OSF HealthCare trades in legacy SAT solutions for personalized training with Dune Security
- 100,000+ targeted simulations deployed in comprehensive risk assessment across OSF's healthcare system.
- 25,000+ users to receive personalized training that adapts to individual behaviors and departmental risk levels.
- 0 licensing fees required to access advanced AI capabilities that were previously locked behind expensive upgrades.
The training we’ve seen from Dune is significantly better quality and more engaging. It’s clear they’re thinking differently, and it shows.
About OSF HealthCare
OSF HealthCare is a leading integrated health system headquartered in Peoria, Illinois. With 17 hospitals, 25,000+ employees, and over 150 care locations across Illinois and Michigan, the organization manages extensive patient data and digital healthcare infrastructure while reporting annual revenue exceeding $3.5 billion.
- Key Microsoft and ICES integrations maintained during platform transition, including Phish Report button and Azure connectivity with minimal IT overhead
Challenge
Traditional SAT solutions couldn't adapt to sophisticated threats across the diverse, high-stakes healthcare landscape
Managing cybersecurity across 17 hospitals is both highly complex and mission-critical. For Christopher Talcott, OSF HealthCare's CISO, every security decision impacts both data protection and patient care itself. Yet their legacy security awareness training (SAT) platform wasn’t evolving fast enough to keep pace with today’s attackers.
"We had to customize a lot of our previous phishing simulations," Christopher explains. "Some of them were so blatantly obvious that even our most casual users would catch it." That left users largely unprepared for actual, sophisticated attacks.
The tool’s static approach to training only widened this gap. Every employee across the board received the same generic modules, meaning physicians saw the same content as front desk staff, despite facing completely different threats. While users who didn’t pass their security tests were re-enrolled, it was clear that the training itself was not having a meaningful impact. According to Robert Davis, OSF's Information Security Analyst, learning effectiveness remained low as users clicked through their required content without genuinely engaging.

Demonstrating measurable security progress wasn't optional for Christopher — or OSF's board. Recognizing a shift in attacks to focus on exploiting end users, the organization’s leadership needed a platform that could evolve with threats, provide meaningful risk insights, and show tangible improvements in user behavior, not just completion statistics.
On top of it all, their SAT vendor relationship had grown increasingly one-sided. Christopher made several requests but saw minimal product innovation, as new features were often locked behind expensive licensing upgrades. "Every quarter, they tempted us with updates — only to find out that we couldn't use them unless we upped our pricing plan," Christopher explains.
That's when Christopher began searching for something better. He needed a platform built for healthcare's unique challenges, one that could deliver adaptive training and meaningful risk insights through a genuine partnership — rather than a traditional vendor lock-in.
Solution
Adaptive risk assessment and role-based training, fine-tuned to each user’s behavior
OSF partnered with Dune to overhaul their security awareness approach, moving from static training to role-based simulations tailored to healthcare. Rather than recycling dated security scenarios, Dune leveraged actual user insights to create adaptive training that continues to evolve with threats.
The team was hands-on and helpful from day one, conducting regular sessions with Robert and Lynn Nena, OSF's Enterprise Security Manager, to ensure smooth deployment and proper platform optimization. So when OSF requested to maintain their Microsoft Phish Report button during the transition — an impactful integration, given that the OSF team would not need to retrain users on a new report phish button — Dune took action. As a result, the integrations were seamless, well-documented, and required minimal IT lift from Robert’s team.
Dune then got to work on a baseline assessment, sending over 100,000 targeted simulations across OSF's workforce to gauge individual risk scores. With these results and the platform’s AI, Christopher’s team could finally spin up simulations tailored to specific healthcare roles. From front desk staff dealing with insurance scams to IT personnel with system access threats, this role-based approach replaced the "blatantly obvious" phishing scenarios that had undermined OSF’s previous training efforts.

The transformation to risk-based security awareness has also fundamentally changed how OSF manages user education. Dune's risk scoring provides granular visibility into security behaviors, opening the door to proactive interventions. "Now we can see which departments are vulnerable, and send tailored training accordingly," says Lynn. Plus, the platform automatically adjusts training frequency and difficulty based on performance — users with higher risk scores receive additional targeted simulations, while lower-risk users see reduced frequency.
For Christopher, Dune’s enhanced reporting capabilities have given him greater peace of mind when presenting to the board. "Tailoring our security training down to an individual level has really helped demonstrate the effectiveness of our investment," he shares. Instead of fluctuating percentages, he now provides comprehensive risk analyses that measure OSF’s progress.
Best of all, OSF has found a true partner in Dune. One that listens, acts, and implements — with no quarterly delays or paywalls involved. When Christopher’s team requests new features, turnaround happens in days, not months. "We tell [Dune] that we need something and it's ready by the end of the week," he explains.
Results
OSF HealthCare moves from blanket simulations to tailored, engaging security training
With Dune, OSF HealthCare now delivers targeted security training that adapts to behaviors across their healthcare workforce. The security team can identify which departments pose the greatest risk, focus resources where they're actually needed, and demonstrate measurable progress to leadership, capabilities that were unheard of with their previous platform.
The numerical risk scores have opened new possibilities for user engagement, with Robert noting the potential for gamification, like quizzes, that could further lower users’ risk ratings. This represents a fundamental shift — from training being seen as a compliance burden to an engaging experience.
But Dune’s value extends beyond platform capabilities. With his participation in Dune's CISO Advisory Council, Christopher continues to provide ongoing product development input during regular roadmap meetings. "Dune is willing to share their roadmap and gather feedback from such a large group of customers," he shares. "I haven't seen that kind of transparency from any company I've ever worked with."
Looking ahead, OSF's future security plans now center around expansion rather than replacement. Microsoft Defender integration and advanced risk modeling are on the horizon — improvements that will build on their existing foundation with Dune.
"We can't keep doing the same thing and expect different results. Dune Security is doing something new and exciting — and they’re showing quantifiable outcomes."

Jeremy Livingston
