The policy says no shared logins. It is signed by the medical director, filed with the quality unit, and printed in the staff handbook. Walk onto the night shift of a busy medical ward in Lagos at 2am and you will find one account logged into the EMR on three workstations, the password written on a sticky note under the keyboard, used by every nurse, the house officer on call, and the locum who started yesterday and was never given a login of her own. Nobody on that ward is careless. They are coping. And the one person who could have noticed and fixed it is not the board, and not the IT manager three floors up. It is the ward manager standing right there.
Most hospital security programmes do not fail at the top. The board approves the budget, the policies get written, the awareness email goes out. They fail in the gap between that policy and the floor where care actually happens. That gap has a name on the org chart: the department head, the ward sister, the lab supervisor, the records officer, the pharmacy lead. This is the missing middle, and it is the part of the programme that decides whether any of the rest of it was real.
Why programmes die in the policy-to-floor gap
A security policy is a document about how people should behave. Behaviour is local. It happens at a specific nursing station, on a specific shift, under a specific workload, and it is shaped far more by what the person beside you does than by anything written in a handbook nobody opens twice. The board cannot see that station. The IT team sees a server log, not a sticky note. The only role with line of sight to the actual behaviour, and the authority to correct it without it being received as an outside accusation, is the unit manager.
Think about who staff listen to. A nurse will quietly ignore a circular from administration. She will not ignore her ward sister telling her, on the floor, that the shared login stops tonight and here is your own account. Authority in a hospital flows through clinical hierarchy, not through the IT department. That is exactly why a programme that routes entirely around the unit manager, straight from policy to frontline, lands as noise. The middle layer is not a nice-to-have in the chain of command. It is the conversion step where a rule becomes a habit.
What a ward, lab or records lead is actually accountable for
The question is not whether department heads should "care about security". It is which four things, specifically, are theirs to own. Strip away the slogans and the list is short and concrete.
- No-shared-logins enforcement, on the floor. The unit manager is the person who knows that bed 7's medication was charted under a login shared by four people, which means the audit trail is worthless. Closing this is a daily-habit job, not a one-time announcement. It means making sure every member of the unit has their own active account, chasing IT when a new starter does not, and refusing to let the shared account quietly come back when the rota gets tight.
- Inducting rotating and temporary staff. Hospitals run on movement: locums, NYSC postings, house officers rotating through every few weeks, agency cover at short notice. Central onboarding almost never catches them in time. The ward manager is the one who can say, in the first hour of a new face on the unit, "you do not use anyone else's login, you log out before you walk away, and if anything looks wrong you tell me." That thirty-second handover is the only induction many temporary staff will ever get.
- Building a local reporting habit. Whether a suspicious email or a misdirected discharge summary gets reported in two minutes or buried for two days depends almost entirely on whether the person who saw it believes their manager will treat it as help, not blame. The unit manager sets that climate. A reporting culture is not built by the CISO. It is built one "well done for flagging that" at a time.
- Surfacing workarounds upward. When staff invent an insecure shortcut, it is usually because the secure way is too slow or does not exist. The WhatsApp handover group, the USB stick of scans, the screenshot of a patient record sent to a consultant at home. The unit manager sees these because the unit manager works the floor. The job is to notice them and push them up to people who can fix the underlying tool, rather than punishing the staff who found a way to keep care moving.
Notice what is not on this list. The ward manager is not expected to configure a firewall, read a packet capture, or write policy. The middle layer's job is translation, in both directions: turning the policy into something that works on a real shift, and turning what they see on a real shift into something the people above them can act on.
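The shared-login problem described above also leaves a trace in the EMR's own access log, which is the one place the IT team can see it: one account logged into several workstations at the same moment, and sessions that nobody ever logged out of. The following is an added example (not code from the original article or from any EMR vendor) that replays a constructed login/logout log in a hypothetical format and surfaces both signals, so IT can hand the unit manager a concrete list of accounts and workstations rather than a restatement of the policy. The log format, account names and workstation IDs are assumptions; a real EMR's audit export will need its own parser in place of `parse_line`.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample EMR access-log lines (hypothetical format, not from any
# real EMR): one event per line with the account and the workstation it used.
SAMPLE_LOG = """\
2024-03-04T02:05:13 login user=ward7shared ws=WS-07A
2024-03-04T02:06:40 login user=ward7shared ws=WS-07B
2024-03-04T02:10:02 login user=n.okafor ws=WS-07C
2024-03-04T02:30:11 logout user=n.okafor ws=WS-07C
2024-03-04T02:31:00 login user=ward7shared ws=WS-07C
2024-03-04T03:15:45 logout user=ward7shared ws=WS-07A
2024-03-04T04:02:09 login user=a.bello ws=WS-07C
2024-03-04T04:40:00 logout user=a.bello ws=WS-07C
2024-03-04T06:00:00 logout user=ward7shared ws=WS-07C
"""


@dataclass
class Event:
    ts: datetime
    action: str   # "login" or "logout"
    user: str
    ws: str       # workstation identifier


def parse_line(line):
    """Parse one constructed log line into an Event."""
    ts, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(datetime.fromisoformat(ts), action, fields["user"], fields["ws"])


def replay(log):
    """Replay login/logout events in order, tracking which workstations each
    account is logged into at every moment.

    Returns (findings, active):
      findings: {user: (peak_workstations, first_overlap_time, workstations_at_peak)}
                for accounts logged in on more than one workstation at the
                same time, which one person at one bedside cannot be.
      active:   {user: {ws: login_time}} sessions still open when the log ends.
    """
    active = {}
    findings = {}
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        sessions = active.setdefault(ev.user, {})
        if ev.action == "login":
            sessions[ev.ws] = ev.ts
            count = len(sessions)
            if count > 1:
                prev = findings.get(ev.user)
                if prev is None:
                    findings[ev.user] = (count, ev.ts, sorted(sessions))
                elif count > prev[0]:
                    # keep the first time the overlap was seen, update the peak
                    findings[ev.user] = (count, prev[1], sorted(sessions))
        elif ev.action == "logout":
            sessions.pop(ev.ws, None)
    return findings, active


def find_concurrent_logins(log):
    """Accounts used from several workstations at once: the server-side trace of a shared login."""
    return replay(log)[0]


def sessions_open_at_end(log):
    """Accounts still logged in when the log ends: workstations nobody logged out of."""
    _, active = replay(log)
    return {user: sorted(ws) for user, ws in active.items() if ws}


if __name__ == "__main__":
    for user, (peak, first, stations) in find_concurrent_logins(SAMPLE_LOG).items():
        print(f"{user}: on {peak} workstations at once ({', '.join(stations)}), first seen {first:%H:%M}")
    for user, stations in sessions_open_at_end(SAMPLE_LOG).items():
        print(f"{user}: still logged in on {', '.join(stations)} at end of log")
```

On the sample log this reports `ward7shared` on three workstations at once from 02:06 and still logged in on WS-07B when the log ends, while the two named accounts, each used from one workstation and logged out, produce nothing. Run over a real export, the first list is the set of accounts the unit manager needs to close and replace with named logins, and the second is the list of workstations where the "log out before you walk away" handover has not yet become a habit.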
From floor observation to funded action
A ward sister notices the locums share a login because new accounts take three days. She mentions it to a colleague over tea. It dies there. That is the default fate of nearly every workaround spotted on a Nigerian hospital floor: seen, grumbled about, never moved an inch up the building to anyone who could fund the fix. The missing piece is not the noticing. It is the route from the noticing to a decision, and most hospitals have never drawn that route at all.
It runs in four steps. The unit manager observes the recurring workaround and names the friction behind it, not just the rule being broken: "we share the login because new locums wait three days for an account". That observation goes to whoever owns the system or the budget, framed as a process gap rather than a staff failing. A decision gets made and funded, whether that is a same-day account-provisioning route, a faster login at the bedside, or a secure handover tool that replaces the WhatsApp group. And the fix comes back to the floor with the unit manager reinforcing it, so the old workaround does not creep back the first busy night. Skip any step and you are back to a signed policy and a sticky note under the keyboard.
- Your four jobs: every staff member on the unit has their own login, rotating and temporary staff get a security handover on day one, suspicious activity is reported without fear, and insecure workarounds get pushed upward, not punished downward.
- Shared logins are yours to close. Under the NDPA, access to patient records must be attributable to a named, authorised person. A shared account breaks that, and the trail leads to your unit.
- Induct the locum in the first hour. Own login, log out before walking away, report anything odd to you. Thirty seconds, every new face.
- Reward the report. "Well done for flagging that" buys you a unit that tells you about the next problem early.
- Name the friction when you escalate. Take the workaround and the reason for it upward together, so the fix targets the tool, not the staff.
The same middle, outside the hospital
This layer is not a healthcare quirk. A bank branch manager occupies the identical position between head-office security policy and the teller floor, where a shared terminal session or an unverified caller can cost real money. A land registry supervisor sits between the data-protection rules and the clerk who actually pulls the file. Wherever a sensitive record meets a busy frontline, there is a missing middle, and the programmes that work are the ones that give that middle a defined job rather than routing past it. When our senior penetration testers walk a client's floor, the shared logins and the workarounds we find almost always trace back to a middle layer that was never told this was theirs to hold.
A policy nobody enforces on the floor is just a document waiting to be quoted after the breach.