How Inadequate Key Control Puts Hospital Patients at Risk

From ransomware attacks to workplace violence, ensuring hospital security is more challenging than ever. You likely mitigate external cybersecurity threats by backing up your data and improving your network security. You’ve probably also invested in physical security measures like cameras, metal detectors, public safety officers, and training.

But how well do these tactics prevent internal threats involving employee and vendor access? Let’s take a look at how inadequate key control intensifies three major risks to your facility and your patients.

 

Major Hospital Risks

 

 

Employee pilferage accounts for 22% of drug thefts or losses. In separate cases in Colorado, two nurses were charged with stealing controlled substances from hospital patients. On three or four occasions, one of the nurses used a key to open a machine used to administer medication and removed some of the drug.

 

When medical professionals abuse their access privileges to steal narcotics, the CDC warns that patients suffer substandard care and infection risks. In light of these risks, the DEA does not take drug diversion lightly. Healthcare systems that have been investigated by the DEA for recurrent problems with drug diversion due to lax controls and lack of reporting have faced settlements for millions of dollars. For example, a medical center in New Hampshire paid $2 million and one in Kentucky paid $4.39 million after failing to keep accurate records of opioids. Consider how well your controls could withstand an investigation in a similar situation.

 

Theft of devices or supplies is another risk that could affect patients' well-being and increase your liability. When a device containing personally identifying information is stolen, the cost is steep. IBM’s Cost of a Data Breach Report 2025 found that the healthcare industry’s average cost of a data breach is $7.42 million — the highest of all industries for the 12th year in a row.

 

But it’s not just data at risk. For example, two hospital employees and a medical supply distributor put the public’s health at risk when they conspired to steal medical devices and supplies from the hospital and sold them online. One of the employees used their access to the medical supply and the cleaning and disinfecting rooms at the hospital to steal the items. Some of the supplies had been used in surgical procedures and hadn’t been disinfected.

These examples demonstrate that employee accountability is critical to protecting patients.

Staffing Shortages and Burnout

Turnover and burnout has reached critical levels in the healthcare industry. Over the past five years, the average hospital experienced a 107% employee turnover rate. Meanwhile, as staff struggle to cover essential patient care, access control and other operational processes can fall behind.

At best, this issue makes staff’s jobs harder when they don’t have access to areas or supplies they need to do their jobs. At worst, it leaves the door open for staff, contractors, or visitors to exploit key and access control vulnerabilities.

---

📖 Related Reading

Don’t Let Employee Turnover Sabotage Your Key Control 

---

Mitigating Risks With Key Control

Some employees have a legitimate need to access keys to areas where narcotics, sensitive data, or other sensitive assets are stored. But consider these questions:

• Are you certain employees always use their keys for the authorized purpose?
• Can other employees gain access to those keys?
• Do you have a reliable process for retrieving keys when an employee resigns?

To protect your facility from liability and protect patients’ well-being, it’s critical to maintain employee accountability. The best way to do so is to create an automatic audit trail of key use that’s not vulnerable to human error or manipulation. Electronic key control systems help you meet this objective.

Unlike traditional key storage methods such as desk drawers or pegboards, electronic key control systems typically consist of a metal drawer or wall-mounted panel that physically locks down keys. Some even allow you to set up access levels to ensure that people are only retrieving the keys they need to perform their job duties.

In addition, if someone checks out a key outside their shift hours when they have no need to do so, or if they have a key checked out for longer than they should, you can be immediately alerted by text or email. The system is fully automated, so if a security incident occurs, the automatic audit trail can aid in an investigation by providing a report of who checked out keys and when.

If employees abuse their access privileges and you don’t have adequate key control measures in place, are you prepared to answer to patients whose health or privacy has been compromised? Can you absorb the cost of compliance fines, rising insurance costs, and more?