Key Highlights
- Integrators must bridge IT/Facilities divide or lose major projects: Integrators embedding cyber awareness into physical deployments will win while traditional contractors get sidelined—map integrations early, engage IT during design (not at substantial completion), standardize documentation, require MFA for vendor access, and communicate risks in clinical workflow terms.
- Physical and cybersecurity are now one operational failure domain in healthcare: Access control servers crashing during peak shifts become patient safety incidents, while compromised video surveillance VLANs enable ransomware attacks—enhanced liability as everything now runs on IP infrastructure.
- Healthcare digitized faster than security teams adapted: COVID accelerated smart hospital integration while FDA/DHS increased medical device cybersecurity scrutiny, but physical security hasn't received the same rigor.
- Common vulnerabilities stem from undefined ownership: Nobody knows if Facilities or IT owns the problem when systems break or vulnerabilities surface.
This article originally appeared as the cover story in the January 2026 issue of Security Business magazine.
Hospitals have always been among the most complex environments in which to design and deploy security systems. They operate 24/7, blend public and restricted spaces, rely on interdisciplinary teams, and handle some of society’s most vulnerable populations.
Over the past decade, a healthcare security shift has quietly taken place – one that many integrators, facility leaders, and security consultants have not fully acknowledged. Healthcare security is no longer a physical problem or a cyber problem; it is one problem, and the separation of the two has become a liability.
The industry’s legacy structure – the facilities department managing cameras and access control, and the IT team managing networks and patient data – was workable when the systems were separated. Today, everything lives on an IP network. A card reader communicates over the same wired infrastructure as clinical workstations. Video streams traverse the same network as electronic health record queries. Even patient monitoring, duress alerting, and environmental controls now depend on the same connectivity stack that supports enterprise IT.
This intertwining has created a new reality in healthcare facilities: A failure in cybersecurity can immediately cascade into physical risk, and a failure in physical systems can expose digital assets.
Most healthcare organizations are not prepared for that overlap, and many integrators are not properly trained for it either. As the market quickly moves to smart hospitals, AI-powered analytics, and unified identity management, this issue is quickly becoming paramount for all stakeholders involved, and it means IT and physical security convergence is no longer “optional” in healthcare.
While this creates challenges for traditional security integrators, those challenges are not insurmountable; in fact, integrators are a key component in our industry’s push to create safer, more resilient healthcare environments.
When a Physical Outage Becomes a Cyber Incident and Vice Versa
Consider a scenario that has happened at more than one hospital in recent years: An access control server crashes during peak shift. Card readers go offline. Staff cannot enter behavioral health units or medication rooms. Pharmacy technicians are stuck outside controlled zones. Nurses waiting to get through secure doors are forced to detour, causing delays in care delivery.
Technically, this is a cyber outage, a server issue; but operationally, it is a patient safety incident.
Another example: Consider a video surveillance system that is reachable through an unsegmented VLAN shared with a vendor’s remote support tools. A malicious actor compromises a third-party endpoint and suddenly has visibility into patient areas, facility entrances, and loading docks – information that could support a criminal event or ransomware attack.
Technically, this is a physical security device vulnerability; but functionally, it is a cyber breach with clinician implications.
These examples illustrate a fundamental truth: Healthcare facilities no longer experience “physical failures” and “cyber failures” – they experience operational failures that instantly travel across domains. Physical and cybersecurity no longer operate independently; their failure modes overlap, and so should their design, governance, and prevention strategies.
The Historical Divide That No Longer Works
The challenge begins with organizational history. For decades, healthcare organizations have operated under a predictable division of labor, with Facilities owning the doors, cameras, alarms, patient-wandering sensors, and the building automation systems; Information Technology owning the network, servers, cybersecurity policies, and digital identity; and clinical operations focused on patient experience and care delivery, not infrastructure.
This division of labor made sense when systems were analog or air-gapped, but as IP-based access control, networked cameras, wireless duress, telemedicine platforms, and connected medical equipment emerged, the physical infrastructure moved squarely into the world of IT.
In modern hospitals, nearly every physical security asset is now a digital endpoint. The badge someone scans at the staff-only elevator communicates across hospital switches. The camera monitoring ED patient flow traverses VLANs that also serve clinical workstations. Infant protection systems tie into networked sensors and software-based event management.
Yet, the roles and processes never caught up. Many hospitals still expect Facilities to oversee procurement and maintenance of security hardware, even though the hardware now requires VLAN segmentation, port security, firmware updates, credential management, network monitoring, event logging, SIEM integration, and secure remote access policies.
At the same time, many IT teams are not fully aware of how physical systems behave, how uptime affects patient care, or how integrations across security domains fundamentally differ from traditional workstation or server deployments.
Integrators feel this gap acutely. This gap is where risk grows and where integrators often find themselves as the de facto bridge. They are the ones standing in telecom rooms configuring devices that IT believes should behave like workstations, and that Facilities believes should behave like building systems. They are the ones attempting to secure endpoints that both teams touch, but neither fully owns. And they are the ones who must translate risk across stakeholders who historically never needed to communicate at this depth.
Healthcare Is Digitizing Faster Than Security Teams Are Adapting
Healthcare’s shift toward a digitally integrated model isn’t theoretical; it is already here. COVID-19 accelerated digital transformation across healthcare, but security technology has been quietly undergoing its own digital revolution as well, in four distinct ways:
1. Clinical operations are now digital-first: Nurse call, fall-detection analytics, real-time location systems (RTLS), infant protection, and remote patient monitoring all run on network infrastructure. They share space – and threat exposure – with physical security devices.
2. Smart hospitals are becoming the new standard: Integration between BAS, lighting, access control, cameras, AI analytics, and environmental sensors is no longer futuristic; it is happening now, driven by patient experience, energy efficiency, and staffing pressures.
3. Medical device cybersecurity has become a federal priority: The FDA and DHS have both increased scrutiny of medical device vulnerabilities, and many of these same cyber risks apply equally to video cameras and access panels; however, the industry has not applied the same rigor.
4. AI is pushing security technology further toward IT: AI-driven video analytics, anomaly detection, and workflow automation depend on cloud services, APIs, and compute resources – squarely in IT’s jurisdiction. Integrators deploying AI tools must understand incident response, data privacy, and network architecture.
These four shifts place hospital security systems at the crossroads of physical impact, cyber risk, and clinical dependency, but most organizational structures were never built for this level of convergence.
Why Integrators & Consultants Must Lead This Transformation
Healthcare organizations are busy, complex, and resource-constrained. Most do not have the bandwidth to redesign governance models themselves; thus, integrators and consultants – especially those involved early in design and construction – have become essential to bridging the gap.
There is a real knowledge gap: Many integrators and physical security teams have never been formally trained on network segmentation, zero-trust principles, vendor access controls, API security, secure configuration baselines, or data governance. At the same time, many IT professionals have never been trained on life-safety risk, access maturity models, behavioral health considerations, camera placement logic, or operational workflows in specialized clinical spaces.
Integrators already touch both worlds: Every day, integrators install network-connected devices, configure communication protocols, manage user credentials, perform firmware updates, and integrate with IT systems (Active Directory, SIEM, IAM). Whether they realize it or not, they are performing tasks that, if done incorrectly, create cyber exposure.
Consultants are the first line of prevention: Through design specifications, convergence requirements, coordination with architects, and owner standards development, consultants can set the conditions for a more aligned security posture before hardware even arrives on-site.
Without shared language, shared priorities, and shared governance, the convergence the healthcare market needs cannot happen.
The Most Common Vulnerabilities
Through our work across hospitals, behavioral health facilities, medical education environments, and regional health systems, we repeatedly see similar gaps and vulnerabilities in convergence. Every one of these common issues is solvable, but only through collaboration.
Unsegmented networks: Access control, cameras, RTLS tags, and duress devices sitting on the same VLAN as guest Wi-Fi or office workstations.
Outdated firmware and unpatched devices: Security systems historically receive far less patch governance than IT-managed equipment.
Shared or default credentials: Vendor logins reused across systems, or default passwords left in place.
Undefined ownership: When something breaks, or when a vulnerability is discovered, nobody knows whether Facilities or IT is responsible.
Insecure remote access: Vendor VPNs, remote desktops, or cloud dashboards with insufficient MFA or visibility.
Lack of logging and integration with SIEM (Security Information and Event Management): Physical events that should be part of cybersecurity investigations remain isolated in proprietary logs.
Integrations without risk review: This involves linking access control to Identity and Access Management, linking cameras to AI cloud analytics, or linking duress to clinical dashboards without assessing what data moves where.
A Model Converged Healthcare Security Program
In hospitals that are embracing convergence well, you see alignment in the way systems are governed, not just configured. Facilities, IT, and clinical leadership share responsibility for understanding the infrastructure that supports care.
Digital and physical identity systems are treated as one program, not two. Access control changes flow through the same governance model as changes to clinical applications. Network segmentation is strategically designed around operational needs, not just switch-port availability.
A truly converged approach is not just about connecting systems; it is about aligning governance, risk management, and operational priorities in several ways. This is the path forward, and integrators and consultants are uniquely positioned to help hospitals get there:
Joint governance between IT, Facilities, and security: A unified committee (CISO + Facilities Director + Security Director) oversees policies, purchasing decisions, vendor access approvals, and system roadmaps.
Shared asset inventories: Every device (camera, door reader, workstation, server, RTLS node) is documented with firmware version, IP address, location, dependencies, and risk rating.
Network segmentation and zero-trust architecture: Physical security devices live on dedicated, protected networks with strict access rules and endpoint monitoring.
Clear ownership of patching, updates, and incident response: Facilities no longer patch devices “when they have time.” IT no longer ignores access control alerts during cyber incidents. Roles are defined, documented, and rehearsed.
Secure baseline configurations for new deployments: Specifications require secure defaults: MFA for consoles, encrypted communications, strong passwords, monitored logs, and access governance standards.
Early collaboration during design and construction: Integrators, consultants, architects, and IT stakeholders align early on expectations – before submittals, fiber contracts, or device placements are finalized.
Continuous monitoring and improvement: Systems are treated like IT assets, with lifecycle planning, end-of-support tracking, and risk-based replacement strategies.
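One way to turn the shared asset inventory and the common gaps listed earlier into a repeatable check, shown as an added example that is not from the original article. The field names, zone labels, firmware minimums, and sample records are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory; field names and values are assumptions.
INVENTORY = [
    {"name": "acs-server-01", "type": "access_control", "ip": "10.20.5.10", "firmware": "4.2.1",
     "owner": "IT", "default_creds": False, "vendor_remote": True, "vendor_mfa": True},
    {"name": "cam-ed-014", "type": "camera", "ip": "10.30.8.44", "firmware": "2.0.3",
     "owner": "", "default_creds": True, "vendor_remote": True, "vendor_mfa": False},
    {"name": "rdr-pharm-02", "type": "door_reader", "ip": "10.20.5.31", "firmware": "1.9.0",
     "owner": "Facilities", "default_creds": False, "vendor_remote": False, "vendor_mfa": False},
]

# Constructed network plan: subnet -> zone label.
SUBNET_ZONES = {
    "10.20.5.0/24": "physical_security",
    "10.30.8.0/24": "guest_wifi",
}

# Constructed minimum supported firmware per device type.
MIN_FIRMWARE = {"access_control": "4.0.0", "camera": "2.1.0", "door_reader": "1.9.0"}

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def zone_for(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, zone in SUBNET_ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "unmapped"

def audit(inventory):
    """Return {device name: [gap labels]} for devices with at least one gap."""
    findings = {}
    for dev in inventory:
        issues = []
        if zone_for(dev["ip"]) != "physical_security":
            issues.append("unsegmented")
        if version_tuple(dev["firmware"]) < version_tuple(MIN_FIRMWARE[dev["type"]]):
            issues.append("outdated_firmware")
        if dev["default_creds"]:
            issues.append("default_credentials")
        if not dev["owner"]:
            issues.append("undefined_owner")
        if dev["vendor_remote"] and not dev["vendor_mfa"]:
            issues.append("remote_access_without_mfa")
        if issues:
            findings[dev["name"]] = issues
    return findings
```

Calling `audit(INVENTORY)` on the sample data flags only the camera that sits in the guest Wi-Fi subnet, and the same record shows the other four gaps at once.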
Six Practical Steps Integrators Can Take Now
To support convergence in healthcare environments, integrators don’t need to become cybersecurity experts; however, they do need to operate with a convergence mindset. Here are six steps that can be implemented immediately:
1. Map Every Integration and Dependency: List what systems talk to which networks, which servers are on-premises vs. cloud, and which devices rely on shared infrastructure. This is the simplest way to expose hidden risks.
2. Build Basic Cyber Awareness into Every Project Team: Train technicians, PMs, and support staff on the fundamentals, such as ports, VLANs, default credentials, secure remote access, password hygiene, and update cycles.
3. Standardize Documentation: Create repeatable documentation templates for device inventories, network diagrams, firmware logs, and integration points. This reduces confusion between Facilities, IT, and vendors.
4. Engage IT Early: Don’t wait until two weeks before substantial completion to involve IT. Bring them in during design, submittals, and network planning.
5. Set Clear Boundaries for Vendor Access: Require MFA, audit logs, and time-bound access windows for all remote vendor support.
6. Communicate Like a Partner, Not a Contractor: Explain risks, articulate dependencies, and align system behavior with clinical workflows. When integrators elevate the conversation, the customer elevates the program.
The Future: Convergence as a Clinical Enabler
Security has historically been seen as a cost center – necessary, but separate from patient care. Convergence changes that. When physical and cyber systems are properly aligned, hospitals can improve emergency response times, reduce workplace violence, protect sensitive patient information, support staff efficiency and mobility, enable operational analytics, simplify compliance, and create safer healing environments.
In this future, security is not just a set of systems; it is a clinical asset. It supports patient flow, protects caregivers, strengthens resiliency during crises, and reduces operational friction across the facility. The organizations that embrace convergence will be the ones that deliver safer, more efficient, and more trustworthy care.
The healthcare sector is moving toward a world where every system is connected, every workflow is digital, and every device is a potential attack surface. Hospitals cannot navigate this alone. They need partners who understand both the built environment and the digital domain.
Integrators and consultants sit at that intersection. Those who adapt, who learn the language of IT, who embed cyber awareness into physical deployments, who collaborate early and communicate clearly, will not only reduce risk but differentiate themselves in a rapidly shifting market. Those who do not will find themselves on the outside of major healthcare projects, watching more converged-minded competitors take the lead.
About the Author
Michael Niola, PSP, CPTED, is Principal and Co-founder of Consulting Group LLC, a security consulting and engineering firm focused on delivering holistic solutions for the built environment. https://theconsulting.group

