
Complicated vs. Complex: Why Modern Healthcare Demands a Unique Approach to Cybersecurity

The healthcare industry is undergoing a period of unprecedented transformation. The expansion of virtual health solutions, cloud-based apps and AI-enabled tools used within clinical workflows will only increase as federal funding programs like the Rural Health Transformation Program incentivize digital transformation. This evolution in care delivery is long awaited and much needed in order for healthcare to become more scalable and to help drive down operational costs. However, the rapid adoption of technology can present a potentially dangerous paradox: as organizations modernize to support operational efficiency and empower clinicians to improve patient outcomes, they are simultaneously expanding their attack surface.

To address these growing risks and vulnerabilities, a new HIPAA Security Rule has been proposed to drive new requirements, enforcement mechanisms, and accountability in the industry. For these new requirements to be adopted successfully, it is imperative that we understand why the healthcare industry is different from all other verticals and inherently more insecure. The answer is not complacency or lack of funding (although these may certainly be contributing factors). Rather, the answer lies in the innate complexity of delivering patient care.

The Healthcare Insecurity Gap: Why it’s Different

Why is healthcare the most targeted industry for cyberattacks and why does the industry also lead in cost per breach? The cause has to do with the nature of healthcare delivery itself.

  1. High-stakes availability: In finance or retail, the ramifications of a breach are financial or reputational. In healthcare, a breach that renders systems unavailable is a critical operational crisis, potentially delaying access to patient data and hindering the delivery of care.
  2. Data Value: Protected Health Information (PHI) is a goldmine for cybercriminals. It includes financial data, health information, Social Security numbers, insurance information, family history, and more. It can be used fraudulently for years before detection and cannot be easily canceled or changed like a credit card number.
  3. The Interconnected Ecosystem: Healthcare does not occur in a silo. The average patient interacts with a web of hospitals, physicians’ groups, insurers, pharmacies, and third-party vendors. This level of integration creates a massive attack surface where a vulnerability in one network can easily propagate across the industry.

Complexity is the Enemy of Security: How Complex Processes are Different Than Complicated Ones

Complicated Systems: Anyone who has spent time learning the Lean Six Sigma manufacturing mindset understands that it is intended to boost performance by reducing cost, eliminating waste, and reducing process variation. In the 20th century, this philosophy revolutionized manufacturing. It is largely based on the idea that any process, however “complicated”, can be managed, measured, and improved if it is repeatable. We built rocket ships this way. This is also how we secure our financial system: by understanding the linear nature of the possible transactions and introducing controls.

Complex Systems: Healthcare delivery does NOT function in a linear, predictable way. Healthcare is often delivered in an urgent setting, each patient’s care pathway may be individualized (even if their disease and symptoms appear similar), and interactions with their care team could be more ad-hoc depending upon availability. At its most basic, healthcare is not linear or predictable; it is complex. Regardless of the disease state, the specialty, or the organization, healthcare delivery is not easily predicted, is non-linear, and may appear (on the surface) unstructured or ad-hoc.

Research has determined that this complexity is the primary driver of cybersecurity breaches. When information exchanges are ad-hoc and non-linear, it is nearly impossible to analyze, test, and control an organization’s security posture. The most complex healthcare systems, those with the largest varieties of health service referrals from one hospital to another, were 29% more likely to be breached than average. [1]


A Regulatory Maze: Preparing for Tomorrow’s HIPAA Security Rule

The HIPAA Security Rule is currently undergoing its most significant transformation in over two decades, shifting from a flexible “checklist” mentality to a rigorous “cybersecurity architecture” standard. As of March 2026, the Department of Health and Human Services (HHS) is finalizing a major overhaul of the HIPAA Security Rule that effectively eliminates the long-standing distinction between “required” and “addressable” safeguards. While these new standards are expansive and may feel overwhelming, a systematic approach to Zero Trust that takes into consideration the inherent complexity in the healthcare industry can provide a roadmap for improved security maturity. [2]

Cisco’s Approach

We understand the size of the elephant when it comes to healthcare cybersecurity, so we choose a bite-by-bite approach. When we look at a Zero Trust strategy, we tend to break it down into three focus areas: Workforce, Workload, and Workplace.

This approach to Zero Trust allows us to prioritize and make incremental progress on security controls and policies that are needed to scale. Each focus area has particular priorities that are critical to a fully developed Zero Trust strategy:

  • Workforce: In healthcare we are thinking about secure remote connectivity (for contractors, employees, and third parties), multi-factor authentication (MFA), role-based access controls, dynamic secure connectivity (SASE), and monitoring of AI model usage, access, and information transmitted.
  • Workload: By combining strong workforce controls with application microsegmentation and monitoring, as well as a comprehensive AI Governance strategy that includes DevOps security and guardrails, the crown jewels can be better defended and, in the event of a breach, the blast radius will be greatly reduced.
  • Workplace: One of the biggest challenges in healthcare is visibility and context, and this is increasingly challenging when it comes to medical devices. In order to properly set network access controls (NAC) as well as segmentation policies, it is critical to have the right technologies and enforcement strategy defined and in place.

 Cisco has a comprehensive portfolio of security solutions to help address the new HIPAA Security Rule standards. We also offer consultative services and assessments to help you evaluate your security posture and support your efforts to meet your compliance obligations.

How Can We Help?

The Customer Experience (CX) Healthcare Practice at Cisco is comprised of individuals who have experience in many different areas of the healthcare industry. We understand the unique challenges that the industry faces and work to help align technologies to healthcare-specific outcomes. If you are interested in discussing your HIPAA Security Rule readiness, overall cybersecurity maturity, or our other advisory services, please reach out to us directly at: cxhealthcarebd@cisco.com.

  1. Tanriverdi, Hüseyin, et al. “Taming Complexity in Cybersecurity of Multihospital Systems: The Role of Enterprise-wide Data Analytics Platforms.” MIS Quarterly, vol. 48, no. 1, 2024, https://doi.org/10.25300/MISQ/2024/17752.
  2. Modernizing Cybersecurity for Healthcare. Cisco, 2026.

 



Digit

Digit is a versatile content creator with expertise in Health, Technology, Movies, and News. With over 7 years of experience, he delivers well-researched, engaging, and insightful articles that inform and entertain readers. Passionate about keeping his audience updated with accurate and relevant information, Digit combines factual reporting with actionable insights. Follow his latest updates and analyses on DigitPatrox.