Building a Culture of Security in Healthcare



Clinicians spend the vast majority of their time working hard to advance patient care, so when they are approached with new security rules and regulations, perfect adherence is unlikely to be at the top of their to-do list. As clinical staff go about their care coordination duties, it is easy to use a personal device to reach a colleague, forget to log out of a workstation, or hold a normally secure door open for a visitor.

Security is everyone's responsibility. It nonetheless falls to the information security team to mitigate and minimize risk to sensitive information, such as protected patient data or other hospital records. When your IT staff is coming up against a clinical workforce resistant to security best practices, there are several strategies you can employ to encourage adoption. We at ePlus like to think of these practices as fostering a workplace culture of good security. In this blog, we'll explore the strategies we find most effective at establishing this mindset in colleagues.

1. Explain the Whys and the Wherefores

For healthcare workers, the patient is always the highest priority, so make sure you are communicating how proper security measures protect their patients. Logging out of hospital computers and smartphones when stepping away is a simple, effective way to keep unauthorized persons from viewing sensitive patient information on an unattended screen. For secure units like the NICU, explain that holding open a secure door for someone without credentials could lead directly to patient harm.

By framing your hospital security practices as mitigating the risk to the patient, you are connecting the importance of these procedures with their patient care priorities.

2. Security Is Personal

Security practices shouldn’t seem like a chore—remind your colleagues that the security practices in the healthcare organization can also benefit them personally, outside an acute care setting. Physicians who have their own private practices can use similar guidelines in their own practices to mitigate any potential risk to protected information. Employees with children can better safeguard devices to avoid exposing their child’s information online.

Strong passwords and multi-factor authentication, for instance, don’t just benefit employees while they’re at work. They can help guard personal financial information and more from bad actors outside the hospital.

Probably the most misunderstood example of the balance between personal and professional security practices is mobile device management. When healthcare organizations ask employees to enroll their personal smartphones in an MDM system, there can be quite a bit of pushback around privacy and remote control of the device. Employees do not want their IT department to be able to remotely wipe or view the contents of their phone whenever it wants.

It's a fair concern, but ask your colleagues to consider this function as a benefit. If they lost their phone outside of work hours with sensitive information on it, perhaps a banking application or their email, recovering or wiping it on their own can be a scramble, especially if they never set up the platform's own lost-device features. With the device enrolled, they can call the organization's IT help desk (assuming it is staffed around the clock) and have the device wiped promptly to prevent any loss of data. It's like having their own personal security team on the case. Be precise about what the enrollment actually permits, because that is what defuses the privacy objection: BYOD enrollment modes such as an Android Enterprise work profile or Apple User Enrollment confine IT's control to the managed work container, so a wipe normally removes only work data and IT cannot browse personal photos or messages. Tell staff exactly what IT can and cannot do, and put it in writing.

Beyond these tips, helping colleagues recognize phishing attempts and other malicious emails can also help them outside of work. Especially around the holidays, reminding employees to be skeptical of offers that seem “too good to be true” can help both your organization and your employees’ friends and family members. These common practices can help healthcare workers get into a habit of good security.

3. Be Realistic About Security Workflows

It is often difficult to adhere consistently to security protocols because they become yet another task employees need to complete. Clinical workflows are already highly susceptible to bottlenecks and friction, and additional steps taken to ensure security can mean a difference of minutes in an emergent situation.

For this reason, be mindful of the protocols you’re establishing. There is a fine line between a robust security program and a draconian one that interferes with patient care. If possible, use your team’s resources to make following security protocols as easy as possible for your clinical colleagues.

Perhaps you invest in a password manager that suggests and stores strong passwords, or make a push for single sign-on across frequently used clinical platforms. Configure hospital-owned devices to lock or log out automatically after a short period of inactivity, so a forgotten logout does not leave patient data on screen. Pair the timeout with fast re-authentication, such as a badge tap, on shared clinical workstations; an aggressive timeout without it invites workarounds like shared logins, which undermine the control entirely. Use MDM to push operating system and application updates automatically, so known vulnerabilities are patched without IT having to track down each device individually.

For physical security, provide clinicians with a script they can use when they see an unauthorized person attempting entry. For instance, they can offer to escort the visitor to the front desk or to their destination—this way, they will still be polite and helpful without creating a security hazard.

4. Leverage Security Advocates

As an IT team, remember that you’re not on an island. There are plenty of colleagues you can enlist to help you communicate good security messages to the rest of the organization.

First, identify a few security advocates: nurses, physicians and anyone else who interacts with healthcare workers and can provide additional context. Your advocates are the people who will win over late adopters and skeptical employees, which makes them essential to cultivating a culture of security. Make sure your information security staff is also visible to the organization's staff at all levels. Get to know the people you are working with and let them know you are there to help. People are much more likely to follow the advice of someone they recognize than a protocol that reaches them in an email or policy document. After training sessions or big presentations, your security advocates will be the ones having follow-up conversations with their colleagues to reinforce and elaborate on your message.

Second, recruit your organization's legal and risk management teams to help you develop training materials and presentations. As a major influence on hospital governance, the legal team can give healthcare workers additional information and context around security procedures. When the message comes from colleagues across multiple departments and teams, employees are more likely to listen and adopt the practices.

Healthcare organizations are frequent targets for malicious actors. By fostering a culture where security is robust and ubiquitous throughout the organization, you can help your organization mitigate risk and better protect patient information.

ePlus provides world-class security posture assessments, products and technologies, consulting, integration and ongoing operational services. Visit us at:

Ken Puffer, CTO

Ken Puffer is the Healthcare CTO at ePlus Technology, and has two decades of experience providing information technology solutions to healthcare organizations at every level. Learn more about ePlus Technology solutions by visiting
