
Why healthcare workers ignore your security policy (and you pay the price)

Posted by
Rob Veen
When healthcare staff violate security rules (such as sharing passwords or using WhatsApp for patient photos), this is often a symptom of unworkable IT policy ('Shadow IT'). Although organizations often think the employee is at fault, the legal reality is different. The Dutch Data Protection Authority fines the organization (the controller), not the individual. Recovering damages from the employee is, under Article 7:661 of the Dutch Civil Code, virtually impossible unless there is intent or deliberate recklessness. An internal NEN 7510 audit should therefore not only test knowledge of the rules, but above all whether they are workable.
Walk into any hospital ward and look around carefully.
There is a good chance you will see a sticky note stuck to a monitor somewhere. Maybe not a password, but an extension number or a login code for the medication cabinet. Watch how a doctor logs in: does he really type in a complex 14-character password, or does he use the badge of a colleague who is already logged in, because that saves 30 seconds?
As a CISO or executive, your first reaction is probably frustration. "We trained them! They signed the code of conduct! Why don't they understand?"
Stop thinking that way.
Your staff are not unwilling. They are pragmatic. Their primary task is: helping patients. If your NEN 7510 policy gets in the way of that task, care wins. Always.
In this article, we reverse the roles. We do not look at how we can "train staff better," but at the legal reality of unworkable policy.
The Legal Reality: Who Is Really Liable?
Many executives live with the assumption that they are covered by a confidentiality agreement and a strict IT policy. "If Pietje shares his password, it's his fault."
Here we must make a sharp distinction between external fines and internal liability.
1. The external bill (Dutch Data Protection Authority)
The AP (Autoriteit Persoonsgegevens, the Dutch Data Protection Authority) enforces against the controller, which is the healthcare organization. If a nurse leaks data because of an error, the organization gets the fine. You cannot tell the AP: "Send the invoice to the employee." You should have taken organizational measures to prevent the error.
2. The internal damage (Employment law)
Can you recover that damage from the employee?
As a rule: No.
According to Article 7:661 of the Dutch Civil Code, the employee is not liable for damage caused during work, unless there is intent or conscious recklessness.
The threshold for "conscious recklessness" is extremely high in case law.
Situation A: A nurse shares her password with a substitute because otherwise the substitute cannot access the record of an acute patient.
Assessment: Probably not recklessness. The employee acted in the patient's interest (conflict of duties) and the employer did not have account management in order.
Situation B: A doctor uses WhatsApp for a 'second opinion'.
Assessment: If the employer does not provide a workable, secure alternative, a judge will rarely rule that the doctor is liable for the data breach. The doctor's duty of care (providing proper care) carries significant weight.
Conclusion: You cannot shift responsibility to the work floor. If your security is not workable, the failure of that security is your risk.
The 3 Causes of 'Shadow IT' (Friction = Risk)
Why do those sticky notes and shared accounts happen? Not because of laziness, but because of friction.
In the NEN 7510 audit, the question is often: "Is there a policy?"
The real question should be: "Is the policy workable on the night shift?"
1. Password Fatigue vs. Acute Care
A healthcare worker logs in dozens of times per day.
The Policy: "Complex passwords, change every 90 days, automatic logoff after 5 minutes."
The Reality: This slows the care process too much.
The Workaround: Doctors do not log out, or they use each other's session. In a resuscitation setting, waiting 2 minutes for Windows is not an option.
2. The WhatsApp Trap (Communication)
Care is teamwork. Photos and quick consultation are essential.
The Policy: "Do not use private apps."
The Reality: The organization only offers slow email or an awkward EHR module.
The Risk: Everyone switches to WhatsApp. Although the app itself is encrypted, its administration does not comply with the GDPR (metadata stored in the U.S., no data processing agreement, address-book sharing). As an organization, you lose control over where patient data is stored.
3. The Substitute Chaos
Healthcare relies on temporary workers and self-employed contractors.
The Policy: "Account requests take 5 business days."
The Reality: The contractor is called today to work tomorrow.
The Workaround: The department manager gives the login details of a sick colleague.
The Result: NEN 7513 (logging) has become worthless, because you no longer know who was actually behind the controls.
The AuditDirect Approach: Stop Preaching, Start Solving
A traditional internal audit states: "Employees share passwords. Wrong."
Next, you organize an "Awareness Training." Everyone agrees, and the next day they do exactly the same thing because the problem (lack of time) has not been solved.
At AuditDirect, we do not believe in treating symptoms. We audit the cause.
The "Gemba Walk" Audit
We conduct our audits on the work floor (the 'Gemba'). We observe.
How often does a nurse have to log in?
Why do people choose WhatsApp?
What happens when the printer jams?
If we find a workaround, we do not punish. We ask: "Why is this necessary?"
Technical Solutions for Cultural Problems
Often the solution is not "more rules," but "better technology."
Identity & Access Management (SSO):
Replace typing with proximity badges. Badge against the reader + PIN = inside in 2 seconds. This solves the "open session" risks without frustration.
Enable Secure Messaging:
Offer a secure alternative that works just as well as WhatsApp (such as Siilo, Smartpaging or BeterDichtbij). If the secure option is easy, use of the insecure option stops on its own.
The "Break-Glass" Account:
Acknowledge that emergencies exist. Create an emergency procedure that allows access to the record without an account, while logging and alerting this access. This prevents preemptively sharing passwords "just in case."
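As an added illustration of the break-glass idea (example code written for this article, not AuditDirect's or any vendor's implementation): a small Python emergency-access registry that grants time-boxed access to one record, writes an audit entry that names the person rather than a shared login, and raises an alert so every use is reviewed afterwards. The grant duration, the review deadline and the record identifiers are assumed values.

```python
"""Break-glass emergency access: time-boxed record access without a personal
account, with an attributable audit entry and an alert for mandatory review."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

GRANT_DURATION = timedelta(hours=4)    # assumed: how long an emergency grant lasts
REVIEW_DEADLINE = timedelta(hours=24)  # assumed: security officer signs off within a day


@dataclass
class BreakGlassEvent:
    requester: str   # identity asserted at the terminal (not authenticated, hence the review)
    role: str
    record_id: str
    reason: str
    granted_at: datetime
    expires_at: datetime
    reviewed_by: Optional[str] = None


@dataclass
class BreakGlassRegistry:
    audit_log: List[BreakGlassEvent] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def request_access(self, requester: str, role: str, record_id: str,
                       reason: str, now: datetime) -> BreakGlassEvent:
        """Grant emergency access; every grant is logged and alerted, never silent."""
        if not reason.strip():
            raise ValueError("a reason is mandatory for emergency access")
        event = BreakGlassEvent(requester, role, record_id, reason,
                                now, now + GRANT_DURATION)
        self.audit_log.append(event)  # the trail keeps a name, not a borrowed account
        self.alerts.append(f"BREAK-GLASS {now.isoformat()} {requester} ({role}) "
                           f"-> {record_id}: {reason}")
        return event

    def has_access(self, event: BreakGlassEvent, record_id: str, now: datetime) -> bool:
        """Access is limited to the one record and expires automatically."""
        return event.record_id == record_id and event.granted_at <= now < event.expires_at

    def review(self, event: BreakGlassEvent, reviewer: str) -> None:
        event.reviewed_by = reviewer

    def overdue_reviews(self, now: datetime) -> List[BreakGlassEvent]:
        """Grants nobody has signed off on within the deadline: the audit finding."""
        return [e for e in self.audit_log
                if e.reviewed_by is None and now - e.granted_at > REVIEW_DEADLINE]
```

The alert list stands in for whatever the organization uses to page the security officer; the point is that emergency access is attributable and reviewed, not forbidden.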
Compliance Audit vs. Reality Audit
| Audit Aspect | The Paper Audit (Traditional) | The Reality Audit (AuditDirect) |
|---|---|---|
| Passwords | "Is there a password policy?" | "How many minutes per day does care lose to logging in?" |
| Behavior | "Have the codes of conduct been signed?" | "Which 'workarounds' are necessary to deliver care?" |
| Solution | "More training and rules." | "Better UX (User Experience) and technology (SSO)." |
| Focus | "The employee makes a mistake." | "The process does not adequately support the employee." |
Glossary
Workaround: An informal way of bypassing an obstacle in the official process. In IT security, often a sign of poor process design, not unwillingness.
Shadow IT: The use of software (such as WhatsApp, personal laptops) without management by the IT department.
Intent / Conscious Recklessness: The minimum legal threshold (Art. 7:661 Dutch Civil Code) for recovering damage from an employee. This requires that the employee knew that damage would occur and accepted that risk. A "stupid mistake" rarely falls under this.
Privacy by Design (as UX): Build security in so that it is the default, easiest option.
Security Is Service
A NEN 7510 certificate that relies on unworkable rules is a house of cards. At the first crisis, it collapses. Your staff want to provide safe care. They simply do not want security to slow them down.
As an executive, you are legally and financially responsible. Do you choose a paper reality, or a workable practice?
Would you like an internal audit that does not point fingers, but helps reconcile security and practicality?
Frequently Asked Questions about Personnel & Security
1. Is the employee liable in the event of a data breach?
In the vast majority of cases: No. The employer bears the business risk. Only in cases of demonstrable intent (data theft) or gross recklessness (persisting in specific behavior after repeated warnings) do you have a chance in court. A mistake due to time pressure or lack of knowledge is the company's responsibility.
2. Can I ban WhatsApp?
As an organization, you may and must set rules for which tools are used for patient data. The Dutch Data Protection Authority states that you must remain in control of the data. In consumer apps such as WhatsApp, that control is lacking (metadata, storage location, administration). However, banning it only makes sense if you offer a workable alternative.
3. How do I handle freelancers and access?
Treat self-employed contractors the same as employees when it comes to security. Use a fast-track onboarding process for access. It is safer to give a contractor a temporary account with limited permissions than to let them use someone else's account, because that removes your logging and audit trail.
Consulted Sources:
Dutch Civil Code (Burgerlijk Wetboek, BW). Article 7:661 (Employee liability).
Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority. The human factor in security and oversight in the workplace. autoriteitpersoonsgegevens.nl
NEN 7510-1:2017 (Section 7: Human factors).