The following is a guest article by John Trest, Chief Learning Officer at VIPRE Security
Phishing emails litter inboxes every day.
“Smishing” texts buzz on phones.
“Vishing” calls are slipping past filters.
These threats are real, relentless, and evolving rapidly, but many health system employees face them armed only with outdated training slides and occasional quizzes.
It is no surprise, then, that 91% of security managers lack confidence in the effectiveness of traditional security awareness programs. Research also shows that employees who have completed standard training often perform no better than untrained colleagues when confronted with real phishing attempts. The problem is not the workforce; it is the methodology.
Why Traditional Training Falls Short
Most programs offered today are designed for compliance, not capability. They check a box, and the checked box produces a certificate that satisfies an audit. Neither the certificate nor the knowledge behind it does much to prepare staff for the real, nuanced, multi-channel attacks seen in the wild today.
Attackers are evolving too: crafting AI-assisted spear-phishing messages, employing social engineering, and coordinating attacks across email, SMS, phone, and QR code channels. Forty-one percent of successful phishing attacks involve these multi-channel approaches.
Traditional training focuses on recognizing obvious cues, but knowledge alone cannot override instinct under pressure. Healthcare staff working in fast-paced, high-stakes environments need training that builds immediate, correct responses.
The Neuroscience of Learning Under Pressure
Decades of research in adult learning and cognitive psychology show that passive courses built on slides, videos, and lectures yield knowledge retention rates of only 10% to 20%. Gamification and other interactive elements can lift engagement and retention by nearly 50%, but experiential learning delivers the highest impact.
Simulation-based learning can raise retention to 75% or more. High-stakes professions have long applied this principle: pilots train in simulators, firefighters drill in real-world exercises with flame and broken glass, and surgeons rehearse procedures in controlled environments that mirror the operating room, where the outcome is life or death.
Cybersecurity challenges in healthcare are comparable to those in other sectors, but the consequences are potentially more severe: when threat actors compromise a hospital, they jeopardize patient well-being and lives.
Realistic, hands-on practice is the only way to train employees' instincts so that they respond safely and effectively when an attack occurs.
Simulation-Based Learning in Practice
Simulation-based training programs place staff directly into realistic, multi-channel attack scenarios. Participants must make an immediate decision (click, report, or ignore) and receive instant feedback on their choice. Reporting, not merely ignoring, is the response to reinforce: a report gives the security team a chance to block the campaign before a colleague clicks. The results offer behavioral insights and highlight the specific cues each learner missed. Through repeated cycles, staff build the necessary muscle memory, reinforcing correct responses and boosting their confidence under duress.
This approach lets department leaders measure participation, performance, risk patterns, and readiness by role. Insights from simulation exercises inform incident response planning, refine risk models, and help prioritize the technical interventions with the most impact.
Integrating Training Into Healthcare Workflows
Effective programs must fit the realities of clinical and administrative workflows. Short, varied sessions can be repeated without disrupting operations, and scenarios should reflect the attacks employees are most likely to encounter. Metrics should track both behavioral improvement and confidence in responding to threats, giving security teams actionable data.
Simulation also supports a mature security culture. Employees begin to see vigilance as part of their role rather than a compliance checkbox, and they take ownership of it rather than treating it as a corporate obligation. Training outcomes feed security operations, linking human readiness with technical defenses to strengthen organizational resilience.
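The measurements described above (participation, performance and risk patterns by role, improvement between rounds, and the repeat-clicker cohort that needs coaching rather than another module) are easy to state and easy to get wrong, so here is a worked example. This is an added illustration, not VIPRE's product code or the author's own; the record schema (user, role, channel, round, outcome, seconds_to_report) and the sample export are constructed assumptions about what a simulation platform would hand a security team.

```python
"""Per-role and per-channel metrics for a multi-channel phishing simulation.

Added example, not VIPRE's or the author's code. The SimResult schema and
the SAMPLE export below are constructed assumptions about what a
simulation platform would export for analysis.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

CLICK, REPORT, IGNORE = "clicked", "reported", "ignored"


@dataclass(frozen=True)
class SimResult:
    user: str
    role: str
    channel: str                              # email | sms | voice | qr
    round: int                                # campaign round; 1 = first exposure
    outcome: str                              # clicked | reported | ignored
    seconds_to_report: Optional[int] = None   # set only when outcome == reported


# Constructed sample export: two rounds, two roles, four delivery channels.
SAMPLE = [
    SimResult("n1", "nurse", "email", 1, CLICK),
    SimResult("n2", "nurse", "sms", 1, REPORT, 300),
    SimResult("n3", "nurse", "voice", 1, IGNORE),
    SimResult("n4", "nurse", "qr", 1, CLICK),
    SimResult("n1", "nurse", "sms", 2, CLICK),
    SimResult("n2", "nurse", "email", 2, REPORT, 120),
    SimResult("n3", "nurse", "qr", 2, REPORT, 600),
    SimResult("n4", "nurse", "voice", 2, IGNORE),
    SimResult("b1", "billing", "email", 1, REPORT, 60),
    SimResult("b2", "billing", "sms", 1, CLICK),
    SimResult("b1", "billing", "qr", 2, REPORT, 45),
    SimResult("b2", "billing", "voice", 2, REPORT, 900),
]


def role_metrics(records):
    """Click rate, report rate and median time-to-report per role.

    Report rate is tracked separately from click rate because a low click
    rate with a low report rate means staff ignore lures, not that they
    defend against them; reports are what let SecOps contain a campaign.
    """
    by_role = defaultdict(list)
    for r in records:
        by_role[r.role].append(r)
    out = {}
    for role, rs in by_role.items():
        n = len(rs)
        report_times = [r.seconds_to_report for r in rs if r.outcome == REPORT]
        out[role] = {
            "participants": len({r.user for r in rs}),
            "exposures": n,
            "click_rate": sum(r.outcome == CLICK for r in rs) / n,
            "report_rate": len(report_times) / n,
            "median_report_seconds": median(report_times) if report_times else None,
        }
    return out


def click_rate_by_channel(records):
    """Risk pattern across delivery channels (which lure type lands)."""
    seen, clicked = defaultdict(int), defaultdict(int)
    for r in records:
        seen[r.channel] += 1
        clicked[r.channel] += r.outcome == CLICK
    return {ch: clicked[ch] / seen[ch] for ch in seen}


def improvement_by_role(records):
    """Drop in click rate from the first to the latest round, per role.

    Positive values mean fewer clicks in the later round.
    """
    per = defaultdict(lambda: defaultdict(list))
    for r in records:
        per[r.role][r.round].append(r.outcome == CLICK)

    def rate(flags):
        return sum(flags) / len(flags)

    return {role: rate(rounds[min(rounds)]) - rate(rounds[max(rounds)])
            for role, rounds in per.items()}


def repeat_clickers(records, min_rounds=2):
    """Users who clicked in at least min_rounds distinct rounds: the cohort
    to route to targeted coaching rather than another generic module."""
    rounds_clicked = defaultdict(set)
    for r in records:
        if r.outcome == CLICK:
            rounds_clicked[r.user].add(r.round)
    return sorted(u for u, rds in rounds_clicked.items() if len(rds) >= min_rounds)


if __name__ == "__main__":
    for role, m in role_metrics(SAMPLE).items():
        print(role, m)
    print("click rate by channel:", click_rate_by_channel(SAMPLE))
    print("improvement by role:", improvement_by_role(SAMPLE))
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

On the constructed sample, nurses click on 37.5% of lures and report 37.5%, billing staff report 75%, SMS lures land most often, both roles click less in round two, and one nurse has clicked in both rounds. The point of computing report rate and repeat-clicker status alongside click rate is that these are the numbers that feed incident response planning and decide where a technical control (for example, stricter SMS or QR handling) would do more than more training.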
The Path Forward
Cyber threats evolve constantly. Threat actors have embraced AI, automation, and multi-channel delivery, and compliance-driven training alone cannot keep pace. Healthcare organizations must adopt experiential, simulation-based learning that builds instincts, judgment, and situational awareness.
Simulations provide the space to practice, contextual feedback to learn from, and real-world grounding to stay relevant.
For CISOs, IT training directors, and security consultants, the question is no longer whether to train employees, but how. Moving from passive modules to hands-on simulations is not optional; it is essential to protecting patient data, maintaining operational continuity, and fostering the culture of security that healthcare needs.