Cyber hygiene
IT & Securityarticle · 7 min · updated Jul 17, 2026

Cyber hygiene

By Rajendra Sharma, RN, CPC, CPBReviewed by Rajendra Sharma, RN, CPC, CPB · Jul 17, 2026

The unglamorous basics that prevent most breaches — and why every one of them fails in a hospital for the same reason: the safe path was slower than the work allowed.

In one line

Most breaches are not sophisticated. They are a default password, an unpatched box, a phished credential, or an over-privileged account — and the basics that would stop them are well known, cheap, and routinely defeated by how hospitals actually work.

The basics, honestly listed

  • Patch. Most exploited vulnerabilities have had a fix available for months.
  • MFA. Kills the overwhelming majority of credential attacks.
  • Least privilege. Then verify it, because it's granted and never checked.
  • Remove leavers. And moversthe transfer nobody revokes.
  • No shared accounts. They destroy every audit trail.
  • Inventory. You cannot protect what you don't know exists.
  • Tested backups, immutable.
  • Encrypt in transit, always.
  • Segment the networkespecially the devices.

None of that is clever. All of it works. Nearly every hospital is failing at several.

Why it fails here specifically

This is the part security training skips, and it's the whole explanation.

Every basic above has a workflow cost, and in a hospital that cost is paid in a currency that is already exhausted:

  • MFA means finding a phone in a pocket, under a gown, with gloves on, at 3am.
  • Individual logins mean 40 seconds at a shared ward terminal, twelve times an hour, while patients wait.
  • Least privilege means a locked door at the moment the answer is needed.
  • Patching means downtime, and there is no good time to reboot a system a ward depends on.

So people work around them. The shared login. The taped-up password. The photocopied wristband barcodes — the same workaround the nursing lab teaches as a safety failure, and it has the same root cause.

Here is the sentence that matters: a workaround is a design failure with a person's name attached to it.

The nurse using wardnurse / password123 is not careless. She is rational. The safe path was slower than the work allowed, and she chose the patients. She is right, and the system is wrong — and every awareness poster in the building is an attempt to solve an engineering problem with guilt.

What actually works

Stop trying to make people slower. Make the safe path the fast path:

  • Badge tap + PIN instead of a typed password. Sub-second. The shared account disappears on its own, because nobody wants it any more.
  • Session roaming — pick up your session at the next workstation instead of logging in again.
  • Context-aware MFA — don't re-challenge inside the ward on a known device; challenge hard from an unknown network.
  • Patch windows negotiated with clinical leads, not imposed by IT at a time that suits IT.
  • Make reporting safe. If people are punished for reporting a click on a phishing link, you learn nothing — the same blameless logic that patient safety culture arrived at independently, decades earlier.

Phishing, briefly

The main door in. And the health-specific angle: the lure works because it exploits professionalism — "urgent: patient results attached", "your registration is expiring". A clinician clicking that is doing their job.

So the useful measure is not the click rate. It's the report rate, and how fast. Someone who clicks and reports in thirty seconds has given you a defensible position. A culture where they say nothing for a day out of embarrassment has given you a breach.

The honest summary

Cyber hygiene isn't hard to know. It's hard to live, in a building where the work is urgent and the security was designed by someone who has never been eleven minutes behind on a drug round.

If you build health software, that's your problem to solve — not the nurse's.

References

  1. NCSC — 10 Steps to Cyber Security
  2. CISA — Cyber Essentials
  3. NIST — Cybersecurity Framework 2.0

Related entries