
Healthcare Security Has Outgrown Standalone Systems


By Kumar Sokka, CEO, Acre Security

Lately, when talking to healthcare security leaders, one thing has been coming up more than anything else: they know their security infrastructure is disconnected; they know it creates risk, and they’re not sure how to close the gap without a costly overhaul.

That’s not a failure of intent. It’s a consequence of how security was built in the healthcare sector. Over decades, physical security and cybersecurity developed into distinct disciplines with separate ownership. Facility teams managed badge readers, cameras, and alarm panels, while IT managed networks, servers, and software. Each domain had its own vendors, its own procurement cycles, and its own reporting lines. Understandably, back then the assumption was that running them independently was sufficient.

That assumption has since broken down in a big way – and the consequences are showing up in incident reports, compliance gaps, and operational risk that most organizations haven’t fully mapped out yet.

Now, with the most significant update to HIPAA in over a decade nearly final, the pressure to address that fragmentation is no longer just operational. It's regulatory.

Disconnected Infrastructure Is an Active Vulnerability

Here’s a scenario I use when I’m talking to hospital security teams:

A bad actor walks into a hospital, finds an unsecured server room, and plugs in a laptop. At what point does that become a cyber problem?

The answer is: immediately. And it never stops being a physical security problem either.

The reason is network convergence. Physical security devices – cameras, access control panels, intercoms, alarm systems – are no longer standalone hardware operating in isolation. They’re IP-connected devices running on the same infrastructure as clinical systems and patient records. A compromised camera becomes a network entry point. An unsecured access control panel can serve as a pivot to a server. A visitor who reaches a networked terminal has potentially bypassed digital defenses entirely – without even touching a keyboard.

The London hospital ransomware attack that shut down blood work operations didn’t begin with a sophisticated intrusion. It began with physical access to the facility. That’s the operational reality healthcare organizations are now working within. Disconnected security infrastructure doesn’t just create administrative friction; it creates exploitable gaps.

What Unified Security Infrastructure Requires

When I ask hospitals to describe their current security posture, the most common answer is: we have systems in place, but they aren't connected.

Most organizations have some level of physical security deployed. What's typically missing is a common operational layer – a way to manage access control, video, visitor management, and intrusion detection from a single platform rather than through separate consoles with no shared data.

The facilities that are furthest ahead aren't always the ones with the largest budgets. They're the ones that made a deliberate decision to stop procuring point solutions and start building toward integrated infrastructure. That shift changes what's possible: automated credential revocation, real-time access visibility across sites, incident response that correlates physical and digital events in a single view, and the list goes on. None of that is available when the systems can't communicate.

The fragmentation itself is also a cost driver, not just a security problem. Organizations running disconnected systems across multiple vendors face higher support overhead, inconsistent policy enforcement, and expensive integration work when they eventually need to consolidate. The organizations investing in unified infrastructure now are building an asset. The ones deferring it are accumulating technical debt with a compliance deadline attached.

The Compliance Forcing Function

The first major update to HIPAA in more than a decade is nearly final. It is the clearest regulatory signal yet that standalone, disconnected security systems are no longer adequate for healthcare environments.

Every control becomes mandatory – multifactor authentication, encryption, network segmentation, annual penetration testing. And there is one requirement under the HIPAA access control rules that most organizations aren't prepared for: physical access credentials must be revoked within one hour of employee termination, across every facility, every door, every restricted area simultaneously. Can your current system do that?

That requirement is not achievable with disconnected systems. It calls for access control that integrates with HR workflows, so that credential revocation happens automatically when a termination is processed – not when someone remembers to chase down a badge. The infrastructure required to meet that single requirement is the same infrastructure that closes the broader gaps across the estate.
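As an added illustration (not Acre's product code or any vendor's API), here is a minimal model of the HR-triggered revocation and the one-hour audit check described above: a termination event revokes every credential the employee holds at every site, and a separate audit flags badges that are still active, or were revoked late, once the window has passed. Employee IDs, site names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# One-hour revocation window after a termination is processed (the requirement stated above).
REVOCATION_SLA = timedelta(hours=1)

@dataclass
class Termination:          # an HR "termination processed" event
    employee_id: str
    processed_at: datetime

@dataclass
class Credential:           # one physical badge credential at one site
    employee_id: str
    site: str
    active: bool = True
    revoked_at: Optional[datetime] = None

def revoke_for_terminations(terminations, credentials, now):
    """Revoke every active credential of every terminated employee, across all sites."""
    terminated = {t.employee_id for t in terminations}
    revoked = []
    for c in credentials:
        if c.employee_id in terminated and c.active:
            c.active, c.revoked_at = False, now
            revoked.append((c.employee_id, c.site))
    return revoked

def sla_breaches(terminations, credentials, now):
    """Audit: credentials still active past the deadline, or revoked after it."""
    deadline = {t.employee_id: t.processed_at + REVOCATION_SLA for t in terminations}
    breaches = []
    for c in credentials:
        due = deadline.get(c.employee_id)
        if due is None:          # not terminated, nothing to check
            continue
        if c.active and now > due:
            breaches.append((c.employee_id, c.site, "still active"))
        elif c.revoked_at is not None and c.revoked_at > due:
            breaches.append((c.employee_id, c.site, "revoked late"))
    return breaches

def demo():
    """Constructed sample: three sites, three badge holders, two terminations."""
    t = lambda h, m=0: datetime(2025, 6, 2, h, m, tzinfo=timezone.utc)
    terms = [Termination("E100", t(9)), Termination("E200", t(12))]
    creds = [Credential("E100", "main-campus"), Credential("E100", "clinic-north"),
             Credential("E100", "clinic-south", active=False, revoked_at=t(11)),
             Credential("E200", "main-campus"), Credential("E300", "main-campus")]
    auto = revoke_for_terminations(terms[:1], creds, now=t(9, 20))  # HR-triggered, inside the window
    late = sla_breaches(terms, creds, now=t(14))                   # E200 was never revoked
    return auto, late

if __name__ == "__main__":
    print(demo())
```

The audit is the part that answers "can your current system do that?": it only works when every site's credential state is visible from one place.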

HHS estimates first-year compliance costs at $9 billion – in large part because so many organizations are paying to retrofit integration that should have been built in from the start. The facilities beginning this work now have a different path available. Proactive infrastructure investment is significantly less expensive than emergency remediation under a regulatory deadline.

The Safety Case Goes Beyond Compliance

I want to be direct about something. The HIPAA deadline is a forcing function — but it shouldn't be the only reason healthcare organizations are having this conversation.

The infrastructure required to meet the updated standards – unified access control, real-time monitoring, automated credential management, visitor screening – is the same infrastructure that makes hospitals genuinely safer for the people working in them every day.

The numbers make that case plainly. Healthcare workers are five times more likely to experience workplace violence than workers in any other industry, and US hospitals spent $18.27 billion on violence-related costs in 2023. These aren't abstract statistics — they reflect what happens when the systems designed to protect people operate in isolation from each other. Connected infrastructure doesn't just satisfy a compliance requirement. It closes the gaps that put staff at risk in the first place.

Compliance and operational safety aren't parallel goals. They're the same investment, finally being recognized as such.

What This Looks Like at the Point of Entry

One of the places I see disconnected infrastructure creating the most visible risk is visitor management. Hospitals are inherently open environments – patients, families, contractors, and vendors moving through constantly. That accessibility is operationally necessary. It's also one of the most consistent vulnerabilities in the security posture of most facilities.

Running background checks, issuing credentials, tracking who's in the building – most facilities still handle this manually, or with tools that sit outside their core security infrastructure. Under the updated HIPAA requirements, visitor management is explicitly in scope. It connects directly to the network segmentation and audit trail requirements that are expected to become mandatory later this year.

FAST-PASS is Acre's answer to this. It processes every visitor in seconds, cross-checks automatically against watchlists, and generates the compliance record as part of the workflow — not assembled after the fact. It connects directly into the broader access control platform, so visitor data isn't siloed the moment someone walks through the door. New visitors in 15–20 seconds, returning guests in under 10.

It's a practical example of what connected infrastructure looks like at the front door.

FAST-PASS is part of the Acre Identity platform, which is built to support HIPAA, ISO 27001, and Joint Commission readiness from the ground up.

The Window Is Still Open

There are two ways healthcare organizations can approach the HIPAA deadline. The first path is to treat it as a line to clear – address the specific requirements, document compliance, and move on. That approach is expensive, produces compliance without capability, and leaves the underlying infrastructure problem unsolved.

The other is to treat this moment as the organizational catalyst to build security infrastructure that actually works – where unified systems, automated workflows, and real-time visibility become the foundation, and compliance is a byproduct rather than a project.

The tools to do this exist. The regulatory direction is clear. The organizations that make this investment now will emerge with hospitals where staff are safer, patients are better protected, and security operations are manageable at scale. That's the outcome worth building toward – and with the deadline approaching, the organizations that start now will have options that those who wait won’t.

Ready to assess where your organization stands? Talk to our team

Kumar Sokka is CEO of Acre Security, which works with healthcare facilities, hospitals, and clinical campuses on physical security, compliance, and risk assessment. Learn more at acresecurity.com/industries/healthcare