Last week ONC released another game-based security training module. “CyberSecure: Your Medical Practice” is aimed at providers and staff and focuses on disaster planning including data backup and recovery. I didn’t realize that October was National Cyber Security Awareness Month; most of my focus the last few weeks has been on educational pushes around breast cancer awareness and watching the budget fight unfold.
I played it through and as a CMIO it was pretty easy. In each round there are a number of actual questions and also several pop-ups that represent questions or comments made by patients. Several of them made me laugh:
· Wait! I know I had a coupon in here somewhere…
· Honey, don’t forget to tell the doctor about how your you-know-what went you-know where.
· These shoes are pretty heavy. Mind if I take them off and get weighed one more time?
· A virus? Are you sure you can’t give me some antibiotics?
· One second… I’m almost finished with the hardest level of this new racing game.
I’m not sure some of our office staff would receive as high a score as I would hope and it would provide some good review for front-line office staff as well as a humorous break from normal office activities. I didn’t remember playing the other game so I gave it a go as well. It’s focused on Contingency Planning and the questions were pretty entertaining. When you provide a wrong answer, you lose a key office resource such as an exam room. When you have multiple right answers you are rewarded – at the end of Round 1 I received a new vending machine for my break room.
Although there were too many questions where “all of the above” was the right answer, there were some funny possible answers on what to do in the event of a disaster:
· Send all the patients home, there is nothing you can do.
· Smile and hope that no one notices.
· Yell at the doctors for not agreeing to get a back up generator when you suggested it.
My favorite question though was the last one. “We never tested our EHR data backups. Now I can’t retrieve patient information that appears to be lost after an application upgrade. What do I do now?”
· Find out if anyone has backed-up the EHR on tapes or disc drives.
· Contact your EHR vendor to request assistance in rolling back the upgrade or recovering as much of the database as possible from backup media starting with the most recent media.
· Re-boot your server; this typically will resolve the problem and your EHR data will be recovered.
· Try to recover from a previous backup; the data should not have changed very much.
I intentionally answered wrong and was penalized by having a roof leak at my clinic. I guess as they say: when it rains it pours. The detailed answers and feedback that can be viewed at the end of each section has detailed citations from the HIPAA Security Rule including the pertinent Code of Federal Regulations documentation. I’d recommend the contingency planning module for office managers and other business leaders but I don’t think it would be that helpful for end users or front-line office staff.
Gamification can be an entertaining method of communicating information for mandatory review but I’m not sure the modules are interesting enough that I’d do them if it wasn’t required. I enjoy the humor that ONC interjected though and the appreciation of some of the things we encounter in daily practice. I’d like to see our in-house training teams adopt more of this approach. Unfortunately they’re too partial to non-interactive modalities. I was actually glad of the changes to HIPAA because it forced them to update the tired “gangster theme” video they had been showing for years. What do you think of game-based learning? Email me.
Email Dr. Jayne