emPower eLearning: September 2011

Wednesday, September 28, 2011

Gamification: Using Game Mechanics To Enhance ELearning

Maybe you've heard of the term "gamification," and perhaps you're wondering what it is and how it can be applied to eLearning. In short, gamification is the use of gameplay mechanics for non-game applications. Almost as important as a definition of what it is, is a definition of what it's not. Gamification is not the inclusion of stand-alone games in eLearning (or whatever gamification is being applied to). It also has very little to do with art styles, themes, or the application of narrative. Rather, game mechanics are the construct of rules that encourage users to explore and learn the properties of their possibility space through the use of feedback mechanisms. With gamification, these "possibility spaces" have been expanded beyond just games into other areas like marketing, education, the workplace, social media, philanthropy, and the Web, just to name a few. As a game designer now making eLearning software, I've found that much of what is used to build engagement in games can also be applied to other interactive material such as eLearning.

In the 15 years I've been making video games, a frequently discussed topic in the game industry has been ways to engage users, a theme that I've found is enthusiastically discussed in the eLearning space. Since the primary reason to apply gamification to eLearning is to engage learners, the focus of this article is on describing gameplay mechanics that have been proven to be engaging.

What is Engagement?

First though, let's talk about engagement in a general sense. For our purposes, I am defining engagement as simply "occupying the attention or efforts of a person." This seems pretty straightforward, but I think a more pertinent question is, when does engagement occur? I first heard this specific question addressed in Tom Chatfield's TED talk on "7 Ways Games Reward the Brain," where he states that engagement occurs when the brain is rewarded, and that for something to be perceived as rewarding, it must evoke positive emotions in a person. Essentially, there are two components to the perception of something being rewarding: wanting and liking. Without both wanting and liking, people won't find something rewarding. For instance, if somebody wants a job, but doesn't like it, they won't find it rewarding. Conversely, when somebody gets to a point where they are willing to admit that their addictive behaviors are problematic, they are at a point where they like the effect of the addictive substance or behavior, but they no longer want it. An addict will always like whatever they are addicted to, but when they can acknowledge it as an addiction, they will often struggle with wanting it, and therefore, no longer find the addictive substance or behavior to be rewarding. Dr. Kent Berridge, a University of Michigan neuroscientist, has studied this concept of wanting and liking being necessary components of a rewarding perception. In fact, he has found that wanting and liking occur in two separate parts of the brain, and he is looking for ways to utilize this in the treatment of addictions. So, for the purposes of developing engaging eLearning, we need to look at how we are rewarding our learners' brains by giving them compelling reasons to want the material, and to work on developing systems that they will like.

If we are going to focus on developing software that our users want and like, it's essential that we know and understand our audience, not just the subject matter. I would suggest that you research the brands, hobbies, and media (television, films, games, websites, etc.) that your target audience enjoys. This should give you a better idea of the aesthetics and interactions that your learners like and want. In addition, if you are designing material that is branded, make sure that you don't stray from the brand's identity and that you also become familiar with the brand's target audience if it's different than the demographic of the end user. These brands have spent a lot of time and money tailoring an image, and you should respect it.

Let's get to some specific game mechanics that can help to make your eLearning more engaging.

Setting Goals and Objectives

This topic covers the overall structure of an interactive product, rather than individual achievements that learners can earn (rewards are discussed later in this article). Games are generally structured so that players have various "layers" of goals. That is, they have the long-term goal of completing the game, the medium-term goal of completing the levels in the game, and the short-term goal of completing the missions in the levels. (Sometimes these missions are even broken up further into additional tasks.) Generally, the requirements of each goal "layer" in a game get increasingly harder as you move from short-term to long-term goals. That is, the final challenge in a game (sometimes called the "boss battles") will always be harder than the short-term missions. This allows players in games to learn and practice skills, prior to having to demonstrate mastery of those skills in the most challenging parts of the game.

Similarly, when designing eLearning material to minimize cognitive fatigue, instructional designers should break up their products into short-term, medium-term, and long-term goals. For instance, before completing a course learners must complete several modules. To complete a module, several topics must be completed. In order to complete a topic, several objectives must be finished. And finally, each objective requires several goals to be completed. Structuring your eLearning this way allows users to learn new skills incrementally, and then practice those skills before demonstrating mastery of those skills in assessment exercises. This increases the likelihood that learners will remain in the "flow" state Mihaly Csikszentmihalyi describes in his book Flow: The Psychology of Optimal Experience.

If your eLearning material is set up for your users to navigate through it linearly, you could visualize your goal structure this way (see Figure 1):

Figure 1: Linear Flow of Goals. (Adapted from an illustration by Sebastian Deterding)

With the exception of casual games, most modern games follow a nonlinear progression. Casual games, such as Angry Birds or Plants vs. Zombies (PvZ), are typically distinguished by simple rules and a lack of required commitment. Nonlinear progression gives the player choices in how they proceed through the game. In many cases, these games are set up in what's called a "hub" system. The reason for this name is that, if you imagine a wagon wheel, the center, or hub (sometimes referred to as the overworld, a carryover from "dungeon crawlers" like Diablo where players emerged from underground to access other dungeons), represents the area where all other areas are accessed. The spokes of the wagon wheel represent the connections to all other areas. In some cases, the areas represented on the rim of the wheel can be used to access other adjacent areas. In some games, if players progress from area to area around the "rim" of the wheel, rather than returning to the "hub" between areas, the experience can actually feel rather linear. You could visualize this type of nonlinear structure this way (see Figure 2):

Figure 2: Nonlinear Goal Progression

In the preceding illustration (Figure 2), any of the solid lines could be eliminated, as long as there is some other line connecting to a point.

Giving your learner choices by designing nonlinear eLearning can help engage your user. However, you'll need to be aware that designing software that allows for this type of flexibility drastically adds to the complexity of the development.

I mentioned "flow" state earlier. Below is the diagram commonly used to illustrate this (see Figure 3):

Figure 3: Flow Channel

Essentially, as the challenge of an experience rises, the skill of the participant must also grow in direct proportion. If a user's skill exceeds the challenge of the experience, they will become bored. And, if the challenge exceeds the participant's skill, they will suffer anxiety. In the graph, an optimal user experience is illustrated in the "Flow Channel" as the squiggly line. This line demonstrates the experience described above where a user is challenged to a high degree with new experiences, and then given an opportunity to demonstrate and master the skill of that experience, before being given a completely new challenge to conquer.

In games, the flow channel of the game challenges could be illustrated this way (see Figure 4):

Figure 4: Flow Channel for Games

Generally in games, players are given goals and objectives that get increasingly more difficult as they approach a boss battle (analogous to a test), which occurs at the end of levels (similar to modules or sections in eLearning). The challenge of the boss battle is almost always higher than any of the challenges presented prior to it. After a boss battle, the challenge of the goals and objectives that the player is given doesn't ramp up; rather, the player is given the opportunity to master their skills before the challenge ramps up again prior to the next boss battle. This keeps the player in the flow channel, thus engaging them in the experience.

With eLearning, the structure of challenges needs to be different than in games.

Figure 5: Flow Channel for eLearning

With learning, the challenge is ramped up immediately after an assessment with the introduction of new material. The learner is presented with new material, which gets increasingly more complex. They are then given a chance to master those new challenges as their skills increase, and after that they are given an assessment that demonstrates the knowledge of that material.

Provide Frequent Feedback

Have you ever used an interactive product, be it eLearning, a game, or a website, and felt lost or confused? It happens to everybody, and it's really frustrating. Maybe you are asked to recall some information that you swear you were never told (or, that you were previously told and you've just forgotten), and you don't even know where to look to find it. Perhaps you didn't know how to progress; you don't know what to do, where to go, or you simply can't find a UI item like a button. Or, maybe you find out that there's an assumption that you need some prerequisite knowledge or experience to even understand the basic principles of what you're doing, and you had no idea you needed this, and you have no idea where to get that knowledge or experience.

As a designer, your job is to make your users feel smart or clever, especially if what you're designing is a learning exercise. If a learner feels lost or confused, you're essentially telling them that they're stupid, and you're not doing your job as a designer.

With navigation, users should know exactly what they need to do next, or what options they have available to them at any given moment in an eLearning product. When you're looking at the screen at any point in your product, take a moment to ask yourself, "If my learner walked away from their computer for several hours, would they know what to do when they returned?" If you look at your eLearning navigation in this light, it's a little easier to find systems that keep your user informed of what to do.

To support information transference, provide links back to essential information previously referenced in your learning or links to supplemental material that is prerequisite knowledge for the current learning. During assessments, explain why answers are correct or incorrect, or provide links to where the appropriate information can be found. Never just say, "That's wrong. Try again."

Measure Progress

An important part of providing feedback to users in games or eLearning is to let them know how much progress they've made. There are many ways to represent this, but the most effective are always represented graphically. Use progress bars instead of percentages or fractions, and feel free to get creative with the visual representation of the bar. For instance, you could use an outline of a head, and as you complete the eLearning exercises, the outline fills in with a graphic of a brain.

It's also important to measure progress at multiple levels. If your eLearning course consists of several modules, and within each module there are several topics, show progress at each of these levels. This can even be done in the same progress bar. For instance, if your course has five modules, you could initially show five star outlines to represent incomplete modules. As the learner completes the topics in each module, the star representing the current module would begin to fill up to a solid color. That way, you're showing progress within the module with each star, and total progress in the course with each filled star.

Something to note on progress bars: you don't necessarily need to display them continuously. In fact, if you show them only when progress is made (when the progress bar changes), the learner's advancement through your eLearning can feel more like a reward (especially if it's displayed with some fanfare), and ultimately the progress bar is more effective. However, if you do this, users should be able to access the progress bar somewhere at any time (perhaps in a top-level or pause menu).

Character Upgrades

One of the most effective ways to show progress in games is through character upgrades. Look at the characters below (see Figure 6), and it's pretty easy to see the general progress that a player would make with these characters.

Figure 6: Character Upgrades (Image courtesy of Mike Henry of Big Menace Industries.)

For now, this isn't as easy to replicate in eLearning, though I'm hoping someday we'll have better tools to take advantage of this powerful measure of progress. I like to use virtual coaches in eLearning. So, I'd love to have a system that allows learners to earn new virtual coach characters, outfits, and accessories after completing sections or modules, and that also gives them the option to choose the virtual coach that is used in their eLearning along with the option to dress that coach. This character upgrade scenario sets up the basis for a system where users are given virtual goods and characters that they want, and they get to change them in the way they like, which, as stated at the beginning of this article, are the main components of rewards that engage learners. I believe this system would tap into our natural instinct to collect stuff, and would be an effective motivator to engage learners.

Reward Effort (not just success)

Earlier I suggested highlighting progress bars whenever the learner advances through your eLearning—this is a type of reward. Even though it takes no extraordinary effort on the part of the user to make progress, people generally want to be acknowledged for their work. And if it's presented in a way which is interesting, your learners will feel rewarded, and thus, engaged. One hundred small rewards are better than one big one.

However, you should try to scale the reward in proportion to the effort, or risk, that it takes to get the reward. For instance, if you used an animated fireworks graphic to congratulate a learner for a perfect score on a test, you wouldn't want to use that same graphic to recognize that they entered their name into a text field. You may have noticed I also mentioned risk. If appropriate, allow your learners to take some risks, and reward them if they're willing to do so. For instance, if you provide some supplementary material, give your learner a special reward if they take the time to go through it.

Reward Schedules

When thinking about when and where to recognize your learner with rewards, use reward schedules to make sure you're giving them out consistently, and throughout your course. A reward schedule is the timeframe and delivery mechanism through which rewards (pop-ups, points, prizes, level-ups, etc.) are delivered. There are three main components in a reward schedule:
  • Prerequisite: what needs to occur to receive the reward
  • Response: the presentation of the reward
  • Reinforcer: the appropriate reward for the prerequisite (these are either momentary or persistent)

Within any game or eLearning course, multiple types of reward schedules can be utilized either throughout the product, or in limited parts. There are two primary types of reward schedules, Interval and Ratio.

Interval Reward Schedules. Rewards are given based on time. There are two types of interval reward schedules.
  • Fixed: Rewards are given at a fixed amount of time. Generally, this type results in a low level of engagement immediately after the reward that increases as the next reward approaches (e.g. the sunflowers produce sun pick-ups every 24 seconds in PvZ).
  • Variable: Rewards are given at different times; however, these times are roughly in the same time period (e.g. the marigolds in PvZ produce a coin, either gold or silver, on average every 24 seconds, at variable time periods).

Ratio Reward Schedules. Rewards are given after a number of actions are completed. There are also two types of ratio reward schedules.
  • Fixed: Given after a set number of actions, including after every action (e.g. in PvZ every fifth level is a bonus level that unlocks a mini-game upon completion).
  • Variable: Given randomly, after roughly the same number of actions (e.g. in PvZ there's a slot machine that gives one of nine reward types each time it's used. For any individual reward, there is a random chance that you will get it on each use. However, each type of reward is weighted so it is given either commonly, uncommonly, or rarely).

As mentioned earlier, there are two general types of rewards: momentary and persistent. Momentary rewards are given immediately upon completing the prerequisite of the reward, and are not tracked. These can be as simple as popping up a "Great Job!" message, or could be as complex as elaborate animations or special effects. Persistent rewards are tracked over the entire product, or even over many products (i.e. courses or games). These rewards can be as simple as points, or can be more elaborate such as unlockable content, or collectible items. Currently, there is a trend to use collectible badges or achievements as a persistent reward. With persistent rewards, you can choose beforehand to show that these rewards are available to unlock, or you can choose to not show them ahead of time. Likewise, if you decide to show which persistent rewards are available to earn, you can either show what is required to unlock the reward, or you can merely let the user learn that there is a reward to earn, but not specify what it takes to get it.

Peer Motivation

From the dawn of mankind, perhaps the most effective motivator known to us is the approval of our fellows. I believe the overwhelming success and influence of social media in our modern-day society speaks volumes of the power that other people's opinions have on our lives, especially when these people are those we respect. Certainly, those that have reaped the success of social media games understand the power of peer motivation. People naturally feel a sense of obligation to their friends and colleagues; if you spend any time on Facebook, you have surely received a Farmville request. And, the makers of social media games have based their entire business on this powerful motivating force.

There are many ways that you could use your learner's peers to motivate your users. Try setting up a closed or private Facebook group and start a community between users of your product. If you'd prefer not to use Facebook, and all of your users have a common email extension, set up a Yammer group. Get your users talking to one another, and give them a common goal or reward; especially if that reward is predicated on group participation, you'll find that your learners will participate.

I mentioned earlier the trend to use achievements and badges. If you decide to use these persistent rewards, I'd suggest you allow your learner's peers to see when they collect these rewards. These types of extrinsic rewards are much more effective if people can use them for bragging rights, rather than just having some extra trophy graphic that nobody else will see.

Other Suggestions

The following are additional suggestions to improve your eLearning that I've drawn from my experience as a game designer, though they aren't specifically game mechanics.

Have a Hook. Something that we talk a lot about in the game industry when talking about game concepts is "the hook." That is, the most compelling and unique aspect of your game that can be summed up in less than a paragraph (in most instances, a single sentence). In the game industry, developing the hook is often the very first thing that a designer does in conceiving a game. What's important about this, and how it relates to eLearning, is that you should know what will make your eLearning engaging, before you ever begin production of it, or for that matter, before you even design it. Spend some time putting together an "elevator pitch." That is, a short statement or summary of your eLearning material that outlines all of the high-level features of it, and specifically, what will make it engaging.

Improve Your Presentation. At times, I'm shocked by how some in the eLearning industry think that presentation and art are so unimportant. There are many sources of good creative-commons and royalty-free artwork. However, hiring somebody to produce good quality custom art doesn't need to cost a lot, and the results are often much better. You can hire an agency, but you will pay a lot of overhead. So, I'd suggest working directly with an artist. Most digital artists have a page on deviantart.com where you can register for a free account and find an artist that matches a style your target audience will like. Generally, it's fine to contact these artists through their page and ask them if they are available to do some work. Another good source of cheap artwork is the university art and design programs.

When contracting with an artist, make sure you ask to see a portfolio. You need to make sure that the artist is capable of creating art in the same style that your target audience will like. Each artist has their own style, and it is rare to find an artist that can work well in multiple styles. So, don't assume that just because they've created some great artwork in one style, that they'll be able to create custom work with an entirely different look. Also, if you do hire an artist, you should ask to sign-off on their work incrementally. You should be checking their work early and often, so you can make changes early. Once an artist gets to the late stages of their work, it's difficult or impossible to make changes.

Paper Test. Very often in designing games, developers will mock up entire sections of the game on paper. There are many ways that we put pencil to paper to test our games: drawing out maps, checking line of sight with rulers, testing enemy placement and movement, or using dice as random number generators to calculate possible damage scenarios. These are just a few examples of how we test game systems on paper, but one of the most common, and most directly applicable to eLearning design, is paper testing interface design.

When you sit down to design the interface for your eLearning material, sketch out several different design layouts. Take those UI sketches to people in your target audience, and talk them through your eLearning product, asking them to touch your screen mock-ups anytime that you'd require user input. When you do this, pay attention to how long it takes them to make the correct input, and watch their eyes to see where they look first on your screen mockups.

Test Early and Often. Whether you decide to begin your design on paper, or directly on the computer, always test your eLearning as early as possible. Don't make assumptions about how your target audience will use your product; get it in front of them, watch them use it (with no guidance from you), and have them document the experience. Some of the most effective testing I've seen involves putting a member of the target audience in a room alone with a webcam aimed at the tester's face, and another aimed at the keyboard and mouse, accompanied by a screen capture of all input. This gives you a true perspective on how your users interact with your product, and it captures their emotional state as they use it so you can tell whether they actually like it (as opposed to just telling you if they like it). Plus, it takes away the temptation to guide them through frustrating parts.

Another important part of testing is that when you fix a problem, it's really important that you retest it to see if you've actually fixed the problem, and also whether you've introduced new problems. As obvious as this seems, it's incredible how often we'll let something slide under the assumption that the problem has already been addressed.


Hopefully you've found some of these suggestions useful. There are many other ways that game mechanics can be used to enhance eLearning, though I think the suggestions in this article are the most important, and are general enough that they can benefit most eLearning material.

About the Author

Since 2008, Rick Raymer has been designing and managing the production of eLearning software, games, and simulations for the North Carolina Community College System's BioNetwork organization. BioNetwork provides workforce training and education to the biotechnology, pharmaceutical and life science industries. Raymer has designed videogames professionally since 1996; and has produced more than 40 games with titles on every major gaming platform including consoles, PCs, handheld devices, and mobile phones. Before entering the game industry, he created computer animations for engineering, marketing, and training purposes. Raymer has a degree in Industrial Design.

Wednesday, September 21, 2011

HIPAA vs The Cloud

HIPAA Compliance: The objective behind it

Maintaining the confidentiality of every person's health record is critical, and this is what HIPAA security compliance ensures: it aims to protect an individual's information that is obtained, created, used and maintained electronically at a specific healthcare unit or hospital. Under this rule, the healthcare unit is responsible for taking every measure to keep this information confidential, secure, reliable and free from any electronic interference. But healthcare units usually find it tough to meet the expectations of this security rule, and abiding by its directives requires a more technical approach.

Healthcare unit’s responsibility in ensuring HIPAA security compliance

Under HIPAA security compliance, each of the three aspects, namely administrative, technical and physical, has to be met through implementation specifications, which set out the modus operandi for meeting them. A healthcare unit or hospital may implement a security measure to achieve this objective, execute the given implementation specifications, or put neither of the two into practice. But as part of HIPAA compliance, the body has to document whichever choice it makes, and this document should also include the basis of the evaluation on which the decision was reached. The outcome of all this is a visible challenge for IT professionals working in the health sector.

Shouldering HIPAA compliance responsibility with cloud computing vendor

Unsurprisingly, the emergence of cloud computing looked like it would ease the situation, but it calls for caution, given that an outside agency, the cloud provider, is involved besides the healthcare unit. Because of this vendor-client partnership, the ultimate responsibility for HIPAA compliance, which rests with the healthcare unit, is pooled with the vendor, since implementation is carried out at the vendor's end. Thus, there is much room for sensitive information to leak at the remote location where the cloud model has been set up. In this situation, the healthcare unit will have to adhere to all the security aspects and implementation specifications discussed above in order to satisfy the HIPAA security rule. In the process, the healthcare unit will have to extend its oversight and control to the cloud computing associate's location in terms of integrity, encryption, data transfer and management, etc., which it earlier left up to the business associate due to contractual limitations or budget constraints.

Documentation of roles

The healthcare unit thus has an opportunity to allot an equal share of responsibility to its cloud computing business associate and keep it under scrutiny, so that HIPAA compliance is not just the healthcare unit's liability but is as much the vendor's accountability. The documented modus operandi of the healthcare unit can include the extent to which it has involved the vendor, and the unit can also ask the vendor to document its procedures and practices for following the technical requirements and HIPAA compliance as a whole.

While cloud computing can be the technical answer for healthcare IT professionals to successfully satisfy HIPAA security compliance, healthcare organisations can ensure strict adherence to HIPAA rules by shouldering equal responsibility with their cloud computing business associates.

About emPower eLearning

emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Its mission is to provide innovative security solutions to enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, Joint Commission and Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) allows students to retrieve all the courses 24/7/365 by accessing the portal. The emPower e-learning training program is an interactive mode of learning that guides students to progress at their own pace.

For additional information, please visit http://www.empowerbpo.com.

Tuesday, September 20, 2011

SeaWorld trainers' safety questioned by OSHA during hearing

A weeklong hearing that could determine the future of SeaWorld Parks & Entertainment's world-famous killer-whale shows opened Monday with lawyers for the federal government arguing that the company's animal trainers cannot work safely while in close contact with the world's largest ocean predator.

"Killer whales are large, powerful and non-domesticated animals. They have the potential to cause serious physical harm or death to people who get near them," John Black, a U.S. Department of Labor attorney, said during opening arguments in the case, which pits SeaWorld against the department's Occupational Safety and Health Administration.

"SeaWorld's killer-whale training program doesn't change the essential facts that harm or death to people is possible," Black said. "Their program doesn't eliminate what SeaWorld itself recognizes as a calculated risk."

SeaWorld countered that the tragedy that triggered the case — the Feb. 24, 2010, death of SeaWorld Orlando trainer Dawn Brancheau, who was pulled underwater and killed by a six-ton killer whale named Tilikum — was an isolated tragedy. SeaWorld said Tilikum, who was involved in two human deaths before Brancheau's, had never before given any indication that he would attempt to pull someone into his tank.

SeaWorld lawyers argued that prohibiting trainers from ever again swimming with killer whales would undermine the company's ability to care for the animals. A top company official even testified that a whale that died last fall of an illness might have been saved if trainers had been working in the water with the animal, as they had done for many years before.

Brancheau's death "was a truly unfortunate event. It was a life-changing event to many people. It affected SeaWorld deeply," said Carla Gunnin, a lawyer representing SeaWorld. "But I think the bigger issue is the efforts that SeaWorld had made prior to that time to ensure trainer safety."

At issue is a citation issued by OSHA Compliance after a six-month investigation into Brancheau's death. In it, the agency accuses SeaWorld of committing a willful safety violation for not adequately protecting its killer-whale trainers. More significantly, the agency recommends trainers never again have close contact with the animals without a physical barrier or an equivalent level of protection — something that could effectively make it impossible for trainers to return to what SeaWorld calls "water work."

SeaWorld is challenging OSHA's findings before an administrative-law judge. The hearing in Sanford is expected to last all week.

Only one witness was called Monday: Kelly Flaherty Clark, curator of animal training at SeaWorld Orlando. A veteran manager in charge of all animal-training operations at the Central Florida marine park, Flaherty spent more than four hours under questioning, including direct queries from Judge Ken S. Welsch, who is overseeing the proceedings.

Much of the day's back-and-forth centered on how SeaWorld's killer-whale trainers themselves are trained. Trainers are taught to recognize aberrant behavior, or "precursors," from the whales that might indicate a potentially dangerous situation is coming — and they are expected to react accordingly.

OSHA, which noted that trainers are required to sign a quasi-waiver recognizing the inherent risk of working with killer whales, called it a woefully thin line of defense.

"SeaWorld trains its trainers how to recognize and how to avoid potential risk. And then, in effect, it tells them, 'Be careful,'" Black said.

Black argued that the approach leaves "gaps" through which trainers are exposed to danger. They might, for instance, fail to observe a negative precursor or they might make a mistake while reacting to it in real time. The agency also argued that trainers could be hurt without any warning at all.

"Harm could happen even if the trainer doesn't make a behavioral judgment error, right?" Black asked Flaherty Clark at one point.

"Yes," Flaherty Clark responded.

But SeaWorld said its training protocols were far more sophisticated than implied by OSHA. Flaherty Clark said all killer-whale trainers undergo 18 months to two years of training before they come into close contact with a whale, which she defined as within five feet. They also train at least three years before they directly interact with the animals.

The company noted that multiple trainers are involved in every interaction — including a "control trainer" working directly with the animal and a "spotter trainer" observing the entire interaction and acting as a second set of eyes for negative precursors. It said the whales themselves also undergo training to encourage desirable and safe behaviors, which it said goes "hand-in-hand" with the instructions given to the trainers.

The company didn't dispute that there are risks inherent to a killer-whale trainer's job. But it said mistakes are rare.

"The frequency of a trainer making a bad call or missing a behavioral cue is minimal," Flaherty Clark said. "In 25 years, I've reviewed one behavioral incident that did not show something that I would have done differently, that there weren't behavioral cues."

That one incident, Flaherty Clark said, was Brancheau's death.

Tilikum had been involved in two other human deaths before Brancheau was killed: the 1991 killing of a trainer at a British Columbia facility, and the 1999 killing of a man who sneaked into SeaWorld Orlando's killer-whale enclosure after hours. As a result, the company had developed a separate set of protocols for working with the animal, which included prohibiting anyone from getting in the water with him.

But trainers were allowed to work with Tilikum from shallow underwater ledges built into the sides of the park's pools — as Brancheau was doing when she was pulled into the water.

"Tilikum had never given us any indication that he would pull somebody into the water with him," Flaherty Clark said.

Another important point of contention that emerged Monday was whether OSHA's recommendation that trainers be protected at all times by a physical barrier should apply only to their work during public performances or at all times.

OSHA said its citation applies only to work during performances. But SeaWorld said it is impossible to draw a line between show behaviors and other behaviors, because so much of the work overlaps. Flaherty Clark noted that trainers will often use performances to continue training whales on specific behaviors that are necessary for certain husbandry procedures, such as obtaining gastric samples.

It's a crucial point, because SeaWorld can better argue that OSHA's recommendations are untenable if it can show that they would interfere with medical procedures or other husbandry work.

The concern about the effect on husbandry led to one of the day's most surprising claims: Flaherty Clark testified that she thinks a whale that died of an illness last year might have been saved if trainers had been working with the animal in the water. She said trainers might then have noticed sluggishness or other aberrant behavior in the whale, a 25-year-old female named Kalina, even before it was diagnosed by veterinarians and before it had progressed to a point beyond saving the animal.

"We would have picked up on it if we'd been in the water with her," said Flaherty Clark, who choked up while discussing the whale. "I think we might not have lost Kalina if we were able to be as close with her today as we were on Feb. 23rd."



Saturday, September 17, 2011

New OSHA Directive Tackles Workplace Violence Concerns

In the last 15 years, deaths resulting from workplace violence have ranked among the top four causes of occupational fatalities in American workplaces. In response to this serious threat to worker safety, OSHA released a new compliance directive on Sept. 8 that offers procedures for agency staff who respond to workplace violence cases or complaints.

The directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, also establishes procedures for conducting inspections in industries such as late-night retail workplaces and health care and social service settings, which may be at a higher risk of workplace violence. A new Web page that focuses on preventing workplace violence offers additional help to employers working to address workplace violence issues.

“Research has identified factors that may increase the risk of violence at worksites,” the directive states. “Such factors include working with the public or volatile, unstable people. Working alone or in isolated areas may also contribute to the potential for violence. Handling money and valuables, providing services and care, and working where alcohol is served may also impact the likelihood of violence. Additionally, time of day and location of work, such as working late at night or in areas with high crime rates, are also risk factors that should be considered when addressing issues of workplace violence.”

More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 nonfatal workplace injury cases was reported annually during this time.

Taking Precautions, Protecting Workers

A recent OSHA inspection of a Maine psychiatric hospital found more than 90 instances in which workers were assaulted on the job by patients from 2008 through 2010. OSHA cited the hospital for not providing its workers with adequate safeguards against workplace violence and proposed a fine of more than $6,000. The agency also has recently cited facilities in New York and Massachusetts where employees have been killed as a result of assaults.

“These incidents, and others like them, can be avoided or decreased if employers take appropriate precautions to protect their workers,” said OSHA Administrator Dr. David Michaels.

Studies by the National Institute for Occupational Safety and Health and other organizations show that employers who implement effective safety measures can reduce the incidence of workplace violence. These measures include training employees on workplace violence, encouraging employees to report assaults or threats and conducting workplace violence hazard analyses. Other methods, such as using entrance door detectors or buzzer systems in retail establishments and providing adequately trained staff, alarms and employee “safe rooms” for use during emergencies in health care settings, can help minimize risk.

This article was originally posted at http://ehstoday.com/standards/osha/OSHA-workplace-violence-directive-0913/


Monday, September 12, 2011

Regulatory Healthcare Entities Look for HIPAA Compliance Improvements

As many healthcare providers begin using new technology to streamline practices, lower expenditure and improve efficiency, regulatory compliance procedures become more complex. In the healthcare industry, HIPAA compliance is among the most important standards to meet, and regulatory entities have recently increased audits and general contingency checks, Mlive reports.

According to the source, the U.S. Department of Health and Human Services published a self-evaluation resource in conjunction with the American Health Lawyers Association to aid directors of medical facilities and organizations.

Recovery audit contractors who inspect Medicare claims have been increasingly employed by the Centers for Medicare and Medicaid Services to broaden its audit capabilities and inspection policies, the source adds. This strengthening of audit practices necessitates consistent and thorough checks of compliance practices and security policies.

Since the advent of HIPAA compliance (health care compliance) and its later counterpart, the HITECH Act, new technology such as cloud computing has given healthcare providers tools to comply and to receive incentives for implementation and proper use of electronic health records. According to the CMS, for example, the Medicare meaningful use program offers up to $44,000 to medical professionals who meet requirements.

This article was originally posted at http://www.proofpoint.com/news-and-events/security-compliance-and-cloud-news/articles/regulatory-healthcare-entities-look-for-hipaa-compliance-improvements-800590637


Bolstering Security Education

Many security managers say end-user education is a central part of IT security. More regulations are also requiring that organizations demonstrate that they’re conducting such training.

Increasingly, organizations are looking to automated, Web-based educational solutions. Pemco Insurance, located in Seattle, implemented a solution from the vendor Cosaint several years ago. Pemco wanted a way to bolster employee security education in a manner that would reduce administrative costs, says Marc Menninger, security manager. He also wanted a way to make security education easier and to have access to reports on education to show auditors, he says.

One reason Pemco chose Cosaint was its wealth of information security courses, which range from “mobile device security” and “information retention and destruction” to “avoiding identity theft.”

Most lessons are presented in easy-to-follow PowerPoint presentations, he says. Menninger also says he found Cosaint easy to use and relatively low-priced.

Setting up the solution mainly entailed creating a core Pemco information security module, Menninger says. During the implementation process, which involved taking Cosaint material and tailoring it towards Pemco’s policies and needs, Pemco received considerable assistance from the vendor, he says.

Much of the material was aimed at teaching employees to develop strong passwords and to avoid phishing e-mails, which can contain malicious links or attachments. One goal in creating and editing the new module was to make sure the material would be at a fairly high level, he says. At the same time, he didn’t want the lessons to be too onerous or time-consuming. Pemco didn’t have to install any software or browser plug-ins to use Cosaint, Menninger says.

Menninger e-mails employees to tell them they need to review and electronically sign the security policy module. Menninger can then track who has taken courses; the system automatically sends out reminder e-mails to employees who have yet to take them.

Menninger has been pleasantly surprised in recent years about how many employees have taken advantage of Cosaint’s numerous security courses, most of which Pemco makes optional.

Students can take a quiz after each lesson and then receive a certificate showing how well they scored. Menninger occasionally sees certificates displayed in employee work spaces, he says. Some employees may be particularly interested in security, he says, or may enjoy the challenge of the tests.

Educating users about the dangers of phishing messages may be one of Cosaint’s primary security benefits. Phishing security is heavily emphasized in Pemco’s security policy and in Cosaint’s available material.

Pemco has started using Cosaint for additional professional education in recent years, covering both security and nonsecurity related subjects. In one example, a manager wanted to educate certain staff about IT change-management procedures and policies, Menninger says. Working with Cosaint, Pemco developed an educational module that could be accessed along with other Cosaint lessons. “It worked out well for [the manager].”

The Web-based training system has reduced paperwork and administrative costs, including the need for in-person security training, Menninger says. In addition, automatically generated reports have created a convenient way to demonstrate Pemco’s training to auditors.

Many technological security solutions are far more expensive than what Cosaint offers, Menninger says. He adds that the product’s modest cost, breadth of material, and strong customer service help make it “one of the most economical security systems we have.”

This article was originally posted at http://securitymanagement.com/article/bolstering-security-education-008957?page=0%2C1


Monday, September 5, 2011

How to Evaluate a HIPAA Security Compliant Data Center

If you host your healthcare data with a data center, certain administrative, physical and technical safeguards should be in place, as defined by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Although all service providers tout their data centers as secure, how do you confirm that one truly is HIPAA Security Rule compliant?

HIPAA sets the standard for protecting sensitive patient data. Under HIPAA there are two designations, Covered Entity and Business Associate. The Covered Entity is the provider of medical care or any entity that transmits electronic protected health information (EPHI). The Business Associate is any entity that provides services for a Covered Entity that may involve EPHI. The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 and raised the stakes for Business Associates in complying with HIPAA, basically putting them on par with Covered Entities. By managing servers containing EPHI, the data center hosting company is considered a Business Associate and must ensure all the required physical, network and process security measures are in place and followed.

The Minimum Safeguards

When evaluating providers, the following safeguards must be in place:

•    Physical safeguards - include limited facility access and control, with authorized access in place. All covered entities, or business associates, must have policies about use and access to workstations and electronic media. This requirement includes transferring, removing, disposing and re-using electronic media and EPHI.
•    Technical safeguards - require access control to allow only authorized personnel to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
•    Audit reports (or tracking logs) - must be implemented to keep records of activity on hardware and software. This procedure is especially useful to pinpoint the source or cause of any security violations. Solution providers should keep very detailed records in their building monitoring system, down to the second when somebody accessed a badge reader on a door.
•    Technical policies - should also cover integrity controls, or measures put in place to confirm that EPHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are keys to ensure any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact. A HIPAA security compliant data center must ensure crucial healthcare data it handles for providers and insurers will be safe and protected in the event of a disaster.
•    Network, or transmission, security - is the last technical safeguard required of HIPAA security compliant hosts to protect against unauthorized public access of PHI. This requirement covers all methods of transmitting data, including email, Internet, or even over a private cloud network.

Turn to Audit Reports

The rapid adoption of healthcare technology and applications such as Electronic Health Records creates new challenges for healthcare IT planners, who must undergo costly upgrades to ensure HIPAA security compliance. Outsourcing data storage to data center hosting companies can be a cost-effective alternative. The best way to evaluate whether the required security is in place is to review the data center’s SAS-70 (recently changed to SSAE 16) and PCI-DSS audit reports. The audit reports should specifically cover the processes for the data center’s physical security, network security and access control to the data on the server.

A SAS-70 (Statement on Auditing Standards) designation confirms the data center complies with established auditing controls. The audit is conducted by an independent, third-party CPA. SAS-70 certification includes two types of audit reports:

•    Type I – The first step in the auditing process evaluates the organization’s description of their internal controls.

•    Type II – Includes the Type I report and it evaluates how the controls were operating from when the Type I audit was first conducted to six months thereafter. 

The final deliverable for the audit is commonly called the SAS 70 Service Auditor’s Report, a lengthy document which contains a multitude of information regarding the service organization, its overall control structure, framework, test of controls (if a Type II audit), along with adjunct and supporting documentation, such as the Independent Accountant (or Service Auditor’s) Report, possible exceptions noted during testing, and any additional information provided by the service organization.

Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The standards were created to prevent cardholder fraud, which is critical as more patients pay by credit card. The following table shows the requirements:

| Control Objectives | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |

The Staggering Price of Non-Compliance

The HIPAA Security Rule went into effect in 2005, but its enforcement and the financial impact of violations have been hard to pinpoint in the past. The HITECH Act of 2009 changed that, and recent cases show violations can be expensive.

Massachusetts General Hospital discovered that Health and Human Services is getting serious about HIPAA violations. The hospital agreed to pay $1 million to settle potential HIPAA violations. Massachusetts General’s case involved the loss of electronic protected health information (EPHI) of 192 patients. The loss works out to over $5,000 per record.

Healthcare organizations must ensure their data centers meet the guidelines for the HIPAA Security Rule and have the required safeguards in place. Although there is no widely accepted HIPAA Security certification program, the SAS-70/PCI-DSS certifications exceed the HIPAA security safeguard requirements and can help demonstrate compliance. Staying well informed of regulatory changes will help meet requirements and avoid expensive penalties.

This article was originally posted at http://www.healthcareitnews.com/blog/how-evaluate-hipaa-security-compliant-data-center
