In our previous post, we looked at how financial services organizations navigate the Exception Economy: mature compliance processes running alongside persistent operational gaps. Healthcare tells a different version of the same story, and in some ways one that’s more frightening.
Healthcare carries some of the strictest data protection obligations in any sector. HIPAA, OCR enforcement, and a rapidly evolving regulatory environment around AI and medical devices mean that most organizations in this space have built serious compliance infrastructure. Replica Cyber’s research found that 77.4% of healthcare respondents use formal, documented security exceptions with time limits and compensating controls. That’s well above the cross-industry average of 63%.
And yet, when no approved environment exists for high-risk work, healthcare teams reach for unofficial solutions more than any other vertical we surveyed. The compliance process and the workarounds exist side by side, because they’re solving two different problems.
When there’s no approved path, healthcare improvises more than anyone
Among healthcare respondents, 54.8% said their teams use unofficial or ad hoc environments when no approved option exists. This is the highest rate of any vertical in the survey, and more than 11 points above the overall average. In a sector where HIPAA governs how protected health information is handled, ad hoc devices and shadow cloud accounts are not compliant infrastructure.
The environment problem is worse here than anywhere else
Inadequate environments always or often block high-risk digital work for 87.1% of healthcare respondents—the highest of any vertical and well above the 69% overall figure. Budget is “always a blocker” for 51.6%, compared to 36% overall. Teams know what the right answer looks like. They still can’t get the infrastructure they need to do the work safely.
Strategic work is paying the price
Forty-eight percent of healthcare respondents delayed market expansion in the past year because the work couldn’t be conducted securely, above the 39% overall average. Forty-two percent delayed M&A transactions, above the 32% overall. In a sector consolidating at pace, security infrastructure gaps are adding friction to deal timelines without anyone formally accounting for the cost.
The compliance process isn’t the problem… or the solution
The research shows that formal exception processes manage the work that goes through the process, but organizations don't create the environments that would make the exception unnecessary. Every workaround is evidence of a gap the process hasn't closed. In a sector with this level of regulatory exposure, that gap carries a specific kind of cost.

