Avatar Game Simulates Health IT Security Scenarios

IT experts see value in training tool for smaller practices, but interactive video also an effective training tool.

Michelle McNickle, Associate Editor of InformationWeek Healthcare

September 25, 2012

4 Min Read

Uncle Sam Shares 12 Top Health Apps

Uncle Sam Shares 12 Top Health Apps

Uncle Sam Shares 12 Top Health Apps (click image for larger view and for slideshow)

The Office of the National Coordinator (ONC), looking to gaming technology to improve training in IT security, recently introduced CyberSecure: Your Medical Practice--a Web-based security training game that uses avatars to simulate real-life security scenarios.

Laura Rosas, privacy and security professional at the ONC, said in a recent webinar that she sees the game as "a way to bring [IT security training] to people on the front line." She and Will Phelps, HIT cyber security project office, developed the game over a series of months in an effort to "address a series of dilemmas staff were having."

"The game is designed to have value for everyone, but particularly smaller practices," she said. "They don't have the budget and infrastructure. We're targeting the game toward these practices." Rosas added that ONC is planning on developing a series of games, "but this is a great first step."

[ Innovative approaches to medical data analysis can lead to better care and lower costs. Read more at Health IT's next challenge: Comparative Effectiveness Research. ]

The game addresses topics such as best practices to keep passwords secure, strategies to protect patient information, how to control access to patient information, and how to secure and encrypt information residing on mobile devices. Game players receive questions from avatars posing as medical staff and have to choose the best answer to control health information, Rosas explained.

At the beginning of the game, players are told they're part of a doctor's office, which gains and loses resources--like exam rooms--depending on how well the player does. An avatar explains the layout of the game, the rules, and the timeline at the bottom of the screen, which displays the player's score. The player selects a security "scenario" to play out, which asks him or her to answer a question at the end of each scenario. If the player answers correctly, she gains resources; if she answers incorrectly, her decision "affects the practice," said Rosas, and she loses resources.

At the end of each round, players who answer questions correctly are given access to a glossary of terms and "sticky notes." The notes provide additional tips on best practices as well as explanations of correct answers to previously posed questions.

Chad Boeckmann, president at Secure Digital Solutions, said in an interview with InformationWeek Healthcare that the rise of these gaming platforms is inevitable, especially considering the younger, incoming workforce. "...With companies like Zynga and Facebook applications, we're going to see those platforms deployed in achieving certain business objectives, like training," he said. "You can take a game like Farmville and turn it into a fun way for organizations to educate their user base, many of which don't have a background in information security or IT."

Although Boeckmann sees value in games like ONC's, he believes another training option could come to the forefront more quickly. Interactive video content, he predicts, will make a bigger splash, training-wise, than gaming. "I think it's coming sooner and is more adaptable to organizations as opposed to gaming," he said. "Gaming is going to take more time."

Mahmood Sher-Jan, vice president of product development at ID Experts, said based on his experiences, organizations are leaning more toward real-life role playing than games to train employees. "We don't call it game playing," he said. He and his team are seeing an uptick in role playing, with organizations requesting to do this type of "table-top incident response planning" to determine their biggest risks and how they would respond to certain scenarios.

"Sometimes everyone knows it's a game, but sometimes they want to do it as if it's real," he said. "This process can prevent incidents from occurring because it forces you to look at policies and procedures and to identify an incident. All aspects of that process are exercised."

InformationWeek Healthcare brought together eight top IT execs to discuss BYOD, Meaningful Use, accountable care, and other contentious issues. Also in the new, all-digital CIO Roundtable issue: Why use IT systems to help cut medical costs if physicians ignore the cost of the care they provide? (Free with registration.)

About the Author(s)

Michelle McNickle

Associate Editor of InformationWeek Healthcare

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights