Screenshot of "Cybersecure: Your medical practice" game by the HHS Office of the National Coordinator for Health Information Technology to teach HIPAA compliance.

Can a computer game help practices keep data secure?

A practical look at information technology issues and usage

By — Posted Oct. 1, 2012.

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Losing an exam room is not a real-life consequence of a data breach or a violation of the Health Insurance Portability and Accountability Act. But the Health and Human Services Dept. Office of the National Coordinator for Health Information Technology hopes that losing it in a fictitious scenario created as part of a game could be an effective way of teaching health care employees the causes and effects of their bad decisions.

The ONC acknowledges that creating a culture of data privacy and security is something a lot of small practices are failing to do because of budget and manpower constraints. So it has developed a free, Web-based game aimed at helping practices understand HIPAA and learn to implement data security policies and safeguards.

“What we really wanted to address was the experiences and dilemmas that staff were having in practices that are adopting electronic health records and other types of health information technology,” said Laura Rosas, MPH, privacy and security professional for the ONC’s Office of the Chief Privacy Officer who was involved with the development and launch of the game.

Rosas said implementing effective training has been a challenge for many small practices that do not have the time or resources to implement other types of training materials. Although few people would probably enjoy reading numerous manuals on HIPAA compliance, a 30-minute game could teach employees best practices to keep a password secure; strategies to protect patient data; how to control access to patient information; how to secure and encrypt mobile devices; and how to use software to block viruses, among other things. Results of the game could help practice administrators identify areas that need reviewing.

The game, “Cybersecure: Your Medical Practice,” has a look similar to that of the popular virtual reality game series “The Sims.” It takes players through scenarios dealing with HIPAA privacy and security rules. Employees, who play the game as an avatar physician practice worker, are asked questions based on each scenario. They can add or lose exam rooms, office equipment and points based on right and wrong answers.

The game has three levels. At the end of each one, players are given feedback on their answers, which explains why each answer was right or wrong. A player cannot advance to the next level without achieving a certain score in the previous level, but the level can be repeated as often as needed.

Tips are offered throughout the game, as well as access to a glossary to better understand certain terms. Correct answers are displayed when incorrect answers are given. If a practice wanted to assess an employee’s performance on the game, it could have the employee take a screen shot of the last screen, which shows the final score, Rosas said.

The ONC’s effort is part of wider movement to adapt gaming into employee training.

A 2008 survey by the Entertainment Software Assn. found that 70% of large employers use interactive software and games to train employees. It found that 78% of those that did not use games for training at the time of the survey planned to start doing so within five years. Individual companies, such as UPS, have reported more employees successfully completing training when computer games are used.

“The interactive and immersive nature of video games makes them an effective learning tool for almost any subject,” said Richard Taylor, senior vice president of communications and industry affairs for the Entertainment Software Assn. They also have a way of increasing interest in “less-than-exciting subject matter,” he said.

Games are more cost-effective than most traditional learning tools “because they can reduce travel time and loss of productivity,” Taylor said. “Video games enable staff to participate in training programs from anywhere and at any time.”

One of the greatest advantages to gaming as a training tool, compared with other methods, is the contextual learning that takes place, said Andy Petroski, director of the Learning Technologies Master of Science program at Harrisburg (Pa.) University of Science and Technology. The games allow users to apply their knowledge and practice using it, as opposed to simple memorization of information.

Through gaming, medical professionals have the opportunity to make mistakes in a safe environment, without consequence, Petroski said.

Games that serve a teaching purpose are referred to as “serious games.” A few online directories of serious games can be searched based on industry, topic or desired skill, among other things. With the growth of the gaming industry in recent years, practices probably can find a game to help with almost every aspect of running a practice, including clinical and business skills or even patient communication skills. They also could find games geared toward each individual staff member, from the receptionist to the medical assistant to the physician.

Like the ONC’s privacy game, many serious games are available to download for free. Custom games can be developed for a few hundred dollars, Taylor said.

Experts warn, however, that computer games should not be the only method used for training. Rosas said the ONC’s game “is certainly not the entire training one needs for HIPAA privacy and security. But it is a very effective piece of that training, and it just needs to be wrapped up in the current training process.” The ONC has other training resources available on its website.

Petroski said games do not eliminate the need for a facilitator or instructor. “Some of that can still happen digitally or virtually, and maybe even be asynchronous. But definitely some collaboration and communication outside of the game, I think, helps with the learning experience as well.”

The ONC said this is the first of a series of games it plans to launch. One in development focuses on a specific aspect of security.

Back to top

External links

Cybersecure: Your Medical Practice (link)

Serious Games Directory (link)

My Procedure, University of Minnesota (link)

Games for Change (link)

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story