Habits can be hard to break; we get it. Especially when they’re habits we’ve developed at work. We can’t blame clinicians for these bad habits though. They’re just taking on actions that they’re seeing. Some poor habits can develop over time, especially with the demands that come with patient-care and constantly changing healthcare regulations. These poor security habits can lead to a patient data breach incident.

One thing is for sure; you don’t want to leave any patient data exposed―ever. Some of your employee’s habits might be leaving patient data exposed. This is likely unintentional, but we don’t want to see this happen to you. If you were a patient, you wouldn’t want your information left available to any prying hands.

According to this HIPAA journal article, 2016 was a particularly painful year for healthcare data breaches with more than 16 million records being exposed. Most of these, happening in health provider settings.

Here are some of the top bad habits:

1) Leaving workstations unlocked can lead to patient data breach.

We get it; locking your workstation every 10 minutes can be a pain, especially if you’re just grabbing a patient file, or stepping into the other room for a minute. A minute, however, is all it takes for someone with ill-intentions to get what they need, or glance at your workstation screen. IT administrators can set workstations to lock after a few seconds of inactivity, though the length of time will depend on your organization’s needs. Getting into the practice of locking workstations all the time, modeling the good behavior. And not being afraid to remind people if they forget will help keep workstations locked when they need to be. This is also a HIPAA violation that could result in fines. Make sure to lock workstations automatically when users leave.

2) Using an intranet that doesn’t require a password.

Many healthcare offices and hospitals are using legacy technology and systems that have never needed a password. While it can be a large change for clinicians to get into the habit of remembering and entering a password to access internal company information, it’s one that’s non-negotiable today.

3) Sharing passwords at busy workstations.

Just like the habit of leaving workstations unlocked, having a common password for a workstation that’s used by multiple clinicians is also a poor practice. Each user or clinician should have a unique password. And through training and communications (both in team meetings and written), you can reinforce any changes to their workflow.

4) Password requirements are too simple.

According to 2014 a survey completed by TeleSign, almost 3 out of 4 consumers use duplicate passwords—many of which have stayed the same for five years or more. In addition to passwords being unique to individuals use passphrases, upper and lowercase letters, numbers, and special characters. When IT administrators set up systems for frequent password changes, and communicators share the importance of strong passwords, it’s another layer of security we’re adding to protect our patient data.

5) Not having a clear communication policy.

Nurses, doctors, and other clinicians communicate via text messaging. Texting fits into their lives easily as they’re already texting their friends and loved ones, and it saves them from using a separate communications tool that doesn’t fit into their daily habits. Instead of trying to stop texting, there are technologies and apps you can use that help your clinicians get their jobs done while keeping patient data safe.

Are your clinicians using personal email because they forget their password for their company email? Or are they using other communications channels that don’t require a workstation login? These are all critical parameters to outline when setting up your communications policy. Spell it out – even if you think something is understood or common knowledge.

6) Skipping training.

We completely understand that patient care is your top priority. When it comes time for clinicians to receive training on new policies or a new system or piece of equipment, it can be hard to take time out of their already packed day. Training on policies and systems that all help protect patient data, in the end, should be non-negotiable. To make training easier for everyone to attend, you can consider some training options that don’t involve a classroom―like on-demand learning, which teaches people how to use a particular piece of new software right where they’re using it. You can also explore printable guides and online learning.

When analyzing the habits that could be exposing PHI, we uncover uncomfortable truths about how people are handling data. As scary as it might be to do some digging, a patient data breach is much, much more terrifying. Learn more about good security system architecture.

Designing GateKeeper, Untethered Labs explored all of these bad habits and more to design a product that works in all the ways clinicians work ―with the common goal of keeping patient data secure. Login to your shared workstations and EHRs with lightning speed and auto-lock workstations when clinicians leave.