Sunday, June 14, 2026

The COM-B Model: Why Clinical Staff Bypass Security Controls and What to Do About It

The Paradox of Clinical Security Noncompliance

Every health system CISO has encountered the same frustration: comprehensive security controls in place, staff training completed, policies distributed—and yet clinicians continue to prop open secured doors, share login credentials, and disable multi-factor authentication because "it slows down patient care." The problem isn't ignorance or apathy. It's a fundamental mismatch between how security systems are designed and how clinical work actually happens.

This behavioral gap is costly. Breach reporting for 2023 listed 725 large healthcare breaches (500 or more records each) exposing more than 130 million records, with human error and noncompliance cited as contributing factors in over 60% of incidents. Yet traditional compliance-focused approaches—stricter policies, more audits, mandatory training—often fail to move the needle on actual behavior change. The issue isn't that staff need more fear; it's that security controls haven't been designed with behavior change science in mind.

The COM-B model offers health system leaders a more effective path forward.

Understanding the COM-B Framework

COM-B is a behavioral science framework developed by health psychologist Susan Michie and colleagues (Michie, van Stralen and West, 2011) to explain why people do (or don't do) things. The acronym stands for Capability, Opportunity, and Motivation—three conditions that must all be present for a behavior to occur. In healthcare security, this translates directly:

Capability: Can Clinical Staff Actually Comply?

Psychological capability means staff understand what they're being asked to do and why. Physical capability means staff have the practical skill, time and stamina to carry out the required steps during real clinical work. Most health systems assume both exist; most clinicians say they don't. A cardiologist who spends a large share of her shift navigating authentication screens, finding the right EMR window, or working around broken single sign-on may have the knowledge to comply but lacks the practical ability to do so while maintaining patient throughput. NIST CSF 2.0's Govern function and CIS Control 6 (Access Control Management) both assume controls that staff can actually operate; controls that impose excessive overhead become liabilities when clinicians circumvent them entirely.

Opportunity: Does the Environment Support Secure Behavior?

Physical opportunity refers to the design of the technical and physical environment. Social opportunity refers to cultural norms and peer behavior. A nurse in a busy ICU observes colleagues sharing credentials to access critical labs faster. Leadership doesn't visibly enforce consequences. Workstations remain unlocked between shift changes because the unit is understaffed. The social norm becomes: "everyone does it." No amount of individual training overcomes an environment where insecure behavior is the path of least resistance and carries minimal perceived risk. Zero Trust architecture principles (verifying every access request, regardless of network location) create opportunity structures that reduce the ability to bypass controls—but only if the underlying workflows are redesigned to accommodate zero-trust verification without clinical slowdown.

Motivation: Why Should They Comply?

Reflective motivation involves deliberation: weighing consequences, values, and goals. Automatic motivation involves habits and emotional responses. Most health system security training activates reflective motivation ("HIPAA violations can result in fines") but ignores automatic motivation. Clinicians feel frustrated, time-pressured, and unsupported—emotions that drive the automatic override of controls. Meanwhile, no immediate positive reinforcement rewards secure behavior. Effective motivation strategies in healthcare must acknowledge that clinicians' primary value—delivering patient care—is not in conflict with security; rather, security should be reframed as enabling care quality and patient trust.

Applying COM-B to Your Organization: Practical Steps

1. Diagnose the Actual Barriers

Don't assume why staff bypass controls. Conduct structured interviews with 20-30 clinicians across departments using open-ended questions: "What gets in the way of following [specific control]?" Listen for gaps in capability (unclear procedures), opportunity (slow systems, unwritten workarounds), and motivation (competing priorities, lack of visible consequences). Map findings to COM-B dimensions. This diagnosis informs targeted interventions rather than blanket policy tightening.

2. Redesign Workflows and Systems (Opportunity)

Partner with clinical informatics to redesign workflows that embed security without adding steps. Example: Instead of re-prompting for MFA on a fixed four-hour timer regardless of context, implement adaptive (risk-based) authentication that challenges only when a request carries risk: an unenrolled device, access from outside the clinical network, or a sensitive record. This reduces friction while maintaining control strength, with one caveat: on shared clinical workstations, device trust must not be mistaken for user trust, so the session has to be bound to the individual (for example, badge tap-in with a per-user session) before a "known device" is allowed to skip a challenge. Align authentication mechanisms with clinical task sequences. Work backward from the clinician's priority (fast access to patient data) and build security into that pathway, not alongside it.
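To make the trade-off concrete, the following is an added example (not code from the original article) that compares a fixed four-hour MFA timer with a risk-adaptive step-up policy over one constructed 12-hour shift. The device names, the time windows, the "sensitive record" flag and the shift itself are assumptions chosen for illustration; a real deployment would take device trust from the identity provider's enrollment data and sensitivity from the EHR's data classification. The baseline deliberately models a session that is not bound to the device, which is the situation on a shared workstation without per-user tap-in.

```python
"""Fixed-interval MFA vs risk-adaptive step-up: a policy comparison (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

FIXED_INTERVAL = timedelta(hours=4)            # the "MFA every four hours" baseline from the text
SENSITIVE_REAUTH = timedelta(hours=8)          # assumed: strong auth once per shift for sensitive records
UNKNOWN_DEVICE_REAUTH = timedelta(minutes=15)  # assumed: short grace after step-up on an unenrolled device
SESSION_MAX = timedelta(hours=12)              # assumed: hard cap on any session, whatever the context


@dataclass(frozen=True)
class Access:
    t: datetime            # time of the request
    device: str            # device identifier presented with the request
    on_clinical_net: bool  # request originates from the hospital network
    sensitive: bool        # record carries elevated sensitivity (e.g. behavioral health notes)


class Session:
    """Tracks when the user last completed a strong (MFA) authentication."""

    def __init__(self, enrolled_devices, login_time):
        self.enrolled = frozenset(enrolled_devices)
        self.last_strong_auth = login_time  # assume MFA was completed at initial login

    def since_strong_auth(self, t):
        return t - self.last_strong_auth


def fixed_policy(session, access):
    """Baseline: challenge whenever the last MFA is older than FIXED_INTERVAL."""
    return session.since_strong_auth(access.t) > FIXED_INTERVAL


def adaptive_policy(session, access):
    """Risk-based: challenge on unenrolled devices, off-network access and sensitive
    records; leave routine on-network work on an enrolled device alone."""
    age = session.since_strong_auth(access.t)
    if age > SESSION_MAX:
        return True                          # hard cap regardless of context
    if access.device not in session.enrolled:
        return age > UNKNOWN_DEVICE_REAUTH   # unenrolled device: challenge unless just done
    if not access.on_clinical_net:
        return age > UNKNOWN_DEVICE_REAUTH   # remote access: same short grace
    if access.sensitive:
        return age > SENSITIVE_REAUTH        # sensitive record: once per shift
    return False                             # routine record, enrolled device, on-network


def run_shift(policy, session, accesses):
    """Apply a policy to a sequence of accesses; completing a challenge resets the timer.
    Returns the indices of the accesses that triggered a challenge."""
    challenged = []
    for i, a in enumerate(accesses):
        if policy(session, a):
            challenged.append(i)
            session.last_strong_auth = a.t
    return challenged


def simulated_shift():
    """Constructed shift: routine EHR work every 30 minutes on the enrolled ICU
    workstation, one early access from an unenrolled tablet, and one sensitive
    record lookup late in the shift."""
    start = datetime(2024, 3, 4, 7, 0)
    accesses = [Access(start + timedelta(minutes=30 * k), "ws-icu-01", True, False)
                for k in range(1, 24)]  # 07:30 .. 18:30
    accesses.append(Access(start + timedelta(minutes=40), "tablet-unknown", True, False))
    accesses.append(Access(start + timedelta(hours=9, minutes=45), "ws-icu-01", True, True))
    accesses.sort(key=lambda a: a.t)
    return start, accesses


def summarize(accesses, challenged, enrolled):
    """Where did the challenges land: on routine work, or on the risk events?"""
    hit = [accesses[i] for i in challenged]
    return {
        "total": len(hit),
        "routine": sum(1 for a in hit if a.device in enrolled and not a.sensitive),
        "unknown_device": any(a.device not in enrolled for a in hit),
        "sensitive": any(a.sensitive for a in hit),
    }


def compare_policies():
    start, accesses = simulated_shift()
    enrolled = {"ws-icu-01"}
    fixed = run_shift(fixed_policy, Session(enrolled, start), accesses)
    adaptive = run_shift(adaptive_policy, Session(enrolled, start), accesses)
    return {"fixed": summarize(accesses, fixed, enrolled),
            "adaptive": summarize(accesses, adaptive, enrolled)}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(name, result)
```

Both policies interrupt the clinician twice over the shift, but the fixed timer spends both interruptions on routine work and never challenges the unenrolled tablet, while the adaptive policy spends them on the tablet and on the sensitive lookup. That is the redesign the text describes: not fewer controls, but controls placed where the risk is.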

3. Simplify and Communicate Capability

Replace annual training with just-in-time, task-specific guidance. When a clinician faces an unusual access scenario, deliver a 30-second explanation via their workstation—not a 60-minute e-learning module. Use peer-led education; a respected senior clinician explaining a security practice to junior staff carries more weight than compliance staff. Document the "why"—connect security controls to patient privacy and care quality, not regulatory punishment.

4. Shift Social Norms and Reinforce Motivation

Publicly recognize departments with the best security compliance records. Share anonymized data showing which units achieved fast response times *while* maintaining zero control bypasses, proving the false choice between security and speed is solvable. Senior clinical leaders—chief medical officers, nursing directors—must visibly support security practices. When motivation stems from respected peers and trusted leaders, not just policies, automatic motivation shifts.

5. Measure Behavior, Not Just Compliance Metrics

Track meaningful indicators: unauthorized credential sharing incidents, average time to complete access requests, and clinician-reported workflow friction. FAIR (Factor Analysis of Information Risk) and NIST CSF guidance on measurement emphasize understanding the business context of risk decisions. A 15% increase in MFA adoption means little if 85% of clinicians still find workarounds. Measure actual behavior change and its relationship to breach risk reduction.
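One of the indicators above, credential sharing, can be measured from session audit logs rather than self-report: the same account active on two different workstations at the same time is the usual signature. The following is an added example (not code from the original article) that parses constructed EHR session lines, pairs logins with logouts, flags overlapping sessions on different workstations, and aggregates incidents per unit for exactly the kind of departmental comparison the text recommends. The log format, usernames, workstation and unit names are all invented for the example; adapt the pattern to what the EHR or identity provider actually emits.

```python
"""Detecting concurrent use of one account on different workstations (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed audit format: "<ISO timestamp> LOGIN|LOGOUT user=<id> ws=<workstation> [unit=<unit>]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) ws=(?P<ws>\S+)(?: unit=(?P<unit>\S+))?$"
)

# Constructed sample: rnjones is active on two ICU workstations at once (twice);
# drsmith moves between cardiology workstations sequentially, which is not sharing.
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGIN user=rnjones ws=WS-ICU-03 unit=ICU
2024-03-04T08:05:40 LOGIN user=rnjones ws=WS-ICU-07 unit=ICU
2024-03-04T08:31:02 LOGOUT user=rnjones ws=WS-ICU-03
2024-03-04T08:47:19 LOGOUT user=rnjones ws=WS-ICU-07
2024-03-04T09:00:00 LOGIN user=drsmith ws=WS-CARD-01 unit=CARD
2024-03-04T09:20:00 LOGOUT user=drsmith ws=WS-CARD-01
2024-03-04T09:22:00 LOGIN user=drsmith ws=WS-CARD-02 unit=CARD
2024-03-04T09:40:00 LOGOUT user=drsmith ws=WS-CARD-02
2024-03-04T14:00:00 LOGIN user=rnjones ws=WS-ICU-03 unit=ICU
2024-03-04T14:30:00 LOGIN user=rnjones ws=WS-ICU-09 unit=ICU
2024-03-04T15:00:00 LOGOUT user=rnjones ws=WS-ICU-09
malformed line the parser must skip
"""


def parse_events(lines):
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:  # not a session event (or malformed): skip rather than crash
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                       "user": m["user"], "ws": m["ws"], "unit": m["unit"]})
    events.sort(key=lambda e: e["ts"])
    return events


def build_sessions(events):
    """Pair LOGIN/LOGOUT per (user, workstation). A LOGIN without a later LOGOUT is an
    open session (end=None): a workstation left unlocked, as the text describes."""
    open_by_key, sessions = {}, defaultdict(list)
    for e in events:
        key = (e["user"], e["ws"])
        if e["event"] == "LOGIN":
            if key in open_by_key:  # re-login on the same workstation closes the earlier session
                open_by_key.pop(key)["end"] = e["ts"]
            s = {"user": e["user"], "ws": e["ws"], "unit": e["unit"], "start": e["ts"], "end": None}
            open_by_key[key] = s
            sessions[e["user"]].append(s)
        elif key in open_by_key:
            open_by_key.pop(key)["end"] = e["ts"]
    return sessions


def overlap_minutes(a, b):
    """Whole minutes both sessions were active; None if both are still open."""
    start = max(a["start"], b["start"])
    ends = [s["end"] for s in (a, b) if s["end"] is not None]
    if not ends:
        return None
    end = min(ends)
    return int((end - start).total_seconds() // 60) if end > start else 0


def find_concurrent_use(sessions):
    findings = []
    for user, sess in sessions.items():
        sess = sorted(sess, key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a["ws"] == b["ws"]:
                    continue  # same workstation: a reconnect, not two people
                if a["end"] is not None and b["start"] >= a["end"]:
                    continue  # b began after a ended: clinician walked to another room
                findings.append({"user": user, "unit": b["unit"] or a["unit"],
                                 "ws": (a["ws"], b["ws"]), "at": b["start"],
                                 "overlap_min": overlap_minutes(a, b)})
    findings.sort(key=lambda f: f["at"])
    return findings


def incidents_per_unit(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["unit"]] += 1
    return dict(counts)


def analyze(log_text=SAMPLE_LOG):
    findings = find_concurrent_use(build_sessions(parse_events(log_text.splitlines())))
    return findings, incidents_per_unit(findings)


if __name__ == "__main__":
    found, per_unit = analyze()
    for f in found:
        print(f"{f['at']:%H:%M} {f['user']} on {f['ws'][0]} and {f['ws'][1]} ({f['overlap_min']} min)")
    print(per_unit)
```

Treat the output as an indicator, not a verdict: a clinician who walks away from an unlocked workstation and logs in elsewhere produces the same signature as a colleague borrowing the badge, which is why the text pairs the metric with structured interviews. Tracked per unit over time, the count also shows whether a workflow redesign actually moved the behavior, which an MFA adoption percentage cannot.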

Compliance and Risk Management Alignment

COM-B thinking integrates naturally with existing compliance frameworks. HITRUST certification requirements for access controls and security awareness become easier to sustain when behaviors are actually supported by capability, opportunity, and motivation—not just policy language. HIPAA's Security Rule mandates access controls and sanction policies but doesn't prescribe how clinicians must interact with them. Applying COM-B ensures your controls meet both the spirit and practice of HIPAA requirements.

Conclusion

The clinical staff member who bypasses a security control is rarely a malicious insider; the bypass is usually a symptom of a system design failure. The COM-B model redirects your organization from blaming individuals to fixing the environment. When clinical staff have the capability, opportunity, and motivation to comply, security becomes embedded in daily work rather than an obstacle to it. This shift—from compliance theater to behavioral redesign—is where real risk reduction begins.
