The accelerating digitization of healthcare delivery has intensified long-standing cybersecurity vulnerabilities rooted in legacy medical devices, fragmented network architectures, and historically perimeter-centric security paradigms. Healthcare organizations increasingly rely on interconnected clinical workstations, electronic health records, artificial intelligence-driven diagnostics, and networked medical devices that were not designed for modern threat landscapes. This study develops a comprehensive, theoretically grounded analysis of zero-trust security adoption in healthcare, with a particular focus on the operational, governance, and socio-technical implications of upgrading hospital clinical workstations to Windows 11 environments. Anchored in recent empirical and conceptual scholarship, the article interrogates how zero-trust principles intersect with legacy systems, regulatory accountability, and emerging AI-enabled clinical workflows. Central to this inquiry is the evaluation of Windows 11 as a security modernization vector within hospital infrastructures, drawing on recent evaluative research that examines compatibility constraints, security controls, and workflow disruptions associated with contemporary operating system adoption in clinical contexts (Nayeem, 2026).

The study employs a qualitative, interpretive research design grounded in systematic literature synthesis, governance analysis, and conceptual modeling. Rather than treating zero trust as a purely technical framework, the article situates it within broader debates on organizational learning, institutional trust, ethical accountability, and cyber risk management in healthcare. The analysis demonstrates that while zero-trust architectures promise granular access control, continuous authentication, and reduced lateral movement, their effectiveness is fundamentally constrained by legacy medical devices that cannot natively support modern cryptographic standards or identity-centric security models (Gellert et al., 2023). The transition to Windows 11 clinical workstations is shown to function as both a catalyst and a stress test for zero-trust implementation, exposing tensions between security hardening and clinical usability, as well as between regulatory compliance and operational resilience (Nayeem, 2026).

Findings suggest that zero-trust adoption in healthcare must be understood as a socio-technical transformation rather than a discrete technological upgrade. The article argues that Windows 11 adoption, when aligned with zero-trust principles, can enhance baseline security postures through hardware-backed security, secure boot mechanisms, and identity integration, yet simultaneously exacerbates interoperability challenges with legacy devices and vendor-locked ecosystems (Eastwood, 2024). The discussion advances a multi-layered framework for healthcare cybersecurity governance that integrates zero trust, AI accountability, blockchain-based integrity mechanisms, and legacy system risk mitigation. By synthesizing diverse strands of cybersecurity, health informatics, and governance literature, this article contributes a theoretically expansive and policy-relevant perspective on the future of secure healthcare digital transformation.

Zero-trust architecture, healthcare cybersecurity, legacy medical devices

Kasralikar P, Polu OR, Chamarthi B, Veer Samara Sihman Bharattej Rupavath R, Patel S, Tumati R. Blockchain for securing AI-driven healthcare systems: a systematic review and future research perspectives. Cureus. 2025;17:e83136.

Nayeem M. Bridging zero-trust security and legacy medical devices: An evaluation of Windows 11 adoption in hospital clinical workstations. Frontiers in Emerging Artificial Intelligence and Machine Learning. 2026;3(1):1–8.

Burrell DN. Understanding healthcare cybersecurity risk management complexity. Land Forces Academy Review. 2024;29:38–49.

Gellert GA, et al. Zero trust and the future of cybersecurity in healthcare delivery organizations. Journal of Hospital Administration. 2023;12(1):1–8.

Northcutt S. Inside network perimeter security. 2nd ed. Sams; 2005.

Debnath S. Integrating information technology in healthcare: recent developments, challenges, and future prospects for urban and regional health. World Journal of Advanced Research and Reviews. 2023;19(1):455–463.

Kaspersky. Kaspersky finds 73% of healthcare providers use medical equipment with a legacy OS. 2024.

Tyler D, Viana T. Trust no one? A framework for assisting healthcare organisations in transitioning to a zero-trust network architecture. Applied Sciences. 2021;11(16):1–18.

Help Net Security. Rising cyber incidents challenge healthcare organizations. 2023.

Habli I, Lawton T, Porter Z. Artificial intelligence in health care: accountability and safety. Bulletin of the World Health Organization. 2020;98:251–256.

Khan MJ. Zero trust architecture: redefining network security paradigms in the digital age. World Journal of Advanced Research and Reviews. 2023;19(3):105–116.

He Y, et al. A survey on zero trust architecture: challenges and future trends. Wireless Communications and Mobile Computing. 2022;2022:1–13.

Eastwood B. Tips for health systems on managing legacy systems to strengthen security. HealthTech Magazine. 2024.

Ajish D. The significance of artificial intelligence in zero trust technologies: a comprehensive review. Journal of Electrical Systems and Information Technology. 2024;11:30.

Markus AF, Kors JA, Rijnbeek PR. The role of explainability in creating trustworthy artificial intelligence for health care: a comprehensive survey. Journal of Biomedical Informatics. 2021;113:103655.

Khan MM, Shah N, Shaikh N, Thabet A, Alrabayah T, Belkhair S. Towards secure and trusted AI in healthcare: a systematic review of emerging innovations and ethical challenges. International Journal of Medical Informatics. 2025;195:105780.

Ghasemshirazi S, Shirvani G, Alipour MA. Zero trust: applications, challenges, and opportunities. arXiv. 2023;1–23.

Ho G, et al. Hopper: modeling and detecting lateral movement (extended report). arXiv. 2021;1–20.

Mandiant. M-Trends 2022 special report: executive summary. 2022.

Shojaei P, Vlahu-Gjorgievska E, Chow YW. Security and privacy of technologies in health information systems: a systematic literature review. Computers. 2024;13(2):1–25.

Hong QN, Pluye P, Fàbregues S, et al. Mixed methods appraisal tool (MMAT), version 2018. BMJ. 2018;1–7.

Page MJ, McKenzie JE, Bossuyt PM, et al. The PRISMA 2020 statement: an updated guideline for reporting systematic reviews. BMJ. 2021;372:n71.

Vijayasekhar D. Securing the future: strategies for modernizing legacy systems and enhancing cybersecurity. Journal of Artificial Intelligence and Cloud Computing. 2022;1(3):1–3.

Ofili BT, Erhabor EO, Obasuyi OT. Enhancing federal cloud security with AI: zero trust, threat intelligence, and compliance. World Journal of Research and Review. 2025;25:2377–2400.

Department of Health. Investigation: WannaCry cyber-attack on the NHS. UK National Audit Office. 2018.

International Conference on Communication Technologies (ComTech 2017). Institute of Electrical and Electronics Engineers; 2017.