Critical security controls were found to be either non-compliant with internal security and risk policies or missing from devices 15 percent of the time in the analysed healthcare PCs.