Sunday, April 26, 2026
Admin
Cyber Risk

COM-B Behavioral Change Model: Why Clinical Staff Bypass Security Controls and What to Do About It

The Behavioral Root of Healthcare's Biggest Security Gap

Every healthcare CISO has seen it: shared credentials on sticky notes, workstations left unlocked in patient bays, clinicians forwarding PHI through unsanctioned messaging apps, and MFA prompts dismissed with workarounds. The instinct is to respond with stricter policies, more training, and harsher penalties. But decades of behavioral science tell us that knowledge and punishment alone rarely change behavior — especially among professionals operating under extreme cognitive load, time pressure, and moral urgency.

Enter the COM-B model, developed by University College London researchers Susan Michie, Maartje van Stralen, and Robert West. COM-B posits that for any behavior to occur, three conditions must be present: Capability (the knowledge and skills to perform the behavior), Opportunity (the environmental and social conditions that enable it), and Motivation (the reflective and automatic drivers that energize the behavior). When clinical staff bypass security controls, at least one of these conditions is failing — and the intervention must match the deficit. This model gives CISOs a diagnostic lens far more powerful than "people are the weakest link."

Diagnosing Security Bypass Through COM-B

Capability Deficits: They Don't Know How — or Why

Capability encompasses both psychological capability (knowledge, comprehension, cognitive skills) and physical capability (the physical ability to perform the action). Many clinicians receive annual HIPAA Security Rule training that checks a compliance box under 45 CFR §164.308(a)(5) but fails to build genuine understanding of why specific controls exist or how to comply within real clinical workflows. A nurse who understands that a session timeout protects ePHI but has never been shown how to quickly re-authenticate using a proximity badge lacks the practical capability to comply without disrupting patient care. NIST CSF's Awareness and Training category (PR.AT) explicitly calls for role-based training — not generic slide decks. Map your training to actual clinical personas and workflow scenarios.

Opportunity Deficits: The Environment Makes Compliance Harder Than Bypassing

This is where most healthcare security programs fail catastrophically. Opportunity includes both physical opportunity (technology design, workflow integration, time) and social opportunity (cultural norms, peer behavior, leadership signals). When an EHR requires seven clicks and a password re-entry to resume a charting session mid-code, the system itself is creating a behavioral barrier to compliance. When every other nurse on the unit shares a login "because that's how we've always done it," the social environment normalizes the bypass. CIS Control 6 (Access Management) and HITRUST CSF control 01.b (User Registration) demand proper access governance, but implementation must account for the clinical reality. If the secure path is slower than the insecure path, the insecure path will win every time.

Motivation Deficits: They Don't Feel It Matters — or They Feel Something Else Matters More

Motivation in COM-B includes both reflective motivation (conscious beliefs, risk perception, professional identity) and automatic motivation (emotional responses, habits, impulses). Clinicians are trained to prioritize patient safety above all else. When security controls are perceived — rightly or wrongly — as obstacles to care delivery, the clinician's deepest professional motivation overrides compliance. This isn't negligence; it's a predictable consequence of competing motivational hierarchies. Framing cybersecurity as a patient safety issue, not an IT issue, directly addresses reflective motivation. The FAIR (Factor Analysis of Information Risk) model can help quantify and communicate the patient harm scenarios that result from security bypasses, making the risk tangible rather than abstract.

Designing Interventions That Actually Work

Match the Intervention to the Deficit

The COM-B model's companion tool, the Behaviour Change Wheel, maps specific intervention types to each COM-B component. CISOs should use this systematically:

For Capability gaps: Deploy simulation-based training embedded in clinical workflow tools. Partner with clinical informatics to create micro-learning moments at the point of care. Align with NIST CSF PR.AT-1 by ensuring all personnel understand their security responsibilities in context.

For Opportunity gaps: Conduct workflow analysis before deploying controls. Implement tap-to-authenticate badge solutions, SSO across clinical applications, and context-aware access policies that reduce friction. CIS Control 16 (Application Software Security) and HITRUST's usability principles should guide secure-by-design clinical IT. Restructure the physical and digital environment so the path of least resistance is also the secure path.

For Motivation gaps: Engage clinical champions and nurse leaders as security advocates, leveraging social motivation. Use real incident narratives — a ransomware event that delayed chemotherapy, a data breach that exposed a psychiatric patient's records — to create emotional salience. Integrate security metrics into quality and safety dashboards, positioning cybersecurity alongside infection control and medication safety.

Measure Behavior, Not Just Awareness

Traditional security programs measure training completion rates and phishing simulation click rates. COM-B demands that we measure actual behavioral change: reduction in shared credential usage, session lock compliance rates, unauthorized application installation trends, and secure messaging adoption. These metrics align with HIPAA Security Rule evaluation requirements under §164.308(a)(8) and provide evidence for HITRUST assessment readiness. Use technical telemetry — endpoint logs, access audit trails, DLP alerts — as behavioral data sources, not just compliance artifacts.
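As an added illustration of treating access audit trails as behavioral data (this is example code, not from the article or any product), the script below parses a constructed workstation authentication log and derives two of the metrics named above: a shared-credential signal (one account holding overlapping sessions on different workstations) and a session lock compliance rate (sessions the user locked deliberately versus sessions left to the idle timeout). The log format, event names and account names are assumptions chosen for the example.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample audit trail (not from the article): time, event, account, workstation.
# LOGIN opens a session; LOCK (user locked it) or TIMEOUT (system idle timeout) closes it.
SAMPLE_LOG = """\
2026-04-20T07:58:10 LOGIN   rn_jones ICU-WS01
2026-04-20T08:02:45 LOGIN   rn_jones ICU-WS03
2026-04-20T08:40:00 LOCK    rn_jones ICU-WS01
2026-04-20T08:41:12 TIMEOUT rn_jones ICU-WS03
2026-04-20T09:00:00 LOGIN   md_patel ED-WS07
2026-04-20T09:35:00 TIMEOUT md_patel ED-WS07
2026-04-20T09:36:30 LOGIN   md_patel ED-WS07
2026-04-20T10:10:00 LOCK    md_patel ED-WS07
"""

def parse_sessions(log_text):
    """Pair each LOGIN with the next LOCK/TIMEOUT for the same account and workstation."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        ts, event, account, workstation = line.split()
        when = datetime.fromisoformat(ts)
        key = (account, workstation)
        if event == "LOGIN":
            open_sessions[key] = when
        elif event in ("LOCK", "TIMEOUT") and key in open_sessions:
            sessions.append({"account": account, "workstation": workstation,
                             "start": open_sessions.pop(key), "end": when,
                             "closed_by": event})
    return sessions

def shared_credential_signals(sessions):
    """Count overlapping sessions of one account on different workstations: a shared-login indicator."""
    counts, by_account = {}, {}
    for s in sessions:
        by_account.setdefault(s["account"], []).append(s)
    for account, sess in by_account.items():
        for a, b in combinations(sess, 2):
            if (a["workstation"] != b["workstation"]
                    and a["start"] < b["end"] and b["start"] < a["end"]):
                counts[account] = counts.get(account, 0) + 1
    return counts

def lock_compliance_rate(sessions):
    """Share of closed sessions the user locked deliberately rather than leaving to the idle timeout."""
    if not sessions:
        return 0.0
    return sum(s["closed_by"] == "LOCK" for s in sessions) / len(sessions)
```

In the sample, rn_jones is flagged once for concurrent sessions on two ICU workstations, and only half of all sessions ended with a deliberate lock; the md_patel re-login ninety seconds after a timeout is the kind of friction signal a workflow analysis would follow up on.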

From Blame to Behavioral Design

The COM-B model shifts the conversation from "why won't clinicians follow the rules?" to "what conditions are we failing to create?" This reframing is not soft — it is rigorous, evidence-based, and operationally actionable. Healthcare CISOs who adopt behavioral science frameworks will design controls that clinicians actually use, build security cultures that sustain themselves, and demonstrate to regulators and boards that their programs address root causes rather than symptoms. In a threat landscape where human behavior remains the primary attack surface, COM-B is not an academic exercise. It is a strategic imperative.
