Complicated vs. Complex: Why Today’s Healthcare Demands a Unique Cybersecurity Approach

The healthcare industry is going through a period of unprecedented change. The adoption of healthcare solutions, cloud-based applications and AI-enabled tools within the clinical workflow will accelerate as federal funding programs such as the Rural Health Transformation Program encourage digital transformation. This change in care delivery is long overdue and much needed, so that care can be streamlined and operating costs lowered. However, the rapid adoption of technology carries a risk of its own – as organizations add systems to support operational efficiency and empower clinicians to improve patient outcomes, they expand their attack surface at the same time.

To address these growing risks and vulnerabilities, the updated HIPAA Security Rule introduces new requirements, procedures and responsibilities for the industry. For these new requirements to be adopted successfully, it is necessary to understand why healthcare is unique among industries and inherently harder to secure. The answer is not complacency or lack of money (although these may certainly be contributing factors); rather, it lies in the inherent complexity of delivering patient care.

The Health Care Gap: Why It’s Different

Why is healthcare the most targeted industry for cyberattacks, and why does it also lead in cost per breach? The reason lies in the nature of healthcare delivery itself.

  1. High availability: In finance or retail the consequences of a breach are financial or reputational. In healthcare, a breach that makes systems unavailable is a major operational problem – potentially delaying access to patient data and disrupting the delivery of care.
  2. Value of data: Protected Health Information (PHI) is a gold mine for cybercriminals. It includes financial information, health information, social security numbers, insurance information, family history, and more. It can be used fraudulently for years before the misuse is discovered, and it cannot be replaced or changed as easily as a credit card number.
  3. The interconnected ecosystem: Healthcare does not occur in silos. The average patient interacts with hospital networks, physician groups, insurers, pharmacies, and third-party vendors. This level of integration creates a large attack surface across which a breach can easily spread throughout the industry.

Complexity Is the Enemy of Security: How Complicated Systems Differ from Complex Ones

Complicated system: Anyone who has spent time studying the Lean Six Sigma manufacturing philosophy understands that it is intended to boost performance by reducing costs, eliminating waste, and reducing variation. In the 20th century, this philosophy transformed production. It rests on the idea that any process, however “complicated”, can be controlled, measured and improved as long as it can be repeated. We built rocket ships this way. It is also how we protect our financial system – by understanding the predictable nature of transactions and designing systems around it.

Complex system: Healthcare delivery does not operate in a bounded, predictable manner. Care is usually provided under time pressure, the course of care for each patient may be individual (even when the disease and its symptoms appear the same), and interaction with the care team may be urgent and depend on who is available. At its most basic, healthcare is neither linear nor predictable – it is complex. Regardless of the disease state, practice, or organization, healthcare delivery is complex – ill-defined, ambiguous, and can appear (on the surface) disorganized or ad hoc.

Research has found that this complexity is the root cause of cybersecurity breaches. When the exchange of information is ad hoc and asynchronous, it is almost impossible to analyze, evaluate, and manage an organization’s security posture. The most complex health systems – those with the largest number of patient transfers from one hospital to another – were 29% more likely to be breached than average.1

The Regulatory Maze: Preparing for Tomorrow’s HIPAA Security Rule

The HIPAA Security Rule is in its most critical phase in two decades, moving from a flexible “checklist” concept to a prescriptive “cybersecurity architecture” standard. Beginning in March 2026, the Department of Health and Human Services (HHS) is completing a major overhaul of the Security Rule that effectively eliminates the longstanding distinction between “required” and “addressable” safeguards. While these new standards are expansive and may feel overwhelming, a systematic Zero Trust approach that accounts for the complexity of the healthcare industry can provide a road map for improving security posture.2

The Cisco approach

We understand the size of the elephant when it comes to healthcare cybersecurity, so we take it one bite at a time. When we look at a Zero Trust strategy, we break it down into three areas of focus: Workforce, Workload and Workplace.

This Zero Trust approach allows us to prioritize and make incremental progress on the security controls and strategies needed to mature. Each focus area has key priorities within a fully developed Zero Trust strategy:

  • Workforce: In healthcare we consider secure remote access (for employees, contractors and third parties), multi-factor authentication (MFA), role-based access control, secure access service edge (SASE), and monitoring of AI model usage, access, and the information transmitted to such models.
  • Workload: By combining strong workload protection with application micro-segmentation and monitoring, as well as a comprehensive AI governance strategy that sets DevSecOps security expectations, the crown jewels can be better protected and, in the event of a breach, the blast radius greatly reduced.
  • Workplace: One of the biggest challenges in healthcare is visibility and standardization – this remains very difficult when it comes to medical devices. To properly deploy network access control (NAC) and segmentation policies, it is important to have the right technology and operational strategy defined and in place.

Cisco has a comprehensive portfolio of security solutions to help address the new HIPAA Security Rule standards. We also offer consulting and testing services to help you assess your security posture and support your efforts to meet your compliance obligations.

How Can We Help?

The Customer Experience (CX) Healthcare Practice at Cisco is comprised of individuals with experience in many different areas of the healthcare industry. We understand the unique challenges the industry faces and work to help connect the latest technologies with specific healthcare outcomes. If you are interested in discussing your HIPAA Security Rule preparation, cybersecurity development in general, or other consulting services, please contact us directly at: cxhealthcarebd@cisco.com.

  1. Tanriverdi, Hüseyin, et al. “Troubleshooting the Cybersecurity of Multihospital Systems: The Role of Enterprise Data Analytics Platforms.” MIS Quarterly, vol. 48, no. 1, 2024, https://doi.org/10.25300/MISQ/2024/17752.
  2. Improving Cybersecurity for Health. Cisco, 2026.
