Healthcare
Vulnerability Management
Risk Management
Cyber Resilience

Secure by Default: The Necessary Prescription for Secure Healthcare Delivery

George V. Hulme
Apr 28, 2025

Healthcare organizations today face an unprecedented challenge. They must safeguard sensitive patient information and protect a fleet of connected medical devices while also delivering quality care. The tension between security and convenience is an old one, but the price of getting that balance wrong is higher in healthcare than almost anywhere else, because the systems at risk are the ones that deliver care.

The "secure-by-default" approach represents a critical shift in how healthcare providers approach cybersecurity. Rather than treating security as an afterthought or add-on feature, secure-by-default means a system is protected from the moment it is deployed: the hardened configuration is the one it ships with, and the buyer does not have to discover and enable it. Here, we examine what secure-by-default means for healthcare delivery providers and lay out the essential components to consider.

Jeff Williams, co-founder and chief technology officer at Contrast Security, says secure by design and secure by default are especially important in healthcare. The responsibility starts with device and software makers and continues through deployment and management.

"For systems and software that handle protected health information, it means someone thought through the foreseeable threats, created strong controls for all those threats, tested them rigorously, and monitored those controls to be sure they are working," he explains.

"Electronic health record security requires absolute encryption implementation with precise access controls and proactive vulnerability elimination," adds Rafay Baloch, CEO and founder at REDSECLABS. "Connected devices require shipping with strengthened configurations, individual credentials, and tamper-resistant firmware to maintain their resistance against developing threats," he says. 

Connected Medical Devices Insecure by Default

Claroty's security research group, Team82, found that 63% of the vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog were present on the healthcare networks it analyzed, and that 23% of medical devices carried at least one of those known exploited flaws. The group also found that 14% of connected medical devices ran an unsupported version of their operating system. Team82 further found 5,100 publicly accessible servers speaking Digital Imaging and Communications in Medicine (DICOM), the standard for exchanging medical images, that exposed imaging data. Flawed medical devices range from infusion pumps and implantable cardiac devices to patient monitors and imaging systems.

These vulnerabilities exist largely because medical device manufacturers have historically prioritized functionality over security. In healthcare environments that shows up as devices and software shipped with hard-coded passwords, default administrative access, insecure communication protocols such as unencrypted DICOM transmissions, and patching delayed by lengthy certification processes, which leaves devices exposed for months after a vulnerability is disclosed.

"Expectations should include embedded security for the core system and software, not something you add later," says Kurt Osburn, director of risk management and governance at cybersecurity services provider NCC Group. "The ability to limit access using authorization mechanisms and have secure logging, strong authentication, and easy configuration should be standard when reviewing for device purchases," he adds.

Many experts say regulatory gaps exacerbate these issues: while the FDA mandates pre-market cybersecurity assessments, post-market monitoring remains inconsistent, which allows legacy devices to keep operating without updates.

Of course, the onus for the state of healthcare security isn't all on the device and software makers. Hospitals and other healthcare delivery providers often prioritize accessibility over network security. Team82 also found that 22% of facilities have devices that bridge guest and internal networks, exposing critical devices to untrusted users. Providers also often practice inadequate cybersecurity hygiene and maintain incomplete asset inventories, which hinders vulnerability management, with 30% of hospitals lacking visibility into their connected devices.
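The insecure defaults described above (factory credentials, open administrative interfaces, plaintext DICOM, unsupported operating systems, devices bridging guest and clinical segments, and gaps in the asset inventory) can be turned into a baseline check that a provider runs against its own inventory before and after onboarding a device. The following Python is an added example written for this page, not code from the article, Claroty, Team82 or any vendor named here. The `Device` records, the default-credential and unsupported-OS lists, and the hostnames are constructed for illustration; the only external facts it relies on are the IANA port registrations for DICOM (104) and DICOM over TLS (2762). It also separates the findings a configuration change can clear from those, like an unsupported OS, that it cannot.

```python
"""Secure-by-default baseline audit for a connected-device inventory.

Added example, not code from the article, Claroty or Team82. All records,
credentials, OS names and hostnames below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed factory credentials; a real list comes from vendor documentation
# and default-credential databases, not from this file.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("service", "service"), ("root", "root")}

# Constructed examples of operating systems past vendor end of support.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}

# IANA-registered DICOM ports: 104 (plain DICOM) and 2762 (dicom-tls).
DICOM_PLAIN_PORT = 104
DICOM_TLS_PORT = 2762


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    username: str
    password: str
    admin_interface_open: bool         # remote admin UI reachable over the network
    dicom_port: Optional[int] = None   # None if the device does not speak DICOM
    dicom_tls: bool = False
    networks: Tuple[str, ...] = ()     # segments the device is reachable from


def audit_device(d: Device) -> List[str]:
    """Return the secure-by-default violations found in one device record."""
    findings = []
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if d.admin_interface_open:
        findings.append("admin-interface-exposed")
    if d.dicom_port is not None and not d.dicom_tls:
        findings.append("dicom-unencrypted")
    if d.os in UNSUPPORTED_OS:
        findings.append("unsupported-os")
    # A device reachable from the guest segment and any other segment bridges them.
    if "guest" in d.networks and len(set(d.networks)) > 1:
        findings.append("guest-network-bridged")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings; an empty list means baseline met."""
    return {d.name: audit_device(d) for d in devices}


def find_unmanaged(discovered: List[str], inventory: List[Device]) -> List[str]:
    """Hosts seen on the network with no inventory record; these cannot be audited."""
    known = {d.name for d in inventory}
    return sorted(set(discovered) - known)


def apply_secure_defaults(d: Device) -> Device:
    """Copy of the record with configuration-level fixes applied.

    An unsupported OS is not a setting, so 'unsupported-os' survives this step
    and needs a vendor update or compensating controls instead.
    """
    return replace(
        d,
        username=f"{d.name}-svc",                 # per-device, not shared
        password=secrets.token_urlsafe(24),       # generated, stored in a vault
        admin_interface_open=False,
        dicom_port=DICOM_TLS_PORT if d.dicom_port is not None else None,
        dicom_tls=d.dicom_port is not None,
        networks=tuple(n for n in d.networks if n != "guest"),
    )


# Constructed inventory records (not real devices, credentials or hosts).
INVENTORY = [
    Device("infusion-pump-01", "Embedded Linux 4.x", "admin", "admin",
           admin_interface_open=True, networks=("clinical", "guest")),
    Device("ct-scanner-02", "Windows 7", "svc-ct", "q7#Lm2!vXr9$",
           admin_interface_open=False, dicom_port=DICOM_PLAIN_PORT,
           dicom_tls=False, networks=("imaging",)),
    Device("pacs-01", "Windows Server 2019", "pacs-svc", "Yd4^tB8&nWq1%",
           admin_interface_open=False, dicom_port=DICOM_TLS_PORT,
           dicom_tls=True, networks=("imaging",)),
]

# Constructed list of hostnames a network scan reported.
DISCOVERED = ["infusion-pump-01", "ct-scanner-02", "pacs-01", "patient-monitor-07"]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {findings or 'baseline met'}")
    print("unmanaged:", find_unmanaged(DISCOVERED, INVENTORY))
    print("ct-scanner-02 after hardening:",
          audit_device(apply_secure_defaults(INVENTORY[1])))
```

Run it directly to print the findings per device and the hosts the scan saw that the inventory does not know about; an unmanaged host is the first gap to close, because nothing else in the check can see it. The `apply_secure_defaults` step is deliberately a record transform rather than a push to the device: it models the target state a buyer should be able to demand out of the box, and it makes the point that the one finding it cannot clear is the one only the manufacturer can fix.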

This historically lax approach shows in healthcare data breach statistics, and the most recent figures remain very high. In the first quarter of 2025, 160 breaches compromised the protected health information of 5,590,141 patients, with healthcare providers accounting for more than 75% of incidents and more than 4 million affected patients.

Cloud Systems: No Security Assumptions by Default

The secure-by-default shift must also extend to cloud systems, which today touch everything from patient records to diagnostic imaging and real-time care coordination. Designing cloud systems on "secure by design" principles matters because security has to be a foundational element at every architectural layer, from endpoint devices, across the network, and into the software systems where data is managed and stored, so that the attack surface is minimized at each layer rather than at the perimeter alone.

"Whether cloud-based or local systems, the protections should be the same," says NCC Group's Osburn. "The cloud may change the location, but you should still be using logging, limited access, alerting, constant monitoring, encryption, and other security tools to protect the environment," he explains.

Healthcare delivery organizations increasingly rely on cloud and SaaS providers. To keep their technology stacks secure, they must look beyond marketing claims of "secure by default" and evaluate how these vendors actually embed security into their platforms from the ground up.

Critical criteria should include robust data privacy controls, granular access management, continuous behavioral monitoring, and evidence of a mature risk management program—alongside transparency in patching, incident response, and third-party audits. Ultimately, trust in a SaaS partner should be earned through demonstrable operational security, not assumed by default.

These principles must also cover applications and cloud systems developed in-house. Cloud environments are dynamic: they involve multiple interconnected services, third-party integrations, and constantly changing workloads, and without security by design those moving parts accumulate misconfigurations, outdated components, and insecure interfaces that attackers are quick to exploit. By building in practices such as least privilege, defense in depth, and continuous security testing, secure by design keeps those risks small and ensures that every component, whether a storage bucket or an AI-powered analytics tool, starts from a secure state rather than having to be locked down afterward.

Ultimately, secure by design fosters resilience and reliability in healthcare cloud systems. It lets organizations respond quickly to new threats, recover more effectively from incidents, and keep delivering care without interruption even as threat actors evolve.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
