A private hospital in the South-West sacked a member of its records team on a Friday. HR did the paperwork, security collected the ID card, and everyone moved on. Three weeks later the IT lead noticed the man's account logging into the patient database at odd hours, from outside the building. Nothing had been stolen yet. But for twenty-one days, a person the hospital had shown the door still held a key to its most sensitive room, and no one had thought to change the lock.
That gap, between the day someone leaves and the day their access actually dies, is where insider risk lives. It rarely looks like a thriller. It looks like an account that should have been switched off and was not, because the part of offboarding that touches IT happens last, or never. Under the Nigeria Data Protection Act (NDPA), a hospital is the data controller for every patient record it holds, and it carries a duty to ensure only authorised people can reach that data. A live login for someone who no longer works there is, in plain terms, a breach of that duty waiting to be noticed.
The leaver is the dangerous end of the lifecycle
A new nurse who cannot log in on her first shift will be at the IT office before lunch. That is why hospitals get joiners right: the complaint arrives the same day. Movers are noisier still, since a doctor locked out of a ward she has just transferred to makes noise until it is fixed. The leaver is different. No one is inconvenienced by an account that should have died but did not, so no one reports it. The silence is the problem, and it is exactly the silence an attacker, or the leaver herself, is counting on.
For the full joiner-mover-leaver workflow (who requests an account, who approves it, who provisions it), see our companion piece on running the EHR account lifecycle. This post sits at the sharp end: what happens, and what should happen, the moment someone walks out for the last time.
Why offboarding fails inside a Nigerian hospital
The failure is almost never one big oversight. It is a string of small, ordinary handovers that each assumed someone else would finish the job.
- Shared ward logins. A single account used by the whole night shift cannot be tied to one leaver. You cannot revoke what you cannot attribute, so the account simply stays on, and the departed staff member still knows the password.
- Vendor-held admin credentials. The EHR was installed by a contractor who set up admin accounts and, in many cases, still holds them. When a hospital IT officer leaves, the vendor is rarely told, and any credential that person shared with the vendor lives on outside the building.
- WhatsApp groups and informal channels. Rotas, lab results, even snapshots of patient files move through staff WhatsApp groups. A leaver removed from the payroll is often still in three of those groups a month later, with everything already on their phone.
- The HR-to-IT gap. HR knows the person has left. IT holds the keys. If the only link between them is a memo that may or may not be read, the account waits. This is the twenty-one-day story above, in one sentence.
The fix is a same-day deprovisioning checklist that triggers the instant a termination is confirmed, not at the end of the month's reconciliation. At minimum:
- Disable the user's individual accounts across the EHR, email, and any clinical systems on the day of departure.
- Reset the password on every shared account the person could touch, and treat that as non-negotiable for dismissals.
- Revoke remote access (VPN, remote-support tools) and terminate active sessions, not just future logins.
- Notify the EHR vendor in writing to revoke or rotate any credential the leaver held or shared.
- Remove the person from WhatsApp groups, shared drives, and distribution lists, and collect any hospital device.
- Record the time each step was completed, so there is an audit trail showing the gap was closed.
Catching the returning insider
Prevention is the goal, but you should assume a step will be missed and build a second line that catches it. The returning insider leaves fingerprints, if anyone is reading the logs.
The single most useful control is an access review of recent leavers. Once a week, pull the list of staff HR recorded as departed and check each name against active accounts and recent login activity in the EHR. The hospital in our opening would have caught its problem on day one of doing this rather than day twenty-one. Audit logs answer the questions that matter after the fact: which account touched which record, from where, and at what hour. A records clerk's credential logging in from a residential connection at 1am is not subtle once you are actually looking.
Set a small number of alerts that fire on the patterns insiders produce: logins from a recently terminated account, access at unusual hours by non-clinical roles, and bulk record views that do not match a person's normal workload. None of this needs expensive tooling. It needs the logs turned on and a named person whose job is to read them.
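A sketch of the weekly leaver review and two of the alert patterns above (logins from a terminated account, odd-hour access by non-clinical roles), added here as an illustration and not taken from any hospital's or vendor's tooling. The CSV column names, role labels, working-hours window and sample rows are all assumptions constructed for the example; bulk record views are left out because they need a per-user baseline.

```python
import csv, io
from datetime import datetime, time

# Constructed sample exports, not real data; column names are assumptions.
HR_LEAVERS = "staff_id,last_day\nR104,2024-03-01\nN220,2024-03-10\n"
EHR_ACCOUNTS = ("username,staff_id,role,status\n"
                "rclerk4,R104,records,active\n"
                "locum7,N220,clinical,disabled\n"
                "clerk9,R150,records,active\n")
LOGINS = ("timestamp,username,source\n"
          "2024-03-02T01:12:00,rclerk4,external\n"
          "2024-03-09T23:40:00,locum7,internal\n"
          "2024-03-12T02:05:00,clerk9,internal\n")

CLINICAL_ROLES = {"clinical"}            # assumed role labels
DAY_START, DAY_END = time(6), time(20)   # assumed normal hours for non-clinical staff

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_leavers(hr_csv, accounts_csv, logins_csv):
    """Return a list of (username, finding) pairs for the weekly review."""
    last_day = {r["staff_id"]: datetime.fromisoformat(r["last_day"]).date()
                for r in rows(hr_csv)}
    accounts = {a["username"]: a for a in rows(accounts_csv)}
    findings = []
    # Check 1: any account belonging to a recorded leaver that is not disabled.
    for user, acct in accounts.items():
        if acct["staff_id"] in last_day and acct["status"] != "disabled":
            findings.append((user, "leaver account still enabled"))
    # Check 2: login activity that matches the alert patterns.
    for ev in rows(logins_csv):
        acct = accounts.get(ev["username"])
        if acct is None:
            findings.append((ev["username"], "login by account not in EHR export"))
            continue
        when = datetime.fromisoformat(ev["timestamp"])
        left = last_day.get(acct["staff_id"])
        if left is not None and when.date() > left:
            findings.append((ev["username"], f"login after last day from {ev['source']}"))
        elif acct["role"] not in CLINICAL_ROLES and not DAY_START <= when.time() < DAY_END:
            findings.append((ev["username"], "odd-hour login by non-clinical role"))
    return findings

if __name__ == "__main__":
    for user, finding in review_leavers(HR_LEAVERS, EHR_ACCOUNTS, LOGINS):
        print(f"{user}: {finding}")
```

The comparison is by calendar date, so a login on the last day itself is not flagged; for dismissals, record a termination time rather than a date and compare against that.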
The insider who never meant harm
Not every insider risk is a disgruntled leaver. The quieter danger is the account that simply outlives its purpose. A locum doctor covers a two-week gap and her account is never disabled. A house officer rotates out and the login follows him nowhere, yet still works. A clerk is promoted and keeps the access from her old desk on top of the access for her new one, year after year, until she can reach half the hospital.
These dormant, orphaned and over-broad accounts are the unattended doors of the building. They are not malicious, but they are exactly what an attacker, or a returning leaver who borrowed a colleague's password, will use. A periodic review that asks one blunt question of every account, "does this person still need this, today?", removes most of them. Under the NDPA's expectation that access be limited to what each role genuinely requires, that review is not housekeeping. It is part of the duty.
- The leaver stage has no alarm. Joiners complain when access is missing; departed staff never call to say their account was left on. Build the check yourself, because no complaint will trigger it.
- Offboarding fails in the gaps. Shared ward logins, vendor-held credentials, WhatsApp groups, and a loose HR-to-IT handover are where the access survives a termination.
- Deprovision the same day. Disable individual accounts, reset shared passwords, kill active sessions and remote access, and tell the EHR vendor, all on the day of departure.
- Read the logs for returners. A weekly access review of recent leavers plus alerts on odd-hour and out-of-building logins turns a silent breach into a same-day catch.
- Mind the quiet accounts. Dormant locum logins, orphaned rotations, and over-broad promotions are insider risk without intent. A periodic "still needed today?" review clears them.
- It is an NDPA duty, not a favour. As data controller, the hospital must keep patient access limited to authorised persons, and a live ex-employee account fails that test.
Pull your list of last quarter's leavers and check it against active EHR accounts today. The login you do not expect is the one worth finding.