The contractors’ role in security and cybersecurity

Contractors play an important role in ensuring health care facilities are physically secure and virtually prepared to prevent cybersecurity threats. In general, contractors reported in the American Society for Health Care Engineering/Health Facilities Management magazine 2026 Hospital Construction Survey that they are getting more involvement from security and information technology (IT) personnel during their planning, design and construction (PDC) projects.

Click chart to expand and view data on the contractors’ role in security and cybersecurity planning

But some challenges persist, including contractors needing to be brought into discussions about implementing cybersecurity precautions in their projects much earlier, says Pete Maslenikov, a health care construction project executive at Skanska USA Building Inc. “IT and their cybersecurity policies and needs, that’s oftentimes behind the door for us, and we don’t get a chance to be involved in those discussions,” he says. “What that means is that we have to engage our clients’ IT professionals much earlier to make sure their needs are getting met.”

For example, discussions on server rooms and their space and power needs both now and in the future need to be held in the master planning phase and design development stage, not later.

Contractors’ main design priorities during construction projects align with the general survey respondents, with preventing infant abduction (82%), preventing attacks or physical assaults on staff (77%) and ensuring cybersecurity (72%) ranking high.

Related Article

2026 Hospital Construction Survey Results

Budget constraints (48%) and the difficulty of balancing cybersecurity needs with clinical workflow/patient experience (50%) were cited as the top design integration challenges contractors found when working with health care organizations.

“Cybersecurity is complicated. It requires a lot of complex management, implementation, technical skills, staffing and resources,” says Ted Hood, managing principal and Nashville, Tenn., operations manager at TLC Engineering Solutions. “It’s very costly, and it does take a lot of dedicated focus from the team. A lot of facilities are still in the process of trying to upgrade their networks to meet the minimum standards to protect themselves.”

Because security managers know they won’t always get what they request in construction projects due to budget restraints, Michael Lauer, MBA, vice president of emergency preparedness, environmental health and safety, and public safety at BJC Health System in Missouri and chair of the International Association for Healthcare Security and Safety’s Guidelines Council, says it is important to lean on annual security risk assessments to understand what the top security risks and vulnerabilities are in their health care facilities — a list that often changes from year to year. Those priorities should be communicated to contractors as well as internal staff as appropriate.

Subcontractors also must be brought into the loop on security expectations during PDC projects — something general contractors need to take accountability for, Hood says.

“I think general contractors need to really evaluate how they are looking at cybersecurity, the impact to their subcontractors and the requirements that they put on them and make it clear that is their expectation instead of an afterthought,” Hood says. “Frankly, most contractors are struggling right now in getting their subs to take serious the risk they’re bringing to job sites.”

Article by Chris Dimick, content development and communications manager at the American Society for Health Care Engineering and production editor at Health Facilities Management (HFM) magazine, and data by Jamie Morgan, senior editor of HFM.