by wallflower 2201 days ago
One of my friends works in healthcare. She told me once about how a coworker who worked at the hospital had gotten a certain test done there. This coworker looked up their results through the healthcare information system, and they were brought in to their supervisor to explain why they had committed a violation of the hospital system's HIPAA rules. In some hospitals, this might not be a violation and might, in fact, be allowable.

My answer is that any rootkit or phishing scheme that attempted to exfiltrate data from a client terminal would be detected by all the deeply ingrained automated and formal procedures and systems for monitoring/auditing/alerting on access and usage of the healthcare information system. Also, depriving the doctors and nurses of Facebook/website browsing would probably be a net negative for morale, most especially in these trying times of COVID-19.
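The monitoring the post credits with catching the coworker's lookup is, in practice, a review of the EHR access-audit trail. The following is an added example (not code from the poster or any hospital system) showing two of the common checks run over such a log: an employee opening their own record, and a lookup by someone with no documented treatment relationship to the patient. The log format, the `user=/patient=/action=` field names, the employee-to-record mapping and the care-team table are all constructed for the example.

```python
"""Audit-trail review for EHR access events (added example).

Constructed data throughout: the log format, user and patient ids, and the
care-team assignments are assumptions made for illustration, not taken from
any real healthcare information system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed log line shape: "<ISO timestamp> user=<id> patient=<id> action=<verb>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+patient=(?P<patient>\S+)\s+action=(?P<action>\S+)$"
)

# Constructed: employees who are also patients (employee id -> their own record id).
EMPLOYEE_PATIENT_IDS: Dict[str, str] = {"emp042": "pt-9001"}

# Constructed: documented treatment relationships (patient id -> care-team employee ids).
CARE_TEAM: Dict[str, Set[str]] = {
    "pt-9001": {"emp007"},
    "pt-3312": {"emp042", "emp019"},
}

# Constructed sample audit log; the fourth line is deliberately malformed.
SAMPLE_LOG: List[str] = [
    "2020-04-02T14:05:11Z user=emp042 patient=pt-9001 action=VIEW_RESULTS",
    "2020-04-02T14:07:40Z user=emp007 patient=pt-9001 action=VIEW_RESULTS",
    "2020-04-02T14:09:02Z user=emp019 patient=pt-3312 action=VIEW_CHART",
    "2020-04-02T14:09:05Z malformed record",
    "2020-04-02T14:12:58Z user=emp007 patient=pt-3312 action=VIEW_CHART",
]


@dataclass
class Alert:
    """One access event that tripped at least one review rule."""
    timestamp: str
    user_id: str
    patient_id: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_access_log(
    lines: List[str],
    employee_patient_ids: Dict[str, str],
    care_team: Dict[str, Set[str]],
) -> Tuple[List[Alert], int]:
    """Apply the self-access and care-relationship rules to each event.

    Returns the alerts in log order plus the count of lines that could not be
    parsed (unparseable audit records are themselves worth a follow-up).
    """
    alerts: List[Alert] = []
    skipped = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        reasons: List[str] = []
        # Rule 1: the employee opened the record that belongs to them.
        if employee_patient_ids.get(ev["user"]) == ev["patient"]:
            reasons.append("SELF_ACCESS")
        # Rule 2: no documented treatment relationship with this patient.
        if ev["user"] not in care_team.get(ev["patient"], set()):
            reasons.append("NO_CARE_RELATIONSHIP")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], ev["patient"], reasons))
    return alerts, skipped


if __name__ == "__main__":
    found, bad = review_access_log(SAMPLE_LOG, EMPLOYEE_PATIENT_IDS, CARE_TEAM)
    for a in found:
        print(f"{a.timestamp} {a.user_id} -> {a.patient_id}: {', '.join(a.reasons)}")
    print(f"unparseable lines: {bad}")
```

Run on the constructed log, the review flags emp042's lookup of pt-9001 (self-access, and emp042 is not on that patient's care team) and emp007's view of pt-3312 (no treatment relationship), while emp007 on pt-9001 and emp019 on pt-3312 pass. Whether a flagged self-access is escalated or simply recorded is a policy decision, which is the difference between hospitals the post alludes to; the detection itself is the same.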

1 comment

Have you ever heard of defense in depth? You need multiple layers of protection. Plenty of healthcare facilities have been hit with ransomware in recent years. This can happen from opening email or social media attachments, among other things.

Not using Facebook is standard for any profession and will surely get you fired at many companies (like the one I work at). They could use their smartphone on their break for internet.

The sort of security indifference or ignorance the OP describes is actually quite common in healthcare. I know someone who works in IT at a hospital, and he would tell me about the nightmare that it is to have medical staff follow common-sense security protocols (ironic, since the medical profession is all about following established protocols).