Training staff at smaller organizations about important privacy and security issues can prove challenging. In addition to being time-consuming and potentially costly, the material can often be tedious and boring.
That's why it's great to see a federal agency offering a free, easy-to-use training program that simulates a game environment and provides useful insights with a light, entertaining touch.
Called Cybersecure: Your Medical Practice, the program offers clever graphics and audio narration of a series of questions about various real-world privacy and security scenarios that staff at a smaller healthcare clinic might face. Those playing the game learn about proper procedures as they answer questions. Then they gain access to additional tips and feedback on key issues, which generally relate to HIPAA compliance.
The Department of Health and Human Services' Office of the National Coordinator for Health Information Technology deserves credit for developing this engaging tool. It's rare for a regulatory agency to offer useful, practical, free training tools to help those who lack expertise take the right steps to protect consumer privacy and security. Let's hope other agencies that regulate other business sectors follow ONC's example.
Posing Important Questions
While the questions posed in the medical practice game might seem basic to an information security professional, they deal with issues that may be unfamiliar to many who work at a small clinic - or even a larger practice or hospital.
For example, in one scenario, a character in the game asks if she can take home her laptop to work on billing. The correct answer: Only if all the patient information on the device is encrypted.
In another scenario, a patient asks if the practice can load his records onto a USB drive that he provides. The correct answer is that the practice does not load information onto outside devices, but it will provide records on its own USB drive. That way, of course, the practice avoids the risk of the patient-provided USB infecting a computer with a virus.
Other questions deal with a wide variety of issues, from how to securely send patient information to a physician who's on the road at a conference to avoiding the sharing of passwords.
Obviously, the game won't take the place of comprehensive privacy and security training. But it offers a useful way to reinforce many key issues, especially for newer employees. And to ONC's credit, it actually makes training fun.
Security professionals in healthcare, and even those in other industries, should check out this clever approach to training. HHS ought to look for other ways to use the gaming approach to offer education on important consumer protection issues. And other government agencies should devise their own security training "games" geared to smaller organizations with limited resources.