A new dissertation argues that patient data protection depends on aligning technology, staff behavior, and organizational processes.
A doctoral dissertation published by the University of Vaasa concludes that healthcare cybersecurity will remain fragile unless human behavior, technology, and organizational routines are treated as a single system. Researcher Pius Ewoh examined cybersecurity practices in healthcare settings and found that technical controls alone are insufficient to prevent breaches. His work discusses how staff training gaps, inconsistent processes, and legacy systems combine to create persistent exposure, even in digitally mature healthcare environments.
Ewoh’s research focused on socio-technical risk rather than software vulnerabilities alone. He found that everyday actions, such as responding to phishing messages, using non-standard applications, or working around unclear procedures, often introduce more risk than system flaws. These behaviors become more dangerous when paired with outdated infrastructure or third-party tools that lack consistent security oversight. The study also noted that regulatory compliance does not automatically translate into resilience, particularly when policies are poorly communicated or when audits are infrequent. Even in Finland, which is considered advanced in healthcare cybersecurity, gaps remain around legacy systems and external applications.
In the dissertation, Ewoh and co-authors wrote that the study “confirmed the 3 factors of vulnerabilities to cyberattacks (technology, humans, and processes) from the lens of the sociotechnical systems theory in health care systems.” The research noted that human-related risks often stem from routine behavior, stating that “insiders can introduce threats and vulnerabilities through inadvertent actions, such as inappropriate behavior, clicking phishing links, and falling victim to cyber threats.” The authors also pointed to training gaps, writing that “health care cybersecurity training implementations are largely misdirected,” with a focus on IT staff while “neglecting health care–based professionals,” a gap they said contributes to ongoing exposure in clinical environments.
Ewoh’s conclusions align with findings from other recent healthcare security research that point to people and process failures as the primary drivers of risk. A 2024 peer-reviewed study published in Computers & Security found that many healthcare incidents stem from routine operational behavior rather than advanced technical attacks. The authors wrote that “human and organizational factors remain a dominant cause of security incidents in healthcare environments,” citing misconfigured systems, inconsistent access controls, and everyday handling errors as recurring contributors. The study says that security breakdowns often occur when staff are working under pressure, using workarounds, or dealing with unclear procedures, reinforcing the idea that cybersecurity resilience depends as much on organizational discipline and training as it does on technology.
A Paubox SMB report points out that not all healthcare data risk comes from external attackers. Internal actors, whether through negligence or the misuse of legitimate access, continue to contribute to patient data exposure. The report found that more than half of insider fraud incidents in healthcare involve employees stealing customer data they were already authorized to access. It also noted growing concern among IT teams, with 82% of healthcare IT leaders saying alert fatigue increases the risk that staff will miss a warning or bypass a security step. Even basic mistakes can carry consequences. Paubox cited cases where something as simple as emailing unencrypted PHI to the wrong recipient resulted in OCR fines and corrective action plans, showing how operational strain can turn routine errors into reportable incidents.
Healthcare staff interact constantly with email, patient records, and third-party systems, which increases exposure to phishing, misdirected data, and access errors.
Compliance helps establish baseline controls, but it does not address the behavioral risks or process failures that often lead to breaches.
A socio-technical approach assesses security across human behavior, organizational processes, and technical systems as interconnected components.
Older systems may lack security updates, modern authentication controls, or compatibility with newer monitoring tools.
Healthcare organizations can increase staff training, conduct regular audits, clarify policies, improve communication between departments, and assess third-party applications more rigorously.