The Security Scrutinizer with Howard Anderson

An Entertaining Approach to Training

New 'Game' Offers Useful Privacy, Security Insights

Training staff at smaller organizations about important privacy and security issues can prove challenging. In addition to being time-consuming and potentially costly, the material can often be tedious and boring.

See Also: 5 Requirements for Modern DLP

That's why it's great to see a federal agency offering a free, easy-to-use training program that simulates a game environment and provides useful insights with a light, entertaining touch.

Called Cybersecure: Your Medical Practice, the program offers clever graphics and audio narration of a series of questions about various real-world privacy and security scenarios that staff at a smaller healthcare clinic might face. Those playing the game learn about proper procedures as they answer questions. Then they gain access to additional tips and feedback on key issues, which generally relate to HIPAA compliance.

The Department of Health and Human Services' Office of the National Coordinator for Health Information Technology deserves credit for developing this engaging tool. It's rare for a regulatory agency to offer useful, practical, free training tools to help those who lack expertise take the right steps to protect consumer privacy and security. Let's hope other agencies that regulate other business sectors follow ONC's example.

Posing Important Questions

While the questions posed in the medical practice game might seem basic to an information security professional, they deal with issues that may be unfamiliar to many who work at a small clinic - or even a larger practice or hospital.

For example, in one scenario, a character in the game asks if she can take home her laptop to work on billing. The correct answer: Only if all the patient information on the device is encrypted.

In another scenario, a patient asks if the practice can load his records onto a USB drive that he provides. The correct answer is that the practice does not load information onto outside devices, but it will provide records on its own USB drive. That way, of course, the practice avoids the risk of the patient-provided USB infecting a computer with a virus.

Other questions deal with a wide variety of issues, from how to securely send patient information to a physician who's on the road at a conference to avoiding the sharing of passwords.

Obviously, the game won't take the place of comprehensive privacy and security training. But it offers a useful way to reinforce many key issues, especially for newer employees. And to ONC's credit, it actually makes training fun.

Security professionals in healthcare, and even those in other industries, should check out this clever approach to training. HHS ought to look for other ways to use the gaming approach to offer education on important consumer protection issues. And other government agencies should devise their own security training "games" geared to smaller organizations with limited resources.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.