Tuesday, June 8, 2021

Mandatory Training

Annual training and education is important.  However, I am going to make a full confession.  I have, at times, skimmed through our organization's annual training videos and fast forwarded as much as I am allowed before taking (and passing) the accompanying quiz.  Passing the quiz documents my understanding and fulfills whatever requirements have been imposed by whichever regulatory body.  I do wonder how much time and money are spent on (1) developing the training materials and (2) requiring completion of the training (usually while on the job) by all of the organization's employees.  

If you work in health care, you know exactly what I am talking about - think of the fire-safety acronyms "R-A-C-E" and "P-A-S-S" as just two examples.  Even if you don't work in health care, you probably know exactly what I am talking about - nearly every industry requires this kind of mandatory training.  The important question to ask is whether this kind of training is effective.  

Examined purely through a quality improvement and safety lens, education and re-training is one of the least effective interventions in terms of reliability (see here).  On the commonly used hierarchy of intervention effectiveness, the most reliable interventions are forcing functions, automation, and standardization, while the least reliable are education, training, and "pop-up" warnings or alerts.  In other words, annual training, as currently required and as currently delivered in almost all health care organizations (if not all organizations), is not very effective.

Periodic (annual or semi-annual) training is designed to promote habit formation.  In other words, if we take this training over and over, the knowledge and skills should become second nature.  The problem is that each repetition yields very little marginal gain in knowledge, skill, or even habit.  As individuals become accustomed to the training, they mistakenly believe that they have mastered the concepts and spend very little "cognitive time" thinking about it (as I alluded to in the first paragraph).

Is there a better way to conduct this kind of annual training and education?  Perhaps a study titled "Training to Mitigate Phishing Attacks Using Mindfulness Techniques," published in the Journal of Management Information Systems, will provide some insight (see also the review of this study in the Harvard Business Review).  Given the increasing number of cyber-attacks, particularly in the health care industry, a number of organizations have added cyber-security to their list of annual training requirements.  E-mail phishing attacks are on the rise and cost industry billions of dollars per year.  The investigators compared the traditional way of doing things (annual training using a rules-based approach) to an approach based on mindfulness.  

The traditional "rules-based" approach emphasized a specific set of rules (follow the rules to avoid phishing attacks):

1. Never click on a link or open an attachment in an e-mail from an unknown sender
2. Access a website by typing the web address yourself (rather than clicking on the link in the e-mail)
3. Do not reply to e-mails asking for private information
4. Real organizations such as banks or employers will never ask for private information in an e-mail
5. Be suspicious of a website that asks for private information
6. Look for cues such as HTTPS in the address bar or a lock icon in your browser to identify a fake website
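The first three rules describe checks a program can make on the message itself, and it is worth seeing what they look like when mechanized.  The Python script below is an added example, not code from this post or from the study: it parses a constructed phishing e-mail and a constructed legitimate one, and reports an unknown sender domain (rule 1), a link whose visible text names a different site than the one the link actually goes to (the situation rule 2 guards against), and a request for private information (rules 3 and 5).  The allow-list of sender domains, the phrase list, the two sample messages, and the two-label approximation of a registrable domain are all assumptions made for the example.  Rule 6 is deliberately not used as a trust signal: HTTPS and the padlock only show that the connection is encrypted, and a phishing site can have both.

```python
"""Rules-based phishing triage (added example, not from the post or the study)."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender domains the organization treats as known (assumption for this example).
KNOWN_SENDER_DOMAINS = {"example-hospital.org"}

# Phrases taken as a request for private information (assumption for this example).
PRIVATE_INFO_PHRASES = ("password", "social security", "account number", "verify your credentials")

# Constructed sample messages (not real e-mails).
SAMPLE_PHISH = """From: IT Support <it-support@secure-mailer.example>
To: staff@example-hospital.org
Subject: Action required: verify your credentials today
Content-Type: text/html

<html><body>
<p>Your mailbox will be suspended in 24 hours unless you verify your credentials.</p>
<p>Go to <a href="https://example-hospital.org.evil-login.net/verify">https://www.example-hospital.org/login</a> and enter your password.</p>
</body></html>
"""

SAMPLE_LEGIT = """From: Benefits Office <benefits@example-hospital.org>
To: staff@example-hospital.org
Subject: Open enrollment dates
Content-Type: text/html

<html><body><p>Open enrollment runs 1-15 November. Details: <a href="https://hr.example-hospital.org/enrollment">hr.example-hospital.org/enrollment</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Last two labels of a hostname, e.g. 'a.b.example.org' -> 'example.org'.
    Crude approximation (assumption); a real deployment would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def _host_of(text):
    """Hostname of a full URL or of a bare 'host/path' string shown as link text."""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def _looks_like_url(text):
    return "." in text and " " not in text


def triage(raw_message):
    """Return the list of rule violations found in a raw message with an HTML body."""
    msg = message_from_string(raw_message)
    findings = []

    # Rule 1: is the sender someone we know?
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"rule 1: sender domain {sender_domain!r} is not a known sender")

    # Rule 2: does each link go where its visible text says it goes?
    body = msg.get_payload()
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        actual = _registrable(urlparse(href).hostname or "")
        if _looks_like_url(text):
            shown = _registrable(_host_of(text))
            if shown != actual:
                findings.append(f"rule 2: link text shows {shown!r} but points at {actual!r}")

    # Rules 3 and 5: does the message ask for private information?
    lowered = body.lower()
    for phrase in PRIVATE_INFO_PHRASES:
        if phrase in lowered:
            findings.append(f"rule 3/5: message asks for private information ({phrase!r})")
            break
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or "no findings")
```

Note what the script cannot do: it has no way to judge whether a request "makes sense" or why the sender would need it, which is exactly the territory the mindfulness approach below asks the reader to cover.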

The "mindfulness" approach asked individuals to:

1. STOP - take a pause whenever you open an e-mail that contains an explicit request for action
2. THINK - ask yourself the following questions:
    a. Does the request ask for private or proprietary information?
    b. Is the request unexpected or rushed?
    c. Does the request make sense?
    d. Why would the sender need me to do this?
3. CHECK - if you suspect a phishing attack, contact the IT department before acting.

Seems fairly straightforward, right?  The investigators randomized more than 400 university faculty, students, and staff to one of the two training approaches or to a control group that received no training.  Ten days after the training, the research team launched a simulated phishing attack.  They found that 23% of the individuals in the control group took the bait and responded to the phishing e-mail, while only 13% of the individuals in the rules-based training group did so - in other words, some training is probably better than no training.  However, only 7% of those in the mindfulness training group responded to the phishing e-mail!  

These are pretty amazing results!  We know that simple education and training is the least reliable way to effect changes in behavior, and the modest gap between the control group and the rules-based group is consistent with that.  More importantly, the study points to a potentially more reliable and effective alternative, one based on mindfulness rather than on memorizing rules.  As organizations re-evaluate how they conduct their business, investing valuable time and resources in more effective and reliable methods of annual education and training may be a great place to start.  And, it may make at least this individual much happier if he doesn't have to go through the same kind of training year after year!
