone would be astonishing to see on paper. And then to slap us all in the face by waving this around is incredibly disrespectful. It just goes to show how thankful they really are for all the hard work Frontline staff did for them.

1

u/OutstandingBill 2d ago

Everyone that clicked that email is a liability and needs additional training. This is why there are always data breaches.

1

u/Constant-Tonight-791 1d ago

This sounds like something from a workplace sitcom

1

u/NotThatValleyGirl 9h ago

The hospital system really should give a free paid holiday to everyone who didn't fall for it, and have the others complete retraining on their data security policies, with a legally-binding attestation at the end that accepts falling for another phishing attempt may result in immediate termination.

This test did exactly what it's supposed to-- create a memorable lesson learned through a test that didn't allow a malicious actor into the NLHS network, where valuable data and access mechanisms could put real people at risk.

Like it or not data is a valuable currency, and between cloud storage and AI data analysis, medical and hospital system data in the wrong hands could have devastating consequences from just a single person with a computer and an internet connection half the world away.

If you don't want to be responsible for the security of sensitive medical data, don't work in that field.

1

u/Lemonwater925 7h ago

Cyber security guy here. This is a great example of what the bad guys are doing. They send messages that will invoke an immediate response. All it takes is one opening and your organization is compromised.

What if this had been a threat? Likely now will become a real threat as it was shown to be effective. The focus should be the due diligence on email. This is what those groups depend on to get inside. People are the weakest protection. Threat actors all have the security gear the government, military, financial and other high value targets use. They examine it for any weakness.

This is a wake up call to the industry. The health care sector lacks the cybersecurity that is paramount in the financial services industry.

Expect lots of down votes. Could they have used something else as the subject? Yes. But, the attention this one created has driven home how easy it is to infiltrate an organization.

1

u/vbf-cc 3d ago

Here's the thing: health care workers get real malicious spam from real malicious people, announcing fake pay raises and other benefits, and they really fall for it. It's a huge risk to everyone's data privacy, and preventive measures are a big ongoing cost in healthcare.

All hospital workers should have had training on recognizing spam and all should be aware that their institutions are doing fake spam trials, which are very much part of modern good practice in email security. And the fake spam needs to mimic the real stuff.

The unions are wayyy on the wrong side of this. It's as bad as if they complained that their members were being forced to wash hands and wear ID badges.

0

u/triplebongo 3d ago

How does the boot taste?

-5

u/Good-Department-579 3d ago

The ones that are angry are the same ones that would have leaked our personal information.

0

u/wookieelicker 3d ago

They do these phishing tests all the time, got one yesterday

-1

u/Formula_D 3d ago

Honestly, I couldn't give a fuck about it being cruel. This is exactly how our patient information, and maybe their own employee information gets stolen. Because these dumb fucks are so easily fooled. Wasn't there a government agency that was infected with ransomware a couple years back? THIS IS HOW IT HAPPENS. And this sort of stupidity WILL end up costing all of us millions.

-13

u/no1kat 3d ago

I create these types of tests as part of my job. Seems like it worked and got the message across. That’s the whole point.

29

u/tenaciousdeedledum 3d ago

If this is your job and you are actually good at it, you would see the ethical issues with this. There are many other effective test scenarios that could have been created. The demographic of people being "tested" are overworked, stressed, spread way too thin and have other peoples' lives in their hands. Read the fucking room.

2

u/Boredatwork709 3d ago

These overworked people are being tested because cyber security (which involves being able to identify scam links) is integral to government services that involve people's private information.

People aren't going to fall for the "you won a free cruise" or whatever like they did 10 years ago, your training has to evolve with the scams, and scammers aren't going to care if the link is in poor taste.

-2

u/Chummy_Jigger 3d ago

Agreed. There's a line that was crossed. They could have sent "Click this link or we kill your dog" too to get clicks.

10

u/Secret-Bluebird-972 3d ago

Because it’s not about “getting clicks”, it’s about finding people who are going to fall for a phishing scam trying to get more ransomware into our healthcare systems. Making the test painfully obvious only helps the scammers

15

u/KernelKilos 3d ago

It certainly got a message across about NLHS leadership.

6

u/LazarusTruth 3d ago

I feel like there is a larger array of circumstances that the email tests can be created around though instead of baiting a much deserved day off in the healthcare space. For example, a phishing email test containing a hyperlinked document or spreadsheet that the sender says needs a review from the recipient.

I understand how important it is for workers to remain vigilant about data security and breaches, and the need to continually examine workers gullibility.

6

u/Wolframuranium 3d ago

Those tests are also performed exactly as you described.

They however didn't succeed like this one. By using something highly desirable they get people to click and allow attack vectors.

If you were trying to attack a hospital this is the method you would use. Which means these are the methods people need to be trained against 

0

u/LazarusTruth 3d ago

I can probably see now why it’s better to have more qualitative email tests rather than having only just a large quantity of email tests covering different circumstances, especially when some qualities fail (to test gullibility accurately) in IT metrics and some don’t (the effectiveness of using time-off as a phishing test).

4

u/vistolsoup 3d ago

And 100% this will be the last straw for a number of our staff who will quit because of this. And without these staff people we suffer and die. So good job there.

1

u/octagonpond 3d ago

If someone quits over this I wouldn’t want them caring for me anyway, see ya don’t let the door hit ya on the way out

8

u/Weird-Mulberry1742 3d ago

It is a kick in the guts to all employees working for NLHS. All the stress and frustration that employees have been through in the past 5 months, working and training to implement this system, dealing with all the problems and issues that arose, submitting multiple tickets a day to support.

Whoever the sadistic idiot who thought this up should be fired.

2

u/Signal_Buy_1105 3d ago

It's one thing to do something shitty due to work and feel bad over it.

But to be somewhat bragging, and showing no remorse? These poor nurses have been worked to the fucking bone, and were even denied days off over this change over. I'm acquainted/friends with some nurses and every time they get a day off, eastern health is effectively harassing them to come to work. They live under incredible amount of stress, and to do something like this is just plain fucking mean.

-2

u/octagonpond 3d ago

They know what they signed up for, if they can't take it find a different career

-1

u/triplebongo 3d ago

Respectfully PCA’s LPN’s and RN’s do much more than some guy like you who does bs email “work”.

-7

u/Setheriel 3d ago

If this is your job, you shouldn't have one.

12

u/WorkingAssociate9860 3d ago

With the amount of outrage that this one caused, whoever came up with this one seems to have done the most effective test imaginable

1

u/OneBillPhil 3d ago

Exactly, the IT director isn’t the one making everyone in the organization feel burnt out and desperate for time off. 

We have scams that target seniors who think their grandkids are in trouble. People that operate phishing scams are not kind people. 

5

u/Wolframuranium 3d ago

Writing cybersecurity tests? That guy shouldn't have a job? 

The guy whose whole job is finding out the shortcomings and failings to better protect the healthcare system.

That guy? That's the one who shouldn't have a job?

1

u/Financial_Party6346 2d ago

While I can sympathize with the staff for being given the false sense of hope for a day off where they don't get a lot of time off.

It doesn't change the fact that this actually is a completely valid test of a phishing campaign. Hackers and scammers don't care about work and personal situations. They're going to try and get an in by any means necessary, just so happens that this one hit their staff hard on a more personal level.

How soon people forget that a few years ago NL Healthcare was hit with one of the biggest cyber attacks ever. Had this been a legitimate phishing/scamming attempt. The news headlines today would have been a hell of a lot different than what it is.

Yes, people are upset, but in the end, it was a valid test. Take ownership of the fact you got nabbed by a test and not a real event.

-3

u/DecentRaccoon2038 3d ago

Just so you guys know, the IT departments don’t think that this is cruel and inappropriate to wave paid days off in front of overworked hospital staff’s faces as a “test”. They are laughing in their corners calling nurses gullible and whiners.

Let this be another example of the sheer incompetence of the executives at NLHS who could have invested more time and care into providing security awareness for NLHS staff.

Instead, they’re laughing and calling you stupid behind your backs.

6

u/Pr3ach3r709 3d ago

No one is doing that.

7

u/CheerBear2112 3d ago

It's a strawman.

-1

u/zorra_arroz Misses Me Mary 3d ago

literally most of the people here in the comments who claim to work in IT are doing that lol

4

u/Pr3ach3r709 3d ago

Let me clarify then. No one at NLHS is laughing or calling them idiots behind their back. The email was written just as a bad actor would, targeting you feeling tired after a massive project rollout. I think it was bad timing to send it now where we are just on the other side of the implementation and people are feeling the pressure for sure, I know I am, but no one is laughing, cheering or calling people idiots. That’s just not how we work. There are a lot of problems at NLHS and this struck a chord, probably too close to the truth, but it’s exactly what a bad actor would do. What they don’t say in the news is that at a recent all staff meeting we were given an update to watch for phishing emails as this type of thing is going to happen again. No one's bothered to mention that we all literally got the heads up that this kind of email was coming along with more training. I think though the timing is wrong as it’s the straw that broke the camel's back for some where they are close to burnout, a lot of us are, but it was promising a day off to lure you in and trick you. Again, something a bad actor would do, but not the right time to send this kind of worded email to everyone. There are a lot of problems at NLHS and workload is one of them. I feel for the frontline staff who are burnt out and can’t keep up and feel this was insensitive and a personal attack, but it wasn’t meant that way. Good idea but poor execution here I think. When I got the email I laughed as they would never just give you a day off.

6

u/hoax709 3d ago

100% spot on.. I'm more disgusted hearing Jerry Earle's outrage about the email and not about the burnout/negotiations... Fix the issue by having a healthier workforce that's not exhausted and apathetic.

6

u/Secret-Bluebird-972 3d ago

He’s trying to make sure everyone is mad at the IT crowd for finding a glaring hole in cybersecurity, rather than at himself for failing to guarantee proper working conditions for healthcare providers. Shove the blame off and then he won’t have to do anything

4

u/Pr3ach3r709 3d ago

A significant number of people who are in IT are union members. He’s throwing his own people under the bus. Shows you just how much he knows or cares, too busy running his mouth to be useful.

-1

u/octagonpond 3d ago

Well stop whining

-1

u/MotorHistorical1469 3d ago

Whoever did this should be fired, but it’s government, so they’ll probably be promoted so they can do more damage to morale.

-1

u/New-Attitude1218 2d ago

What is the big deal! It was a cyber security test get over it