Can a computer game help practices keep data secure?
■ A practical look at information technology issues and usage
- WITH THIS STORY:
- » External links
Losing an exam room is not a real-life consequence of a data breach or a violation of the Health Insurance Portability and Accountability Act. But the Health and Human Services Dept. Office of the National Coordinator for Health Information Technology hopes that losing it in a fictitious scenario created as part of a game could be an effective way of teaching health care employees the causes and effects of their bad decisions.
The ONC acknowledges that creating a culture of data privacy and security is something a lot of small practices are failing to do because of budget and manpower constraints. So it has developed a free, Web-based game aimed at helping practices understand HIPAA and learn to implement data security policies and safeguards.
“What we really wanted to address was the experiences and dilemmas that staff were having in practices that are adopting electronic health records and other types of health information technology,” said Laura Rosas, MPH, privacy and security professional for the ONC’s Office of the Chief Privacy Officer who was involved with the development and launch of the game.
Rosas said implementing effective training has been a challenge for many small practices that do not have the time or resources to implement other types of training materials. Although few people would probably enjoy reading numerous manuals on HIPAA compliance, a 30-minute game could teach employees best practices to keep a password secure; strategies to protect patient data; how to control access to patient information; how to secure and encrypt mobile devices; and how to use software to block viruses, among other things. Results of the game could help practice administrators identify areas that need reviewing.
The game, “Cybersecure: Your Medical Practice,” has a look similar to that of the popular virtual reality game series “The Sims.” It takes players through scenarios dealing with HIPAA privacy and security rules. Employees, who play the game as an avatar physician practice worker, are asked questions based on each scenario. They can add or lose exam rooms, office equipment and points based on right and wrong answers.
The game has three levels. At the end of each one, players are given feedback on their answers, which explains why each answer was right or wrong. A player cannot advance to the next level without achieving a certain score in the previous level, but the level can be repeated as often as needed.
Tips are offered throughout the game, as well as access to a glossary to better understand certain terms. Correct answers are displayed when incorrect answers are given. If a practice wanted to assess an employee’s performance on the game, it could have the employee take a screen shot of the last screen, which shows the final score, Rosas said.
The ONC’s effort is part of wider movement to adapt gaming into employee training.
A 2008 survey by the Entertainment Software Assn. found that 70% of large employers use interactive software and games to train employees. It found that 78% of those that did not use games for training at the time of the survey planned to start doing so within five years. Individual companies, such as UPS, have reported more employees successfully completing training when computer games are used.
“The interactive and immersive nature of video games makes them an effective learning tool for almost any subject,” said Richard Taylor, senior vice president of communications and industry affairs for the Entertainment Software Assn. They also have a way of increasing interest in “less-than-exciting subject matter,” he said.
Games are more cost-effective than most traditional learning tools “because they can reduce travel time and loss of productivity,” Taylor said. “Video games enable staff to participate in training programs from anywhere and at any time.”
One of the greatest advantages to gaming as a training tool, compared with other methods, is the contextual learning that takes place, said Andy Petroski, director of the Learning Technologies Master of Science program at Harrisburg (Pa.) University of Science and Technology. The games allow users to apply their knowledge and practice using it, as opposed to simple memorization of information.
Through gaming, medical professionals have the opportunity to make mistakes in a safe environment, without consequence, Petroski said.
Games that serve a teaching purpose are referred to as “serious games.” A few online directories of serious games can be searched based on industry, topic or desired skill, among other things. With the growth of the gaming industry in recent years, practices probably can find a game to help with almost every aspect of running a practice, including clinical and business skills or even patient communication skills. They also could find games geared toward each individual staff member, from the receptionist to the medical assistant to the physician.
Like the ONC’s privacy game, many serious games are available to download for free. Custom games can be developed for a few hundred dollars, Taylor said.
Experts warn, however, that computer games should not be the only method used for training. Rosas said the ONC’s game “is certainly not the entire training one needs for HIPAA privacy and security. But it is a very effective piece of that training, and it just needs to be wrapped up in the current training process.” The ONC has other training resources available on its website.
Petroski said games do not eliminate the need for a facilitator or instructor. “Some of that can still happen digitally or virtually, and maybe even be asynchronous. But definitely some collaboration and communication outside of the game, I think, helps with the learning experience as well.”
The ONC said this is the first of a series of games it plans to launch. One in development focuses on a specific aspect of security.