In healthcare, a physical breach doesn't just mean stolen data. It can put patients, staff, and human life at risk. That's what makes physical security in this industry fundamentally different, and why every checklist-driven compliance program comes up short.
In January 2025, the Department of Health and Human Services (HHS) proposed the most significant update to the HIPAA Security Rule in over a decade. For the first time, physical security moved beyond afterthought status with new requirements for annual assessments, access control planning, and asset tracking.
These are overdue improvements. But for healthcare environments that remain wide open to attackers, they're not enough.
At Lares, we've walked into hospitals dressed as doctors using coats pulled from open closets. We've opened locked server rooms using party balloons and fish tank tubing. We've accessed crash carts, medication dispensers, and data closets while posing as staff. No malware. No code. Just physical access and misplaced trust.
As Eric Smith, Lares Co-Founder and CTO, puts it: "Physical security failures in healthcare aren't just about information loss, they create direct threats to patients and staff. When you think about the payment card industry, physical protection is about credit card data. In healthcare, physical security protects both electronic information and personnel safety."
What's Actually Changing in HIPAA
The 2025 proposed update introduces new expectations for physical safeguards:
- Annual physical security assessments
- Documented facility access control plans
- Tracking the movement of devices containing ePHI
- Expanded workstation definitions to include tablets and shared devices
- Up-to-date network diagrams reflecting physical layout and device connectivity
But is this enough to stop a real attacker? These requirements focus on documentation, not validation. The rule tells you to assess. It doesn't tell you how to test. And it doesn't ask what would happen if someone tried to break in and succeeded.
From Optional to Mandatory: The End of "Addressable" Physical Controls
Previously, many physical safeguards were "addressable," meaning organizations could choose alternative measures or document why controls weren't appropriate for their environment. The 2025 rule makes most physical safeguards mandatory, removing that flexibility.
Combined with annual compliance audits that must verify all safeguards are working effectively, organizations can no longer treat physical security as a paperwork exercise. The shift moves from "assess and document" to "implement and prove."
This change eliminates the common practice of writing policies without enforcing them. Now you must show your physical controls actually work, not just that they exist on paper.
Physical Security in Healthcare Protects Both Data and Lives
A stolen laptop or compromised medical record is serious. But the greater risk in healthcare is harm to people—and the theft of dangerous substances.
Healthcare facilities house controlled substances, prescription pads, and hazardous chemicals that attract criminals beyond typical data thieves. People seeking opioids, stimulants, or prescription blanks are among the most common physical threats medical facilities face. Unlike cybercriminals who work remotely, these attackers must physically breach the facility to reach their targets.
Real-world example: New York City hospitals had thousands of prescription pads stolen simply by slipping into unsecured offices or exam rooms. Those pads fueled opioid abuse and large-scale prescription fraud. (New York Times, Oct 2011)
The risks compound quickly:
- Stolen medications can kill when sold on the street or used improperly
- Prescription pads enable large-scale fraud and illegal distribution
- Hazardous chemicals can be weaponized or cause environmental damage
- Unsecured medical devices like insulin pumps or cardiac monitors can directly threaten patient safety
Healthcare facilities are open by design. Emergency rooms, waiting areas, nursing stations—each zone has a purpose, a population, and a risk profile. Security controls must protect both digital assets and physical ones that can cause immediate harm.
In another case, Lehigh Valley Health disclosed dozens of thefts where a pharmacy technician used another’s credentials to access, steal, and hide discrepancies in controlled drug inventories. The insider threat went undetected until it caused regulatory trouble and a $2.75 million settlement. (US DOJ, June 2023)
The Healthcare Difference: Squishy Perimeters vs. Hard Boundaries
Most secure environments have clear entry and exit points. Banks have controlled vestibules and armed guards. Data centers require pre-authorization and escorts. Corporate offices badge employees through turnstiles.
Healthcare is the opposite. Emergency departments can't screen everyone who walks through the door—people arrive in crisis, often unable to provide ID or follow standard procedures. Visitors move between floors to see patients. Contractors, delivery drivers, and temporary staff are constantly rotating in and out. Family members sleep in rooms overnight.
As Eric puts it, these environments have "squishy perimeters," boundaries that must remain porous by design. Unlike other industries where gaining initial access is the hardest part of an attack, healthcare environments are built to let people in quickly. That openness creates perfect cover for attackers who understand how to blend in.
Physical security in healthcare isn't just about protecting electronic information—it's about preventing theft that can directly endanger lives both inside and outside the facility. The challenge is creating barriers that stop threats without blocking legitimate access during emergencies.
Real-World Attacks Don't Look Like Frameworks
Here's what actually happens during Lares healthcare engagements:
Social Engineering and Impersonation
We pull a lab coat from an unlocked closet, grab a clipboard, and walk past the reception desk. No one questions us because we look the part. Healthcare's culture of helping and the constant flow of visitors, contractors, and temporary staff create a perfect cover for attackers who understand the environment.
Physical Access Control Bypasses
Motion sensors, card readers, and electronic locks all have physical vulnerabilities that can be exploited with simple tools and techniques. One memorable example: using party balloons and fish tank tubing to trigger motion sensors from outside a secured room. The method matters less than the principle—most electronic controls have physical weaknesses that low-tech approaches can exploit.
Key and Credential Harvesting
We find master keys in drawers, janitor carts, or hanging on hooks. No logging. No audit trail. Full building access. As Eric notes, "The beauty of having a physical key and not needing a badge overrides alerts and alarms. You look legitimate because you're walking around like a janitor with keys."
Physical credentials are often treated as less sensitive than digital ones, despite providing the same—or greater—level of access.
Tailgating and Social Pressure
We follow staff into badge-protected areas. Carrying a box, looking rushed, or appearing to belong creates enough social pressure that people hold doors open. Healthcare workers are trained to help, not to challenge, making this approach particularly effective.
Once inside by any of these routes, attackers can:
- Plug into internal network ports
- Access cloud applications open to internal IPs
- Extract credentials from unlocked sessions
- Move laterally across the hybrid infrastructure
- Tamper with patient-facing devices
- Introduce ransomware directly onto critical systems
Case in point: Burglars target hospital pharmacies at night, sometimes using inside help to plan which products to steal and how to get around security. In one cited incident, an organized group relied on floor plans supplied by an employee, then walked out with their list of drugs. (PMC10231288, May 2023)
The techniques vary, but the pattern is consistent: healthcare's open, trust-based environment makes physical compromise both easy and devastating.
Learn more: Lares Physical Security Assessment Methodology
Layered Security Must Match the Risk
One-size-fits-all access control doesn't work in healthcare. A data center shouldn't be protected the same way as a triage room.
| Facility Area | Common Control Failure | Needed Protection |
| --- | --- | --- |
| Public Waiting Room | Unlocked staff doors | Badge-only entry; supervised access |
| Medication Room | Single-lock, no audit | Badge + PIN; audit logging; video monitoring |
| Operating Room | Shared access codes | Biometric + badge; time-restricted access |
| Server Room | Motion sensor bypass | Badge + biometric; 24/7 live monitoring; response protocol |
| Records Storage | Key-only access | Dual authorization; full audit trail; environmental monitoring |
Lares can assist in assigning severity rankings and attractiveness scores to every area, ensuring controls match who and what is at risk, not just where the room is located.
Persistent Danger: Social Engineering
Healthcare organizations are built on trust and constant movement. That same openness creates blind spots.
Attackers know this. Staff are trained to help, not to doubt someone who appears to belong. Escort policies and badge checks often break down during busy shifts or in emergencies. Unfamiliar faces are easily overlooked if they seem credible or look to be in a hurry. Most breaches start with someone trusting the wrong person.
For example, a cybersecurity CEO once posed as a hospital visitor in Oklahoma and successfully gained access to staff areas. He installed malware on a staff computer by simply blending in and asking for access, claiming he had a family member in the hospital for surgery. His attack was only caught because observant staff noticed something out of place. There was no technical bypass—just social engineering, exploiting trust. (KOCO News, April 2025)
Healthcare is uniquely vulnerable because the mission to help often overrides people’s instinct to verify. Training and strong protocols reduce risk, but only if staff stay alert and empowered to challenge what feels wrong, even if it feels uncomfortable.
Post-COVID: Expanded Digital Risk, Unchanged Physical Weakness
Telemedicine, remote access, and cloud-first platforms changed how care is delivered. The attack surface grew digitally, but physical entry points remained the same—if anything, they were neglected due to focus on digital transformation.
As Eric explains: "There's definitely more electronic exposure in a post-COVID world—more services, more SaaS solutions, more remote interactions. But from a physical standpoint, the same threats apply. And often, all it takes is getting inside to access systems that weren't designed to be isolated."
Most cloud misconfigurations and access vulnerabilities still originate with someone gaining initial access from inside the perimeter.
Learn more about Lares Cloud Security Services
Why Healthcare Makes Perfect Ransomware Targets
Healthcare environments are irresistible to ransomware groups. Hospitals operate on limited budgets and often rely on outdated hardware and software. They can’t afford to shut down even for an hour, and attackers know it.
When ransomware hits, the consequences go far beyond lost data. At Springhill Medical Center in Alabama, a ransomware attack crippled monitoring systems during a delivery. Devices were down. Staff were stretched thin. A newborn died after preventable complications, and her mother’s lawsuit claims the hospital never told her the true state of the systems.
Hospitals across the country have gone dark after ransomware attacks. Computers are locked. Ambulances are diverted. Doctors are forced to use pen and paper. At Hancock Regional Hospital, a ransomware attack encrypted every file, shut down clinical operations, and forced the CEO to pay $55,000 just to bring systems online again. They had no choice. After two days offline, hospital staff completed 10,000 forms by hand just to keep up. In the end, patient care was put at risk, and attackers walked away with easy money.
Why do ransomware criminals keep coming? Because the industry can’t pause for cleanup, can’t always restore from backups, and can’t risk losing critical patient data. Attackers set ransom demands at amounts hospitals are likely to pay. And so far, it works—sometimes with deadly consequences.
Healthcare’s open perimeters, dependency on tech, and inability to tolerate downtime mean ransomware attacks target hospitals more than almost any other sector. Physical and cyber vulnerabilities often coexist. When one fails, people pay the price.
Compliance Is the Floor, Not the Finish Line
The new HIPAA rules are a necessary step, but they're baseline requirements, not guarantees of security.
The Real Questions:
- Is checking the box enough?
- Is performing a physical assessment the start or the finish line?
- Are you viewing physical security through the lens of protecting only electronic data, or everything within your facility?
A dialysis center has different risks than an ER waiting room, which differs from a medical records processing facility. Each warrants different controls, but performing a physical assessment should be the minimum requirement.
Moving Beyond the Checklist
At Lares, we view HIPAA compliance as the foundation of a comprehensive security program, rather than a measure of its effectiveness.
Our recommendations:
- Test physical defenses using real-world adversarial techniques
- Build access policies based on operational risk, not convenience
- Monitor and audit badge and key access continuously
- Simulate social engineering attacks regularly
- Train staff to question unfamiliar behavior, not just follow procedures
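As an added illustration of the audit-logging controls in the area table and the recommendation to monitor badge and key access continuously (example code written for this post, not Lares' tooling), the review below reads a badge log and flags after-hours use of a sensitive area, an exit with no recorded entry (a tailgating indicator), and one badge appearing in two separate areas faster than anyone could walk between them (a shared-credential indicator, the pattern in the Lehigh Valley case). The log lines, reader names, area policy and five-minute walk time are constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample badge log: timestamp, badge id, reader, area, direction.
SAMPLE_LOG = """\
2025-03-02T02:10:00 B1042 MR-1 medication_room in
2025-03-02T02:11:30 B1042 MR-1 medication_room out
2025-03-02T02:12:00 B1042 SRV-1 server_room in
2025-03-02T09:00:00 B2077 OR-3 operating_room out
2025-03-02T10:05:00 B3110 WAIT-A waiting_room in
"""

# Assumed policy following the table: sensitive areas get an access window
# (start hour, end hour) and anti-passback, i.e. every 'out' needs an 'in'.
AREA_POLICY = {
    "medication_room": {"hours": (6, 22), "anti_passback": True},
    "operating_room": {"hours": (6, 20), "anti_passback": True},
    "server_room": {"hours": (8, 18), "anti_passback": True},
}
DEFAULT_POLICY = {"hours": (0, 24), "anti_passback": False}  # public areas
MIN_TRAVEL = timedelta(minutes=5)  # assumed walk time between separate wings

def parse(log):
    events = []
    for line in log.splitlines():
        ts, badge, reader, area, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, reader, area, direction))
    return sorted(events)

def review(log):
    """Return (rule, badge, area, timestamp) findings for an analyst to check."""
    findings = []
    inside = set()   # (badge, area) pairs with an open 'in' event
    last_seen = {}   # badge -> (timestamp, area) of its previous event
    for ts, badge, reader, area, direction in parse(log):
        policy = AREA_POLICY.get(area, DEFAULT_POLICY)
        start, end = policy["hours"]
        if not start <= ts.hour < end:          # use outside the area's window
            findings.append(("after_hours", badge, area, ts))
        if policy["anti_passback"]:
            if direction == "in":
                inside.add((badge, area))
            elif (badge, area) in inside:
                inside.discard((badge, area))
            else:                               # exit with no entry: tailgated in
                findings.append(("no_entry_record", badge, area, ts))
        prev = last_seen.get(badge)
        if prev and prev[1] != area and direction == "in" and ts - prev[0] < MIN_TRAVEL:
            findings.append(("impossible_travel", badge, area, ts))  # shared badge?
        last_seen[badge] = (ts, area)
    return findings
```

Run `review(SAMPLE_LOG)` to see the five findings the constructed log produces; in practice the rules feed a daily report that someone responsible for the area actually reads.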
Security cannot be assumed. It must be proven.
Final Word
Threat actors don't care about your documentation. They care about gaining entry, gaining access, and avoiding detection. If your physical security doesn't hold up to real-world testing, you're exposed—no matter what the compliance report says.
Healthcare doesn't get a second chance in the event of a breach. When your attacker wears a stolen badge or walks in behind a nurse, the threat has already bypassed every firewall you paid for.
HIPAA's new physical security requirements are a step forward. But they only matter if they lead to meaningful action beyond checking boxes.
Lares helps healthcare organizations move beyond the checklist. We break in so real attackers can't. We document what failed and help you fix it. And we do it with one goal: protecting what matters most.
Want to know how your facility would hold up against a real attacker?
Contact sales@lares.com or visit lares.com/contact