Converged Security: Bringing IT and Physical Security Together in Healthcare

In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released its Cybersecurity and Physical Security Convergence Action Guide, highlighting the importance of moving beyond traditionally siloed security models. The guide outlines the risks associated with separating physical and cybersecurity functions and presents a practical framework for aligning these disciplines with broader organizational priorities and business objectives. It also emphasizes the value of convergence through real-world examples and adaptable implementation strategies.

 

This message is particularly relevant in healthcare, where security risks no longer fall neatly into “physical” or “cyber” categories. A single vulnerability—whether a misplaced badge, a connected medical device, or an unsecured workstation—can rapidly evolve into a significant operational disruption or patient safety issue.

 

Converged security addresses this reality by integrating physical security and cybersecurity into a unified, coordinated strategy—enhancing protection, improving incident response, and strengthening overall organizational resilience.

 

Why Convergence Matters

 

When teams operate in silos, gaps emerge that can increase risk and delay response. Convergence closes those gaps and delivers:

 

  • Stronger protection: Physical controls reinforce cybersecurity safeguards

  • Faster response: Shared visibility accelerates detection and containment

  • Better risk management: Unified insight across facilities, people, and systems

 

Real-World Example

 

It is not uncommon for organizations to encounter risk when employee termination processes are managed in silos. One large U.S. health system experienced a data breach after a terminated employee’s physical access was not promptly revoked. The individual was able to re-enter a restricted area using an active badge, access an unattended and logged-in workstation, and ultimately expose sensitive patient information.

 

In response, the organization implemented a more integrated, converged approach by aligning HR, identity management, and physical access control systems. This included automating the real-time deactivation of both physical and digital access and establishing joint monitoring between IT and physical security teams.

 

As a result, the organization significantly reduced insider risk, improved response times, and strengthened compliance and audit controls, demonstrating the value of a coordinated, enterprise-wide approach to access management and security.
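The gap in the example above (a terminated employee whose badge still works) can be surfaced by reconciling the HR termination feed against badge and account status. The audit below is an added illustration, not the health system's own tooling; the record layouts, employee IDs, and field names are assumptions, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample records; layouts and field names are assumptions.
HR_TERMINATIONS = {            # employee id -> termination effective time
    "E1001": "2024-03-01T17:00:00",
    "E1002": "2024-03-02T12:00:00",
}
BADGES = {"E1001": {"active": True}, "E1002": {"active": False}, "E1003": {"active": True}}
ACCOUNTS = {"E1001": {"enabled": False}, "E1002": {"enabled": True}, "E1003": {"enabled": True}}
BADGE_SWIPES = [               # (timestamp, employee id, door)
    ("2024-03-01T09:00:00", "E1002", "lobby"),
    ("2024-03-03T07:58:00", "E1001", "records-room"),
]

def audit_terminations(terminations, badges, accounts, swipes):
    """Return, per terminated employee, any access that outlived the termination."""
    report = {}
    for emp, term_ts in terminations.items():
        term = datetime.fromisoformat(term_ts)
        issues = []
        if badges.get(emp, {}).get("active"):
            issues.append("badge-still-active")
        if accounts.get(emp, {}).get("enabled"):
            issues.append("account-still-enabled")
        # Any swipe after the effective time means the physical gap was actually used.
        late = [(ts, door) for ts, who, door in swipes
                if who == emp and datetime.fromisoformat(ts) > term]
        if late:
            issues.append("badge-used-after-termination")
        if issues:
            report[emp] = {"issues": issues, "swipes_after": late}
    return report

if __name__ == "__main__":
    for emp, finding in audit_terminations(
            HR_TERMINATIONS, BADGES, ACCOUNTS, BADGE_SWIPES).items():
        print(emp, finding)
```

Run on a schedule, a check like this catches drift between systems even when real-time deactivation is in place and one of the integrations fails silently.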

 

How Physical and Cyber Teams Support Each Other in Incident Response

 

Converged security is most impactful during incidents. When teams collaborate, response becomes faster, more accurate, and more effective.

 

1.   Shared Detection and Context

 

A converged approach enhances shared detection and situational awareness by integrating insights from both physical and cybersecurity domains.

Physical security contributes video surveillance, badge access data, and on-the-ground observations, while cybersecurity teams provide network activity, authentication attempts, and system-generated alerts.

 

When these data sources are combined, organizations gain a more complete and contextualized view of potential threats. For example, a suspicious login alert can be quickly validated against corresponding badge activity or video footage to determine whether the access was legitimate.

 

This coordinated visibility enables teams to rapidly assess threats, reduce false positives, and make more informed response decisions, strengthening overall security effectiveness.

 

2.   Rapid Investigation

 

A converged approach significantly strengthens rapid investigation capabilities by combining digital and physical intelligence to validate and contextualize suspicious activity.

 

Cybersecurity teams may detect anomalous account behavior, such as unusual login patterns or access attempts. Physical security teams can then complement this analysis by confirming who entered the facility and tracking their movement within the environment through badge access data and video surveillance.

 

For example, if an account is used to access systems from a sensitive location such as a server room, physical security can verify whether the individual was physically present at that time.

 

This integrated approach enables teams to quickly distinguish between legitimate activity and potential compromise, accelerating investigation timelines and improving the accuracy of response decisions.
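The validation described in sections 1 and 2, checking a login against badge activity for the same location, can be sketched as a simple correlation. This is an added example, not code from the author; it assumes local workstation logins that can be mapped to a badge-controlled zone, a 30-minute look-back window, and constructed sample events.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back: how long a badge-in still counts

# Constructed sample events, not real logs.
BADGE_EVENTS = [   # (timestamp, badge holder, zone, door result)
    ("2024-03-04T08:55:00", "asmith", "server-room", "granted"),
    ("2024-03-04T09:40:00", "bjones", "pharmacy", "granted"),
    ("2024-03-04T10:02:00", "cnguyen", "server-room", "denied"),
]
LOGIN_EVENTS = [   # (timestamp, account, zone of the workstation used)
    ("2024-03-04T09:05:00", "asmith", "server-room"),
    ("2024-03-04T09:45:00", "asmith", "pharmacy"),
    ("2024-03-04T10:05:00", "cnguyen", "server-room"),
    ("2024-03-04T11:30:00", "bjones", "server-room"),
]

def correlate(logins, badges, window=WINDOW):
    """Label each local login by what badge data says about who was in the zone."""
    findings = []
    for ts, account, zone in logins:
        t = datetime.fromisoformat(ts)
        recent = [(who, result) for bts, who, bzone, result in badges
                  if bzone == zone
                  and timedelta(0) <= t - datetime.fromisoformat(bts) <= window]
        granted = {who for who, result in recent if result == "granted"}
        denied = {who for who, result in recent if result == "denied"}
        if account in granted:
            verdict = "corroborated"          # account owner badged into the zone
        elif granted:
            verdict = "other-person-present"  # someone else badged in; owner did not
        elif account in denied:
            verdict = "denied-at-door"        # owner was refused entry, yet login occurred
        else:
            verdict = "no-badge-activity"     # nobody badged in: remote use or tailgating
        findings.append((ts, account, zone, verdict))
    return findings

if __name__ == "__main__":
    for row in correlate(LOGIN_EVENTS, BADGE_EVENTS):
        print(*row)
```

Only the "corroborated" verdict closes an alert on its own; the other three are the cases where video footage or an on-site check is worth requesting.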

 

3.   Real-Time Containment

 

A converged approach to incident containment ensures that cybersecurity and physical security teams act in parallel to rapidly limit risk and prevent further escalation.

 

From a cybersecurity perspective, response actions may include disabling user accounts, isolating affected systems, and blocking unauthorized access. At the same time, physical security can reinforce containment by escorting individuals, securing sensitive areas, and revoking physical access credentials such as badges.

 

This coordinated approach is particularly effective in scenarios involving employee separations, insider threats, or suspicious activity, where risks exist across both digital and physical domains. By working together, these teams can simultaneously restrict movement within systems and facilities, effectively preventing further spread or impact of the incident.

 

4.   Incident Coordination

 

Joint incident response playbooks establish a structured and coordinated approach by defining clear escalation pathways, well-defined roles and responsibilities across teams, and aligned communication with leadership and clinical operations.

 

For example, when a ransomware alert triggers IT containment measures, physical security can act in parallel to restrict access to affected systems and secure impacted areas, ensuring a comprehensive and synchronized response.

 

5.   Post-Incident Analysis

 

Post-incident activities should be as integrated as the incident response itself. Just as organizations should avoid managing incidents in silos, after-action reviews and improvement planning must be conducted collaboratively. Bringing together all involved functions ensures a comprehensive evaluation of what worked well, where gaps existed, and how future responses can be strengthened.

 

A converged approach to post-incident analysis enables a more complete understanding of events. For example, physical security teams contribute critical data such as video footage and access control logs, while cybersecurity teams provide system logs, alerts, and network activity. When combined, these insights create a holistic view of the incident.

 

This integrated perspective enhances root cause analysis, strengthens corrective actions, and drives more effective control improvements, ultimately improving organizational resilience.

 

Getting Started

 

Organizations looking to adopt a converged security model should begin by fostering a culture of collaboration and inclusivity across physical security, cybersecurity, and related functions. CISA emphasizes that successful convergence is not one-size-fits-all; rather, organizations should tailor their approach based on their structure, priorities, and current capabilities.

 

A practical starting point is to assess the current security posture to identify gaps, vulnerabilities, and opportunities for alignment. For organizations not yet ready to fully converge, conducting an internal or third-party security assessment can help define a clear, risk-informed path forward.

 

Ultimately, convergence should be approached as a flexible, strategic process—one that aligns security functions with broader business objectives while progressively enhancing coordination, visibility, and resilience.

 

Final Thought

 

In today’s healthcare environment, no incident is purely physical or purely cyber.

Organizations that successfully integrate these functions—particularly within incident response—are better positioned to protect patients, safeguard staff, and sustain critical operations during times of disruption.

 

Equally important is the inclusion of Emergency Management within this converged model. Leveraging structured frameworks such as the Hospital Incident Command System (HICS), along with expertise in incident coordination and crisis communication, enhances the effectiveness and consistency of response efforts across both physical and cyber domains.

 

By incorporating emergency management into a converged security approach:

 

  • Incident response becomes more structured, scalable, and disciplined

  • Roles, responsibilities, and decision-making authority are clearly defined during complex events

  • Communication across clinical, operational, and executive leadership is streamlined and aligned

  • Recovery efforts are accelerated through coordinated planning and execution

 

Bringing together physical security, cybersecurity, and emergency management establishes a truly unified incident management capability—one that strengthens resilience and supports a more prepared and responsive healthcare organization.

 

Author: Ed Wurster, III, Manager, Business Continuity and Cyber Resilience

 
 
 
