Last week, researchers and Bachelor's students from the University of Twente investigated whether an escape room simulation of a cyber attack could contribute to increasing cybersecurity awareness. The participants were staff of healthcare facilities in the Twente and eastern Achterhoek regions. Initial results show that the escape room increases cybersecurity awareness among healthcare workers: for instance, participants say they are more alert to phishing, installing software updates promptly, and the use of strong passwords.
The escape room was organised by Acute Zorg Euregio (AZE), a regional network of organisations involved in acute care – i.e. care that must be delivered within minutes or hours in order to prevent a patient from dying or incurring permanent damage to their health, for instance following a serious accident. A cybersecurity incident, such as a ransomware attack, can jeopardise the delivery of such care. So it is crucial that healthcare workers are aware of potential cyber risks and know what to do in the event of a cyber crisis.
The escape room took place in a converted trailer, the so-called cybertruck. The objective of the cybertruck was to create and increase cybersecurity awareness among healthcare workers by means of an interactive game. Participants were given the mission to stop an active hacker. In doing so, they encountered various elements of cybersecurity: for example, they found an unidentified USB stick. The point was not to plug the stick in, because that would represent an infection risk for the computer. The students observed what the healthcare workers did in the escape room. Afterwards, the workers gave feedback in a debriefing session about how this knowledge might be applied in their organisations.
UT researchers Jan-Willem Bullee and Luka Koning (Faculty of Behavioural, Management and Social Sciences): "Many interventions have been developed to increase cyber resilience, but they are often not backed up by proper research. And if an effect is studied, there is often no monitoring of whether the effect persists in the longer term, and if so for how long. We aim to answer those questions by taking multiple measurements before and after the cybertruck experiment. The results give us an insight into how best to arm healthcare workers against cyber risks. Ultimately, that can prevent major incidents, such as the organisation being paralysed by ransomware. An incident like that can sometimes start with a simple phishing e-mail."
“With over two hundred participants, we can look back on a successful training event”, says Robin Schär, policy adviser for Crisis Management and Courses, Training & Exercises at AZE. "One of our conclusions is that while the security of the technical infrastructure may be optimal, human actions remain decisive to the success of that security." Schär advises care organisations to convert awareness into safe behaviour: involve every employee and keep practising. "We are very interested to see the results of the UT study later this year."
The cybertruck was developed for the Brabant Acute Care Network, AZE's sister organisation in Noord-Brabant. Participating in the sessions in Enschede and Winterswijk on 3, 4 and 5 October 2023 were AZE chain partners including the MST, ZGT and SKB hospitals, the municipal health services (GGD), GPs and mental healthcare institutions.
Photo: f.l.t.r. UT student Luuk Spelbos, AZE- policy advisor Robin Schär and the gamemaster of the cybertruck.