Why physical device security is becoming a patient privacy issue in health care

Kensington

By Arivan Ahmad*
Friday, 13 February, 2026



As health care continues its rapid digital transformation, conversations around patient privacy have understandably focused on cyberthreats, including ransomware attacks, phishing scams and system breaches. Yet one of the most immediate and preventable risks to patient data often goes overlooked: the physical security of the devices clinicians rely on every day.

As mobile and hybrid work becomes embedded across hospitals, clinics and allied health settings, unsecured laptops, tablets and shared workstations are increasingly exposing sensitive patient information to unintended eyes and hands.

The frontline privacy risk hiding in plain sight

Healthcare environments are uniquely vulnerable. Devices are routinely used across wards, nurses’ stations, shared offices, staff rooms and offsite locations such as outreach clinics and home visits. In these fast-paced settings, screens displaying patient records can be visible to passers-by, and devices are often left unattended, even briefly.

Recent global research, commissioned by Kensington, into workplace security highlights the scale of the issue. More than three-quarters of organisations have experienced device theft in the past two years, with the figure rising significantly in hybrid working environments.[1] In health care, where every device may contain protected health information, a single stolen or exposed screen can trigger serious privacy, legal and operational consequences.

The impact is not theoretical. Around one-third of organisations affected by device theft report legal or regulatory repercussions, while others experience productivity loss, system downtime and reputational damage.[1] With the average global cost of a data breach now approaching US$5 million,[2] the stakes for healthcare providers are especially high.

Visual hacking: an underestimated threat

While stolen devices present an obvious risk, visual hacking, sometimes referred to as “shoulder surfing”, is a quieter but equally dangerous threat.

Digitisation has dramatically increased the volume of sensitive information displayed on screens throughout the day. As clinicians move between workstations or work in shared or public-facing areas, it becomes easier for unauthorised individuals to glimpse patient data simply by being nearby. In busy hospitals, even fellow staff without clearance may inadvertently see information they shouldn’t.

Nearly one in four IT leaders now identify visual hacking as a growing concern,[1] particularly in environments where mobility and collaboration are essential. In health care, where confidentiality is foundational to patient trust, a single visual exposure can be just as damaging as a cyber intrusion.

Physical security as a core privacy control

What this data makes clear is that patient privacy cannot be protected by digital controls alone. Physical device security must be treated as a frontline defence, not an afterthought.

Organisations that implement basic physical safeguards, such as securing devices when unattended and limiting screen visibility, are significantly less likely to experience breaches linked to unsecured hardware. These measures are also widely recognised by IT leaders as among the most cost-effective ways to reduce privacy risk, especially when compared to the financial and operational impact of a breach.

For healthcare providers, this is not just about compliance; it is about continuity of care. Lost or compromised devices can disrupt clinical workflows, delay access to patient records and place additional strain on already stretched teams.

Preparing for a stricter privacy future

Globally, privacy regulation is trending towards stronger protections, tougher penalties and higher expectations around organisational accountability. While Australia’s Privacy Act already places clear obligations on healthcare providers, international developments suggest these requirements may continue to tighten, particularly around consent, data handling and breach prevention.

In this context, healthcare organisations must ensure their workforce is equipped to work securely wherever care is delivered. This includes recognising that privacy risks extend beyond networks and servers to the physical environments in which clinicians operate every day.

A timely opportunity for healthcare leaders

Healthcare leaders should reassess how patient information is protected in practice, not just in policy. Reviewing how devices are secured, how screens are positioned and how staff are supported to work safely in mobile and shared environments can significantly reduce exposure to preventable privacy breaches.

Protecting patient data is ultimately about protecting trust. By elevating physical device security to its rightful place alongside cybersecurity, healthcare organisations can strengthen privacy outcomes, reduce risk and support clinicians to deliver care with confidence in an increasingly digital world.

1. Secure Your Devices, Protect Your Data — White Paper & Key Findings, Kensington, Vanson Bourne Research, 2024.

2. Secure Your Devices, Protect Your Data — Infographic, IBM Cost of a Data Breach 2024 / Circana Data on Security Cable Pricing.

*Arivan Ahmad, Product Manager at Kensington Australia 

