Healthcare and the cyber risk of having a high staff turnover

Residential care providers reported the highest levels of turnover with a third of staff leaving their roles within a twelve-month period (2019-2020).

This does not just cause a crisis in terms of patient care but could also contribute to a cyber incident as well.

Photo of care working taking blood pressure of elderly lady

What type of cyber incident?

- Data breaches - where ex-employees can still access patient records

- Data compromise - whereby cyber criminals could use old accounts to gain entry to systems and potentially steal, change, or delete data


How does it happen?

Staff need to be able to access patient data for them to care effectively for their charges. But what happens to that access when a member of staff leaves, or they change roles and no longer need that same access that they had?

Photo of storage door with text "This door blocked"

If permissions are not removed, then the employee could still access this data, even after they have left the company, leading to a data breach. And although this might not cause any problems as the employee never tries to access the data, what happens if the ex-employee is disgruntled and wants to do something to bring your company into disrepute?


If that employee has weak passwords, such as using the same password across multiple sites, and this password becomes known to criminals through a data breach at a different company, then that criminal might try the same credentials in your network. If it is an old account, you might not have implemented new security controls or be away of the new activity.

Photo of people discussing a paper between two laptops

What can you do?

- Have a clear policy outlining what happens when a staff member leaves or changed role. This needs to be shared with both IT and HR with a clear communication channel between these departments being essential. You don’t want to have IT notified two weeks after a person leaves your employment, that’s two weeks of access that they shouldn’t have.

- Enable Two Factor Authentication (2FA). 2FA means that even if someone leaves, some else can’t use those details to access your system as they won’t have your employee’s second verification factor. If you want to know more about 2FA, watch our short video.

- Speak to your staff about the expectations that you have for cyber security – such as not reusing passwords or using your company email for personal accounts. Show them haveibeenpwned.com and get everyone to check their current compromise. We offer affordable staff awareness training, tailored to your company, through our local university students, who are trained and mentored by senior ethical hackers. Just contact us for a free no obligation quote.

- Have internal logging so you know what normal looks like you’re your users and can be aware of any odd activity. If you haven’t got anything currently consider using the National Cyber Security Centre’s Logging Made Easy (LME). LME is an open-source project, hosted on the NCSC's github page. It provides a practical way to set up basic end-to-end Windows monitoring of your IT estate.


Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.