Threat Profile: Healthcare Worker
As a doctor, psychologist, or social worker you have legal obligations around patient data and professional secrecy. How do you protect patient data and communicate securely in healthcare?
This profile is for doctors, nurses, psychologists, therapists, social workers, and others who work with patient data. The healthcare sector is a primary target for cybercriminals — and your obligations go beyond technical measures alone.
Legal framework
Medical professional secrecy
Your duty of confidentiality is legally protected. Patient data may not be shared without consent — not with family, not with colleagues not involved in the treatment. The specifics vary by jurisdiction, but the principle is universal in professional healthcare ethics.
Data protection law (GDPR in Europe)
Health data is a special category — the highest level of data protection. Data breaches must be reported to the relevant supervisory authority within 72 hours, and under certain circumstances to the affected individuals as well.
Sector-specific standards
In the Netherlands, NEN 7510 (information security in healthcare) is effectively mandatory for healthcare organisations. In other countries, similar standards apply (ISO 27001/27799, HIPAA in the US).
Regulatory oversight
Healthcare regulators can take enforcement action after incidents. Data breaches at healthcare providers are taken seriously.
Threat analysis
Ransomware is the primary threat
Hospitals and healthcare organisations are disproportionately targeted by ransomware. Dutch hospitals have been hit (OLVG, Maastricht UMC). Criminals know that hospitals cannot wait — treatments continue, systems need to be available quickly. They demand higher ransoms and receive payment more often than in other sectors.
High value of patient data
Medical records are worth more on black markets than credit card data. They contain names, national ID numbers, insurance data, medication history — enough for years of identity fraud.
The human link
Phishing targeting healthcare workers is a primary attack vector. A fake email from “the EMR system” or “IT support” can be convincing in a busy clinical environment.
Checklist
Work devices
- Use only approved devices for patient data — never a personal phone without encryption
- Auto-lock after short inactivity — an unattended screen showing patient data is a data breach
- Log in with your own account, never a shared account — accountability requires traceability
- Use your organisation’s VPN when accessing EMR systems remotely
Communication
- WhatsApp is not suitable for patient-related communication — this is a common mistake in healthcare
- Use systems your organisation has approved for patient communication
- For external parties: encrypted email or a secure portal
- Don’t discuss patient data in public spaces — waiting rooms, lifts, the cafeteria
Passwords and access
- Unique password per system — a compromised EMR account shouldn’t cascade to email
- 2FA wherever the system supports it
- Revoke access immediately when someone leaves — this frequently goes wrong
Data breaches
- Know what the reporting process is within your organisation
- A misdirected email containing patient data is already a reportable breach
- Also report near-misses — it helps the organisation recognise patterns
Communication with patients
Patients sometimes send sensitive information via email or WhatsApp — diagnoses, medication lists, results. How do you handle this?
- Establish clearly which channel your organisation uses for patient communication
- Never send medical information back via an unsecured channel just because a patient used one
- Actively direct patients to secure alternatives (patient portals, approved messaging apps)
Independent healthcare practitioners
If you work outside an organisation, the same rules apply — but you’re responsible for implementation yourself:
- Encrypted device (BitLocker on Windows, FileVault on Mac)
- Separate encrypted storage for patient records — not on your personal desktop
- Consider GDPR-compliant cloud storage (Proton Drive, Tresorit) for patient records
- Understand the breach reporting obligation — as the data controller, you’re the contact point
Tools
| Purpose | Tool | Note |
|---|---|---|
| Password manager | Bitwarden / KeePassXC | KeePassXC for offline, Bitwarden for teams |
| Encrypted storage | Proton Drive / Tresorit | GDPR-compliant, EU servers |
| 2FA | Aegis Authenticator | Offline, open source |
| Secure email | Proton Mail | For external communication |
See also:
- Threat Profile: Small Business — data protection obligations for independents
- Bitwarden Review — password management for the practice
- KeePassXC Review — offline alternative
- Proton Drive Review — GDPR-compliant storage