Healthcare organizations are rethinking how physical security supports not only safety, but operational resilience, workforce protection, and patient experience. According to healthcare-specific findings from Genetec’s 2026 State of Physical Security Report, hospitals and health systems are prioritizing deployment flexibility, artificial intelligence, and cross-department collaboration amid a measurable increase in physical security incidents.
Based on insights from physical security professionals working in or with healthcare environments worldwide, the report highlights how security strategies are evolving in response to rising threats, staffing challenges, and aging infrastructure.
Hybrid-cloud deployment remains central to healthcare resilience
Hybrid-cloud deployment models continue to dominate healthcare security strategies, reflecting the sector’s need for flexibility, control, and long-term adaptability. Nearly six in ten respondents cited continuous updates and software upgrades as the primary driver for adopting cloud or hybrid systems, followed by cost savings and faster deployment timelines.
Disaster recovery and data ownership also ranked high, underscoring healthcare’s regulatory complexity and the operational risks associated with downtime.
“Healthcare organizations are taking a measured, strategic approach to modernization,” said Dale Martin, Key Account Manager, Healthcare at Genetec. “Flexible deployment options support long-term planning and goals while allowing organizations to adapt as operational and clinical needs evolve.”
For many health systems, hybrid models offer a pragmatic path forward—modernizing without sacrificing control over sensitive data or disrupting mission-critical workflows.
The report reveals that security modernization is increasingly constrained by workforce realities. Training and upskilling staff was identified as the top challenge for healthcare organizations, followed closely by aging IT infrastructure and difficulty attracting and retaining talent.
These pressures are influencing how healthcare organizations set priorities. Rather than pursuing standalone technology upgrades, many are focusing on solutions that simplify operations, reduce manual workloads, and integrate more seamlessly with existing systems.
Looking ahead to 2026, access control emerged as the top planned investment area, followed by AI and video surveillance. The emphasis reflects a shift toward proactive security models that can scale without requiring proportional increases in staff.
AI adoption accelerates across physical security operations
Artificial intelligence is moving from experimentation to operational necessity in healthcare security environments. Nearly half of respondents plan to leverage AI to streamline security processes, signaling growing confidence in AI-driven tools for monitoring, analysis, and response.
AI-enabled security systems can help identify patterns, reduce false alarms, and surface actionable insights faster—capabilities that are particularly valuable in healthcare settings where security teams are often stretched thin and incidents can escalate quickly.
At the same time, the report highlights growing collaboration between physical security teams and other departments, including human resources and facilities management. This reflects a broader understanding that security is no longer siloed, but deeply connected to workforce safety, compliance, and day-to-day operations.
Physical security incidents continue to rise in healthcare settings
The urgency behind these investments is clear. Healthcare organizations reported significant increases in physical security incidents over the past year, including physical attacks on employees, verbal assaults, unauthorized entry, break-ins, and insider theft.
These trends mirror broader concerns across the healthcare sector around workplace violence, access control challenges, and the need to better protect frontline staff. As incidents increase, health systems are under pressure to respond faster and with greater situational awareness.
Security operations become increasingly data-centric
To address rising risks, healthcare organizations are expanding how security data is shared and used across the enterprise. More than half of respondents are now sending access activity data from security operations centers to other systems, while many also share alarms, incident data, and video or audio information.
At the same time, security operations centers are ingesting data from cybersecurity tools, asset monitoring systems, HR platforms, and external threat intelligence sources. This bidirectional flow of information reflects a convergence of physical security, cybersecurity, and operational intelligence.
Rather than serving solely as a reactive function, physical security is becoming an integrated data source that supports broader organizational awareness and decision-making.
Physical security data supports operational and experience goals
Healthcare organizations are increasingly using physical security data to drive outcomes beyond traditional safety metrics. The top objectives cited include improving safety and security, increasing operational efficiency within security teams, supporting regulatory compliance, and enhancing employee and patient experience.
Many organizations are also leveraging security data for occupancy management and space utilization, supporting broader operational efficiency efforts across departments.
As healthcare organizations face mounting pressures—from workforce shortages to rising violence and tighter budgets—the role of physical security continues to expand. The findings from Genetec’s 2026 report suggest that flexible architectures, AI-driven insights, and cross-functional collaboration will be essential to building safer, more resilient healthcare environments.
Email continues to be the lifeblood of communication in healthcare. From coordinating care among clinical teams to sharing lab results and scheduling appointments, email is a fast, familiar, and fully integrated part of nearly every workflow. Yet, the very convenience that makes it indispensable also makes it one of the riskiest points of exposure for patient information and organizational security.
In healthcare, the impact of an email breach goes beyond just financial loss. A misaddressed email, an incorrect attachment, or a single successful phishing attempt can compromise sensitive information, including diagnoses, lab results, and personal identifiers. These details are extremely valuable to cybercriminals, posing risks such as identity theft, fraudulent insurance claims, and tampered medical records that can directly impact patient safety and well-being.
The Shift from Technical Exploits to Human-Centric Attacks
Cybercriminals are increasingly shifting away from complex technical exploits and instead using personalized deception tactics. Recent research indicates that over half (58%) of phishing websites now utilize unidentifiable phishing kits, such as Evilginx, Tycoon 2FA, and 16shop, that are difficult to detect and are increasingly powered by AI. These kits enable cybercriminals to create highly personalized attacks that exploit both technology and human behavior, allowing them to bypass traditional security measures.
Business Email Compromise (BEC) remains a significant threat, with 82% of attacks involving impersonation of CEOs or senior leaders. This tactic is used to pressure employees into transferring funds or revealing sensitive information. Additionally, the targeting of specific regions is changing, with Danish, Swedish, and Norwegian executives increasingly vulnerable, alongside traditional English-speaking targets.
Malware: A Persistent Threat
Malware continues to heighten risks, with Lumma Stealer identified as the leading malware strain. It spreads through attachments or links from compromised cloud services. The malware-as-a-service model is particularly appealing, as it offers cost-effective access and support for both inexperienced and experienced attackers. This approach lowers the barrier to entry while maintaining high effectiveness.
Phishing lures are carefully designed to exploit human behavior. Financial incentives, urgency appeals, and account updates are the primary components of most malicious messages. Open redirects and compromised websites conceal the ultimate destination, making links appear legitimate, while PDFs, often embedded with QR codes, remain the most common vector for attachments.
These attacks are not random but carefully orchestrated to harvest sensitive data — at scale.
Human Error: The Weakest Link
Despite the sophistication of various cyber threats, human error remains the weakest link in cybersecurity. Healthcare professionals operate in high-pressure environments, balancing the demands of patient care with administrative tasks. In these situations, it’s easy to mistakenly send an email to the wrong recipient, mislabel an attachment, or click on a link that seems legitimate.
Additionally, healthcare organizations often rely on external partners for scheduling, billing, and communications, which involve handling protected health information (PHI). If a vendor is compromised, the covered entity remains responsible for the breach and its consequences.
This interconnectedness underscores why email security should not be viewed solely as an IT issue; it is a top organizational priority.
Beyond Perimeter Defenses: A Human-Centric Approach
Mitigating email risk requires more than just perimeter defenses. While encryption, multi-factor authentication, and phishing filters are essential, they are not enough on their own. These tools need to be complemented by user-focused safeguards that provide staff with real-time assistance. Practical measures include recipient confirmation prompts, content alerts when potentially harmful information is detected, and in-the-moment security reminders. These mechanisms serve as checkpoints, helping to prevent mistakes before they happen.
Training is also crucial, but it needs to be ongoing and integrated into daily workflows, rather than being limited to annual modules. Short, bite-sized lessons, simulated phishing exercises, and reminders that are embedded in workflows help reinforce awareness, ensuring that staff keep security in mind even under pressure. When security awareness is woven into daily operations, it becomes second nature for everyone involved.
The Role of Technology in Enhancing Email Security
While human-centric approaches are essential, technology also plays a crucial role in enhancing email security. Advanced email security solutions can detect and block malicious attachments, links, and impersonation attempts before they reach users’ inboxes. Machine learning algorithms can analyze email patterns and behaviors to identify anomalies indicative of phishing or business email compromise (BEC) attacks.
Furthermore, integrating email security with other systems, such as endpoint protection and identity management, creates a layered defense that can respond more effectively to threats. This holistic approach ensures that even if one layer is bypassed, others remain in place to protect sensitive information.
Legal and Regulatory Implications
The legal and regulatory landscape surrounding email security in healthcare is complex and continually evolving. Organizations must comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which mandates the protection of protected health information (PHI). A breach resulting from an email-related incident can lead to significant legal consequences, including hefty fines and damage to reputation.
Moreover, patients trust healthcare organizations to safeguard their personal information. Protecting email communications is not just a legal obligation but is necessary to maintain patient trust.
Practical Steps for Healthcare Organizations
Healthcare organizations can implement several practical steps to enhance email security:
Implement Advanced Email Security Solutions: Utilize email security tools that can detect and block malicious content, impersonation attempts, and phishing attacks.
Educate and Train Staff: Provide ongoing training for staff on recognizing phishing attempts, securely handling sensitive information, and following best practices for email communication.
Establish Clear Policies: Develop and enforce policies regarding the use of email for transmitting sensitive information, including guidelines for encryption and authentication.
Monitor and Respond to Threats: Continuously monitor email traffic for signs of suspicious activity and have a response plan in place for addressing potential incidents.
Collaborate with Third-Party Vendors: Ensure that third-party vendors handling PHI adhere to the same security standards and practices to mitigate the risk of breaches.
Conclusion
Ultimately, protecting email in healthcare is not merely a compliance requirement; it is a critical aspect of ensuring patient safety. It is central to preserving patient trust, safeguarding clinical integrity, and ensuring uninterrupted care delivery. Each secure message helps prevent identity theft, fraudulent claims, and mismanaged records, directly supporting our mission to put patients first.
As cyber threats evolve and human error remains persistent, healthcare organizations must adopt strategies that combine robust technology with human-centered approaches. By doing so, they can reduce both accidental and malicious breaches, protecting the information that matters most, the health and safety of patients.
VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its email threat landscape report for Q2 2025.
Through an examination of worldwide real-world data, this report sounds the alarm on the most significant email security trends observed in the second quarter of 2025, enabling organizations to develop effective email security defenses for the remainder of the year.
Unidentifiable phishing kit deployments
A striking 58% of phishing sites now use unidentifiable phishing kits. Cybercriminals are deploying unidentifiable phishing kits to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments. These phishing kits can’t easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), 16shop (7%), with another 5% attributed to other generic kits.
Manufacturing is the top target sector
For the sixth quarter in a row, the manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks – 26% of all incidents – encompassing BEC, phishing, and malspam threats. Retail follows, accounting for 20% of attacks.
Healthcare is close behind at 19%, reflecting a consistent trend observed since last year and through Q1 2025.
English-speaking executives remain the most targeted for BEC emails (42%), but a significant portion of targets are Danish (38%), with Swedish and Norwegian executives comprising a combined 19%. Critical corporate communications – especially within HR, finance, and executive teams – often take place in native languages, making localized attacks more convincing.
Impersonation is the most common technique used in BEC scams, with 82% of attempts targeting CEOs and executives. The remaining impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).
Lumma Stealer, the malware family of the quarter
Lumma Stealer was the most frequently encountered malware family in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive and Google Drive.
Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.
Top bait, hook, and reel-in tactics
Financial lures representing 35% of the samples – emails regarding money, financial errors, fiduciary imperatives, and such – are the number one ploy used by cybercriminals to get users to open malicious emails. Urgency-based messaging (25%) is the second most tried approach, followed by account verification and updates (20%), travel-themed messages (10%), package delivery (5%), and legal or HR notices (5%).
For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30%) are the next most prevalent link delivery method, followed by the use of URL shorteners (7%).
While PDFs (64%) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.
Finally, cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to a remote server, accounting for 52%, and email exfiltration (30%).
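A mail gateway or triage script can surface the link masking described above (open redirects on marketing and tracking hosts, URL shorteners) by checking whether a link's query string carries a destination on a different site than the host the reader sees. The following is an added example, not code from the VIPRE report or any vendor; all hostnames are constructed, and the shortener list and the two-label "site" comparison are simplifying assumptions.

```python
import base64
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: in practice this set comes from a list the mail team maintains.
SHORTENER_HOSTS = {"short.example"}


def site(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])


def http_host(candidate):
    """Return the host of an absolute or scheme-relative web URL, else None."""
    text = candidate.strip()
    if text.startswith("//"):          # scheme-relative form: //host/path
        text = "https:" + text
    try:
        parts = urlsplit(text)
    except ValueError:                 # e.g. malformed IPv6 literal
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname
    return None


def decodings(value):
    """Yield the parameter value as-is, percent-decoded once more, and base64url-decoded."""
    yield value
    yield unquote(value)               # catches double-encoded destinations
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:                 # not base64, or not text: nothing more to try
        return


def inspect_link(url):
    """Return (reason, landing_host, hidden_host) findings for one link."""
    landing = http_host(url)
    if landing is None:
        return []
    findings = []
    if landing in SHORTENER_HOSTS:
        findings.append(("shortener", landing, None))
    seen = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for candidate in decodings(value):
            hidden = http_host(candidate)
            # Only a destination on a different site than the visible host is masking.
            if hidden and hidden not in seen and site(hidden) != site(landing):
                seen.add(hidden)
                findings.append(("redirect-param:" + name, landing, hidden))
    return findings


def flagged(links):
    """Map each link that produced findings to those findings."""
    results = {}
    for link in links:
        found = inspect_link(link)
        if found:
            results[link] = found
    return results


# Constructed sample links (not real indicators).
_B64_DEST = base64.urlsafe_b64encode(
    b"https://files.invoice-view.test/doc.pdf").decode().rstrip("=")
SAMPLE_LINKS = [
    # percent-encoded destination behind a tracking host
    "https://click.mailer.example/track?id=42&url=https%3A%2F%2Flogin.portal-update.test%2Fsignin",
    # base64url-encoded destination
    "https://t.newsletter.example/c?d=" + _B64_DEST,
    # double percent-encoded destination
    "https://www.shop.example/out?next=https%253A%252F%252Fpay.refund-desk.test%252F",
    # same-site return URL: not flagged
    "https://portal.hospital.example/login?return=https%3A%2F%2Fapp.hospital.example%2Fhome",
    # shortener: destination unknown until resolved
    "https://short.example/aB3xK",
    # ordinary link: not flagged
    "https://intranet.hospital.example/policy?id=7",
]

if __name__ == "__main__":
    for link, found in flagged(SAMPLE_LINKS).items():
        for reason, landing, hidden in found:
            print(f"{reason:22} shown={landing} hidden={hidden}")
```

A finding is a reason to rewrite, sandbox, or hold the link for review, not proof of phishing: many legitimate newsletters route clicks the same way.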
“It’s clear what the threat actors are doing – they are outsmarting humans through hyper-personalized phishing techniques using the full capability of AI and deploying at scale,” Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group, says. “Organizations can no longer rely on standard cybersecurity processes, techniques, and technology. They need comprehensive and advanced email security solutions that can help them to deploy like-for-like defenses – at the very least – if not help them stay a step ahead of the tactics used by cybercriminals.”
VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.
By Errol Weiss, chief security officer, Health-ISAC.
Healthcare data breaches are reaching unprecedented levels, with attacks that target the industry surging in both frequency and sophistication. Cybercriminals are zeroing in on vulnerabilities across healthcare systems, exploiting outdated and unpatched systems to steal and manipulate sensitive patient data.
From medical histories to genomic information, this data has immense value, making it a lucrative target for ransomware, phishing schemes, and insider threats. As healthcare organizations scramble to shore up defenses, the risks extend beyond financial losses to jeopardize patient safety and trust.
The urgency is exemplified by two landmark pieces of legislation—the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA). These laws aim to confront the mounting threats, but they also raise critical questions: Can they outpace the rapidly evolving tactics of cybercriminals? Are they enough to close the gaps left by outdated regulations like HIPAA?
Limitations of existing legislation
The limitations of existing regulations like the Health Insurance Portability and Accountability Act (HIPAA) reveal why new measures are necessary to address today’s cybersecurity challenges. When HIPAA was enacted in 1996, its primary focus was ensuring the confidentiality of patient information and establishing basic standards for privacy and compliance. While it has played a pivotal role in protecting patient data, HIPAA’s framework has not kept pace with the increasingly sophisticated cyber threats facing healthcare organizations.
As it stands, HIPAA has become largely a reactive framework for punishment, focusing on penalizing organizations after data breaches occur, rather than implementing proactive measures to prevent them. Its provisions leave much of the “how-to” for securing digital infrastructure undefined, offering flexibility but creating wide disparities in cybersecurity practices. Large healthcare providers with robust resources have the ability to invest in advanced protections, while smaller clinics and rural providers struggle to implement even basic measures due to financial and technical limitations.
In healthcare, data breaches and cyber threats can disrupt patient care, compromise sensitive information, and even lead to financial losses.
A strong cyber resilience plan isn’t just about preventing attacks; it’s about preparing, responding, and recovering quickly if one occurs.
Here’s a step-by-step guide to building a cyber resilience plan tailored to the healthcare industry, ensuring your organization is well-prepared for cyber threats while maintaining patient trust.
1. Assess Your Current Cybersecurity Position
Begin by evaluating your cybersecurity strengths and weaknesses. Identify all digital assets linked to your network to uncover potential vulnerabilities. These include patient data systems and any third-party software, such as electronic health record (EHR) platforms. It’s also crucial to assess any digital health tools, like mobile apps or wearable tech integrations, that interact with patient data.
Once you’ve mapped out your assets, review defenses like firewalls, encryption, and system access policies to establish a baseline. This helps pinpoint gaps, providing a clearer picture of where to prioritize security improvements.
2. Set Clear Goals for Cyber Resilience
Define what “cyber resilience” means for your healthcare organization, focusing on maintaining essential services, protecting sensitive data, and reducing recovery time during an attack. These goals are critical in healthcare, where patient care depends on system availability.
Setting benchmarks, such as maximum allowable downtime or acceptable data loss, gives your team clear, measurable outcomes. This alignment ensures everyone understands the plan’s priorities and what success looks like.
3. Implement Cloud Security
Cloud technology is essential in healthcare for storing and sharing patient data, but it brings unique risks. Strengthening cloud security involves using multi-factor authentication (MFA) for system access and encrypting all data stored or transferred in the cloud.
Choose cloud providers who comply with healthcare regulations and conduct regular audits to ensure ongoing security. With robust healthcare cloud security measures, you protect patient data and enhance recovery options if a cyber incident occurs.
4. Develop Incident Response and Recovery Protocols
An effective resilience plan includes detailed incident response and recovery protocols. Your response plan should outline immediate steps for a breach, such as identifying the threat, containing it, and notifying affected parties under the Health Insurance Portability and Accountability Act (HIPAA) guidelines.
Disaster recovery protocols focus on restoring systems and retrieving data quickly, minimizing operational disruption. Automated backup tools help reduce downtime, and regular testing ensures readiness for real-world incidents.
5. Train Your Staff in Cybersecurity Awareness
Employee mistakes are a frequent cause of security incidents, often due to actions like clicking unsecured links, sharing passwords, or ignoring security alerts. Regular training equips your team to identify phishing emails, avoid unauthorized software downloads, and report unfamiliar devices connected to hospital equipment.
Additionally, encourage proactive security habits, such as locking screens when away, securing personal devices used for work, and updating passwords regularly. Hands-on activities, like unauthorized access scenarios or fake login prompts, help employees practice responses effectively. A culture of cybersecurity awareness empowers staff to safeguard data, fortifying your defense against potential breaches.
By David Sampson, VP of Cyber Risk & Strategy, Thrive.
In February, hackers took Change Healthcare offline in one of the most high-profile and wide-reaching cyberattacks to date. Change Healthcare serves hundreds of thousands of providers in the U.S. and processes billions of transactions every year. With Change Healthcare’s systems compromised, cash stopped flowing for hospitals and physician offices everywhere. Providers couldn’t submit new claims, pharmacies couldn’t charge appropriately for prescriptions, and prior authorizations couldn’t go through for critical procedures.
Even after Change Healthcare’s parent entity, UnitedHealth Group, paid a $22 million ransom to the group behind the attack, there’s still risk that sensitive patient data could be leaked online. More importantly, the healthcare industry saw how a cyberattack on a third-party vendor could directly interfere with patient care.
Unfortunately, cyberattacks on the healthcare industry are growing – and, like the Change Healthcare attack, can wreak havoc on everyday operations and impact patient safety. However, if hospitals take the right precautions, they can mitigate these risks and better protect themselves from hackers, ransoms, and disruptions to business.
The Importance of Evaluating Third-party Vendor Risk
Healthcare organizations often rely on third-party vendors for various services. Delivering high-quality patient care is complicated in and of itself. Building an ecosystem that includes services and solutions like telemedicine, wearables, digital electronic medical records (EMRs), patient-centered mobile apps, and other cutting-edge innovations is impossible for smaller healthcare providers.
Many times, the best way to extend the range of services offered is to work with third-party vendors. The problem is this outsourcing expands the surface area of attack for cyber criminals. Every third-party vendor relationship comes with a new IT integration and potential entry point for hackers. In other words, more third-party vendors means increased organizational risk.
Healthcare leaders must recognize this tradeoff and think intentionally about how best to strike the balance between healthcare excellence and IT integrity. Before onboarding a new vendor, providers must conduct thorough audits, identify all vulnerabilities, and work constantly to ensure systems are integrated in a safe, secure, and resilient fashion. This is not a point-in-time exercise, but one that both healthcare providers and vendors have to engage in regularly to keep intruders away from sensitive patient data.
By Todd Moore, vice president of data security products, Thales.
On Nov. 13, 2023, New York Governor Kathy Hochul proposed a new set of cybersecurity rules for state hospitals. This includes a mandate that hospitals must develop their own programs and response plans and appoint chief information security officers (CISOs). The regulations are part of a statewide cyber strategy that Hochul launched in August to improve cyber resilience as attacks continue to rise.
The strategy is built on three central principles: Preparedness, Resilience, and Unification. It is also New York’s first roadmap to mitigate cyberthreats and attacks and has a long road ahead to combat the growing phishing and ransomware attacks across the state.
Are the regulations up to the task? Let’s take a look.
Preparedness
Tackling multiple cybersecurity threats in recent years may have weathered healthcare’s capacity for self-defense. But the industry is still more vulnerable than most. According to the Thales 2023 Healthcare and Life Sciences (HLS) Report, 71% of healthcare organizations have cited an increase in ransomware attacks this year, far higher compared to other industries at 49%. The higher frequency is mainly due to the vast personal data they store (medical records, PII, etc.) that present a goldmine for identity theft.
Under Hochul’s proposal, preparedness will involve providing advice and guidance to ensure New Yorkers are empowered to take charge of their own cybersecurity. Healthcare facilities will have to develop their own cyber programs and incident response plans, with written policies, procedures, and regular risk and response assessment tests in place.
At first glance, these give facilities a good foundation on which to establish their cybersecurity strategies, particularly for the less tech-savvy ones. But while the regulations are a good starting point and may develop expansively, right now we’ve only gotten high-level objectives. There isn’t a clear direction for managing crucial resources in use, such as the cloud, which could undermine Hochul’s efforts to foster resilience and unification.
Resilience
We live in a multi-cloud reality. Nearly 90% of healthcare respondents deploy two or more cloud providers to better manage data. Over the past year, data security in the cloud has become increasingly complex (from 44% to 55%). Unfortunately, this makes cloud resources a leading target for attackers, particularly for healthcare (78%) over other industries (67%).
In September, Mikael Öhman took the helm of CORL Technologies, a provider of tech-enabled managed services for vendor risk management and compliance, and its sister organization Meditology Services, which provides information risk management, cybersecurity, privacy, and regulatory compliance services for the healthcare industry.
Öhman comes to CORL and Meditology from KMS Healthcare, where he was CEO of the global technology services company. Previously, he was a consultant at McKinsey and Company in Stockholm and Atlanta, managed international operations for Cerner, and led mergers and acquisitions for McKesson’s IT business. In addition to his executive health IT experience, which also includes serving as COO for software, services, and device companies, Öhman co-founded an urgent care business that was sold to Piedmont Urgent Care by Wellstreet.
We recently sat down with Öhman to discuss the current healthcare cybersecurity landscape, what’s on the horizon, and his plans for CORL and Meditology.
EHR: How would you describe the current state of cybersecurity in healthcare?
Öhman: Big, big, big worry. For everybody. Anytime you look at the news, you hear about another health system getting hit with a ransomware attack or a vendor being hacked. That’s why cybersecurity is absolutely a key priority. The bad guys know that healthcare data has tremendous value; you can get rich by holding somebody’s data hostage or selling it.
Healthcare is complex. It requires a highly networked system with many vendors involved at many different points. Data doesn’t just live in one place anymore. While all the data sharing and integration points to move information between on-premises systems and cloud environments are fabulous, they also raise the security threat level by magnitudes. The criminals are going to find the weakest link. When they do, the damage that can be done because of data aggregation is much, much higher. It’s why security is an obvious priority.
Managing and securing healthcare is a much bigger job now than it was 10 years ago when most of your systems were sitting in a data center behind your own four walls. You could see and touch it and feel that you had control. Now, there is a proliferation of cloud-based and SaaS vendors that, if not properly vetted and controlled, can create new exposure points that you may not know even exist. Every provider and payer – anybody using multiple vendors – must be prepared because it’s going to continue to get riskier every single day as new technologies come out.