3.13.25 -SIW – Steve Lasky
Insights on integrating cybersecurity, physical security and training to safeguard healthcare facilities
The Skinny
- Escalating Security Threats: Healthcare facilities face rising workplace violence, cyberattacks targeting patient data, and insider threats, requiring a multi-layered security approach that integrates physical and cybersecurity measures.
- Budget Challenges & Strategic Investments: Hospitals must align security investments with organizational goals, explore alternative funding (e.g., grants), and prioritize cost-effective technologies like AI surveillance and cloud-based systems.
- Staff Training & Preparedness: A robust security posture depends on well-trained personnel; ongoing scenario-based training, de-escalation techniques, and trauma-informed approaches are essential for both physical and cyber threats.
- Collaboration & Proactive Measures: Strengthening partnerships with law enforcement, industry organizations, and cybersecurity teams ensures a holistic approach to threat mitigation, reinforcing healthcare security resilience.
Hospitals and healthcare facilities are under siege from an evolving array of security threats, both physical and digital. Cyberattacks targeting patient data, rising incidents of workplace violence, and budgetary constraints on security technology are creating a high-stakes environment for healthcare security professionals. Industry leaders stress that an integrated approach—encompassing cybersecurity, physical security, staff training, and strategic collaborations—is essential for ensuring patient and staff safety.
The Biggest Threats Facing Healthcare Security Today
A veteran healthcare security expert and chief consultant with WarSec, Bryan Warren notes that workplace violence remains one of the most pressing challenges. “While it may seem cliche at this point, workplace violence remains one of the top routine threats facing healthcare and social workers across the globe. This term includes a broad spectrum of activities, from simple verbal threats to caregivers up to and including terrorist attacks on hospitals. While somewhat less sensational, cyber-attacks, including the theft of protected health information for identity theft or targeted ransomware attacks for financial gain or service disruption, can be just as devastating to a healthcare facility if they are not sufficiently protected.”
Warren explains that the impact on caregivers is immense, and security strategies must reflect the reality that healthcare is an inherently high-risk industry.
Tony W. York, Executive Vice President of Healthcare at Paladin Security Group, agrees, emphasizing that patient-generated violence is an increasingly common occurrence across healthcare settings. “Nearly 50% of emergency physicians report being assaulted, and 70% of emergency nurses say they’ve been hit or kicked on the job,” York says. “This violence extends beyond emergency rooms and behavioral health units—it’s affecting every department, including ICUs, maternity wards, and even outpatient facilities.”
York goes on to say that the level of violence has intruded into all aspects of the healthcare delivery system, impacting clinical care providers and security staff not just in the emergency department or a dedicated behavioral health unit but in virtually every area of the hospital, including intensive care, mother-baby, surgical recovery, step-down, and general medical care floors. “Patient-generated violence is not limited to just the hospital proper, it is commonly found in outpatient clinics, ambulatory care centers, free-standing emergency departments, urgent care centers, and even home health and hospice,” he says.
Cybersecurity threats are equally pressing. Shawn Reilly, CPP, PSP, CHPA, CPD, Risk Evaluation and Security Training Program Development at Tech Systems Inc., and an expert in healthcare security risk assessment, points out that cyberattacks, particularly ransomware, can be as damaging as physical security breaches. “Cybercriminals are targeting healthcare facilities because of the high value of patient data,” Reilly says. “What’s often overlooked is the intersection between cyber and physical security. A surprising percentage of successful cyberattacks begin with a failure in physical security, like an unattended workstation or unsecured server room.”
Lisa Terry, a senior consultant at Vizient, adds that insider threats—whether malicious or unintentional—also pose a significant risk. “Data breaches caused by employees clicking on phishing links, stealing medical information, or mishandling patient records are a growing concern,” Terry notes. “Malicious or negligent actions by employees or contractors can compromise data or operations and are examples of insider threats. If not adequately secured, Internet of Things (IoT) vulnerabilities can exist with connected medical devices, video, and electronic access systems. These systems can be exploited as entry points for larger attacks.”
Balancing Budget Constraints with Security Investments
Hospital security budgets are often stretched thin, forcing security leaders to prioritize their investments carefully. York stresses that successful healthcare security programs link their security master plans with organizational strategies. “Security and overall employee well-being should be a fundamental underpinning of the strategic, cultural, and risk management plans curated by every health system. Where it is, significant investment into the overall protection posture is followed. For example, healthcare security programs that directly link their security master plans with the overall talent strategies of the health system are consistently finding much more success in obtaining the capital resources needed to invest in advanced security technology.” he explains that security shouldn’t just be a compliance checkbox—it should be part of a hospital’s cultural and strategic planning.
Yorks says: “However, those programs that fail to integrate their security plans with organizational culture, talent, and risk strategies are still being asked to ‘just do more with less.’”.
Warren agrees and highlights that security professionals should be included in early discussions about new technology. “Hospitals must be strategic about what new advanced security technology they bring in. They must look closely at not only the ROI but also how such systems might impact patient care and any potential threats that it might bring with it such as potential gateways that adversaries can use to infiltrate their networks,” he says. “One of the most important aspects regarding budgets and resource allocation is how organizational leadership views security – as a cost center or as a business investment.”
Lisa Terry suggests alternative funding options, such as grant programs. “Applying for grants and public funding is an excellent way to enhance the budget for security technology. Government programs such as the Nonprofit Security Grant Program and the Victims of Crime Act often provide incremental funding for improving healthcare infrastructure, including security measures,” she notes. “Cloud-based security systems can provide a cost-effective, scalable solution for both physical and cyber defenses. Technologies like AI-powered surveillance systems may be an alternative to enhance physical security. Collaborative purchasing and efficiencies can be achieved as healthcare organizations partner with group purchasing organizations to lower expenses and purchase advanced technologies at lower costs.”
Reilly offers that to manage costs, many facilities spread out technology investments over several years. The first step is to assess the physical protection system (PPS), which includes policies, procedures, equipment, and manpower. Policies and procedures often cost little to implement but can yield significant benefits.
“Consider equipment that deters, delays, and detects threats. Advanced video, access control, and alarm systems are increasingly common, yet many organizations underutilize these tools. Today’s systems often have capabilities like camera call-ups triggered by alarm features that many users overlook,” emphasizes Reilly.
The Role of Staff Training in Security Preparedness
An organization’s security posture is only as strong as its staff’s preparedness. Warren describes an effective security program as a “three-legged stool” encompassing physical, operational, and cultural security. “The best access control system is useless if staff don’t know how to use it properly,” he says. “Security awareness needs to be embedded in the hospital culture.”
York emphasizes that training clinical staff to handle violent patient encounters is critical. “Healthcare security officers often work alongside nurses and doctors to de-escalate aggressive behavior,” he explains. “Training programs should focus on verbal de-escalation techniques and intervention strategies that prioritize patient safety while protecting staff.”
Reilly adds that ongoing, scenario-based training is essential for security teams. “One-off training sessions are not enough,” he says. “Security personnel should be regularly tested with real-world scenarios, including active shooter drills and cyber breach simulations.”
Terry highlights the importance of trauma-informed training. “Security staff must be trained in handling incidents with compassion and professionalism, particularly when working with behavioral health patients,” she notes. “A well-trained team can defuse situations before they escalate.”
Cybersecurity Challenges in the Age of Telemedicine
The rapid rise of telemedicine has introduced new cybersecurity risks. Reilly acknowledges that while telehealth has improved patient access to care, it has also created vulnerabilities that hackers are eager to exploit. “Multi-factor authentication and end-to-end encryption are now essential for securing telehealth platforms,” he explains. “IT and security teams must collaborate closely to protect remote access.”
Terry adds that vendor management is another critical concern. “Healthcare organizations must conduct thorough risk assessments of any third-party telehealth provider,” she says. “Ensuring compliance with HIPAA and other regulatory frameworks is key to preventing data breaches.”
Warren warns that the rapid adoption of new technology can outpace an organization’s ability to secure it. “Remote access and the use of tools such as telemedicine have dramatically improved the access to and convenience of providing much-needed healthcare services to our communities, but they do pose a specific risk if they are not protected properly. IT and cyber security professionals must be at the forefront of planning and implementing such systems to prevent inadvertent exploitation of such technologies,” he advises. “Phishing techniques and other cybercrimes continue to evolve and improve just as security measures do. It’s like the old saying, ‘Build a better mousetrap, make a smarter mouse.”’
The Power of Strategic Partnerships
Collaboration is a fundamental aspect of effective healthcare security. Public-private partnerships, industry associations, and law enforcement collaborations enhance security preparedness.
Warren points to programs like the FBI’s InfraGard and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as valuable hospital resources. “These initiatives provide intelligence-sharing and security best practices that healthcare organizations can use to stay ahead of emerging threats,” he says.
Warren adds that there is also a growing trend regarding private sector professional associations and organizations pooling their respective expertise in the advancement of security and safety for the healthcare industry, such as the International Association for Healthcare Safety and Security (IAHSS) working closely with the Facility Guidelines Institute (FGI) as well as The Joint Commission in the creation and enhancement of standards and guidelines to assist in protecting patients, caregivers and visitors.
Terry underscores the importance of industry collaboration. “Organizations like the IAHSS and the Facility Guidelines Institute (FGI) are instrumental in developing security best practices,” she notes. “Hospitals that actively engage with these groups benefit from collective expertise. Building and fostering relationships with local police, fire departments, and emergency management teams strengthens emergency plans. Additionally, partnering with universities enables research into innovative security solutions tailored to healthcare.”
York highlights the need for strong relationships with local law enforcement. “Many hospitals don’t have an armed security presence on-site, so they rely on local police for rapid response,” he explains. “Regular coordination and joint training exercises can ensure a smooth response to emergencies.”
Reilly advocates for deeper integration between security and IT teams. “Cyber and physical security professionals should be working together, not in silos,” he says. “By fostering stronger partnerships, hospitals can address threats holistically.”
Moving Forward: A Unified Approach to Healthcare Security
Security professionals must adopt a proactive and integrated approach as threats to healthcare facilities continue to evolve. Warren, York, Terry, and Reilly’s insights emphasize the importance of effectively blending technology, training, and strategic collaboration to mitigate risks.
The healthcare industry must recognize security not as an operational expense but as a long-term investment in patient and staff safety. By aligning security with overall organizational strategy, ensuring staff preparedness, leveraging technology responsibly, and fostering strong partnerships, hospitals can create a resilient security framework that meets the challenges of an increasingly complex threat landscape.
About the Author
Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive
Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at steve@securityinfowatch.com.