When it comes to identity access management, most hospitals and healthcare providers are doing it all wrong.

At least that's according to a new report, conducted by security software provider IS Decisions, which found that despite HIPAA security rule which requires covered entities to implement technical policies around access management the lion's share of staff are struggling big time.

In fact, some 63 percent of them say they are able to log on to different devices and workstations at the same time. About half of them are required to log off manually, and about 30 percent do not have unique login credentials.

[See also: Identity access management tips from the security pros.]

What's perhaps even more concerning is that a staggering 82 percent of healthcare staff say they have access to patient data, but just under a third of them actually don't have unique logins for the access.

There's also serious training shortcomings for both new and current employees, as the report delineated. About 29 percent of healthcare staff had no security training whatsoever when they were onboarded, and only 55 percent of current professionals say they received security training.

"Information of this critical and confidential nature should only be accessible by authorized users and it really should not be a complicated process," said Francois Amigorena, CEO of IS Decisions, in a press statement. "This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing."

It's a tall task, but it needs to be a priority, said Bobby Stokes, HCA's AVP of identity access management, in a recent Healthcare IT News webinar on the topic. Stokes is in charge of managing a single-sign on implementation that has 130,000 users each month.

"What's an ally and an employee one day may be a contractor or an outside force the next," added Stokes, this past winter. "And you have to deal with that."

Access the IS Decisions report here.