Awareness programme for a regional hospital network

Redesign of a hospital network's security awareness programme around clinical-context scenarios and workflow-compatible controls.

Sector. Healthcare, multi-site hospital network, ~8,000 staff

Engagement. Project engagement plus annual review

Duration. Eight-month project, ongoing annual review

The client is a regional hospital network operating three acute-care sites and a network of outpatient clinics. Their existing awareness programme was a generic enterprise-style curriculum that clinical staff found irrelevant and difficult to complete within constrained ward time.

Our scope covered curriculum redesign, scenario authoring with clinical-informatics input, simulation programme design calibrated to clinical workflow, and tabletop exercises for the clinical-IT incident-response team.

The most material design constraint was completion time. Clinical staff have minutes — not tens of minutes — to complete training during ward time. Modules over five minutes are completed at home if at all; modules under three minutes have measurable completion rates above 90%.

We redesigned the curriculum around two-to-four-minute modules, each focused on a single behavioural change, with clinical-context scenarios authored in collaboration with the network's informatics team. Completion rates moved from 47% (the prior curriculum's twelve-month average) to 91% (six months post-launch). The reporting rate on simulated phishing campaigns moved from 8% to 34% over the same period.

Outcome

Completion rate up from 47% to 91%; reporting rate up from 8% to 34%; ongoing annual review engagement.