In May 2025, the management of a private hospital in South-West Nigeria received a wake-up call. A dismissed staff member was caught remotely accessing some patient records weeks after his termination from the facility. The incident was contained and access revoked, but it highlighted a dangerous truth: there were no cybersecurity controls in place to protect the most sensitive part of the hospital's operations; patient data.
This is the story of how that hospital began its journey from zero security awareness to implementing basic, effective cybersecurity measures to safeguard patient information and regain trust.
Step 1: Acknowledging the Risks
The hospital had always assumed that because its electronic health records (EHR) system wasn't publicly advertised, it was safe. In reality, default credentials, exposed services, and unrevoked user access meant the system was wide open.
With Clarensec's guidance, hospital leadership initiated a risk assessment. We mapped out their IT environment, catalogued users with system access, and reviewed data storage practices. The results were eye-opening:
- Shared administrator passwords.
- No audit logs or access tracking.
- No policy for removing access when staff leave.
- Patient files stored unencrypted on network drives.
Step 2: Implementing Basic Security Controls
After conducting a thorough penetration test, we recommended and helped implement five foundational security controls:
1. Access Control Policies
The hospital introduced role-based access controls (RBAC). Now:
- Staff can only access data they are authorized to.
- Nurses and administrative staff have access strictly limited to their functions.
- IT staff access is logged and reviewed weekly.
- Access is removed immediately when an employee resigns, is fired, or changes roles.
One of the first actions taken was the deletion of credentials belonging to former employees.
2. Unique User Accounts & Password Policy
Gone are the days of "Admin/Admin123." Each staff member now has a unique username and password. The hospital also enforced:
- Minimum password complexity.
- Password expiration every 60 days.
- Account lockout after five failed attempts.
3. Device Security and Network Segmentation
- Conduct privilege escalation checks and backdoor checks on all endpoints.
- Secure all endpoints with antivirus and local firewalls.
- Segment the network to isolate patient data from Wi-Fi used by visitors and non-clinical staff.
- Implement internal segmentation to prevent malware spread.
4. Staff Training & Awareness
All staff, from front desk to consultants, underwent basic cybersecurity training. They learned:
- Why password sharing is dangerous.
- How phishing attacks can happen through WhatsApp.
- The importance of logging out of shared systems.
5. Logging and Monitoring
- Admin login attempts are now logged and reviewed.
- USB usage on sensitive systems is restricted and monitored.
- Suspicious activity triggers email alerts to the IT lead.
The Result: A Culture Shift
Within three months, the hospital moved from unmanaged, vulnerable systems to a secure, monitored environment. Most importantly, there was a shift in culture, staff now understand that protecting patient data is part of their duty of care.
No cybersecurity program is ever "complete," but this hospital's journey proves that with the right mindset and guidance, any health institution in Nigeria can take meaningful steps toward securing its systems.
Final Thoughts
At ClarenSec, we believe that protecting patient privacy is not optional; it's a moral, legal, and professional obligation.
If your hospital has never conducted a cybersecurity assessment, now is the time. Start small, but start now.
Start small, but start now. Your patients are counting on you.
