HIMSS26: 3 signals changing the healthcare data landscape

HIMSS26 drew over 25,000 healthcare leaders to the Venetian Convention and Expo Center in Las Vegas last month. Nearly a quarter were C-suite. The exhibit hall was packed, the sessions were standing room only, and for the first time in several years, the conference felt less like a trade show and more like a strategy session for an industry under real pressure.

I spent three days focused on sessions and conversations around the following hot topics: Data security, data governance and AI adoption. Those three topics dominated the conference agenda and they are converging in ways that should reshape how every enterprise data platform thinks about its roadmap.

Here is what I took away.

HIMSS26 was about operational AI deployment. HIMSS CEO Hal Wolf set the tone in his opening briefing:

“Four years ago, we started talking about AI, and we didn’t have anyone doing it, except experimenting with it. Two years ago, we were talking about the fact that only less than 5% of the institutions in the world were actually deploying AI at any level. A year-and-a-half ago, you saw a lot of AI being built into EHR platforms. So we're just at the front-end of utilizing these tools where they can be most effective within that operational scope.”

Snowflake and Hakkoda released research at HIMSS confirming 77% of healthcare organizations have already invested or plan to invest in generative or agentic AI. The experimentation phase is over.

The place where AI is delivering the fastest returns is not clinical diagnostics. It is back-office operations. The Snowflake/Hakkoda survey found 60% of organizations are targeting administrative workflow automation, 50% are focused on clinical documentation and 47% are automating billing and prior authorization. FinThrive launched agentic AI that autonomously executes revenue-cycle workflows across 50+ use cases, with early adopters recovering nearly $1 million in underpayments within three months. Epic reported 85% of its customer base is using its AI suite. MEDITECH debuted autonomous claim denial agents. These EHR vendors are embedding AI directly into workflows and producing measurable financial outcomes.

But HIMSS also made the constraint visible. The same Snowflake/Hakkoda research found that 85% of healthcare leaders say interoperability is a higher priority today than it was two years ago. Harvard's Isaac Kohane put it directly during a HIMSS panel:

“AI adoption outside of revenue cycle management and ambient documentation has been slow.”

Health and Human Services (HHS) Assistant Secretary Thomas Keane reinforced this at the conference, framing "data liquidity," the ability of health information to flow seamlessly and securely between systems, providers and patients, as a federal priority because treating patients without a complete picture of their health leads to medication errors, care gaps and adverse events. The data that healthcare organizations need to make AI work is fragmented, siloed and in many cases too sensitive to move.

That is the core tension HIMSS26 surfaced. The demand for AI is accelerating. The data infrastructure to support it is not keeping pace.

The cybersecurity tracks at HIMSS26 signaled a fundamental shift in the industry: Data protection is no longer just a governance challenge, but a direct security imperative for patient safety. Across 49 sessions, the dialogue moved beyond traditional defense to a more integrated view of resilience. This year, the conference’s two dominant themes—AI governance and cybersecurity—effectively merged into a single conversation, reflecting a reality where technical uptime is synonymous with clinical reliability.

This convergence is most visible in how the community now treats AI governance as a rigorous security discipline rather than a passive compliance exercise. This clinical-first security approach was highlighted by Vanderbilt’s Dr. Peter Embi, who introduced "algorithmovigilance"—the continuous monitoring and validation of clinical AI to ensure it remains fit for purpose. To support this at the infrastructure level, organizations like Northwestern Medicine are securing AI workloads through EHR microsegmentation and zero trust architectures, while new tools like Singulr AI’s Agent Pulse provide the runtime governance necessary for autonomous agents.

However, as internal AI safeguards mature, the external threat landscape is becoming more sophisticated and predatory. Attackers are increasingly pivoting toward healthcare vendors rather than hospitals, exploiting the third-party landscape as a primary entry point. Russell Teague of Fortified Health Security noted that this remains the fastest-growing attack surface in the industry, punctuated by the Change Healthcare breach that impacted 190 million Americans. This evolution creates a high-stakes AI-versus-AI arms race: While health systems deploy AI to streamline operations, attackers are using the same technology to scan for legacy vulnerabilities and unsupported systems within clinical networks.

Federal regulators are now moving to formalize this link between system resilience and patient safety. The proposed 2026 HIPAA Security Rule updates, expected from HHS by mid-year, will eliminate addressable flexibility in favor of mandatory, non-negotiable controls. These include universal multi-factor authentication for ePHI, mandatory encryption, network segmentation and 72-hour recovery capabilities. Ultimately, any data platform handling PHI or PII must be built with this regulatory trajectory in mind, treating security not as a feature, but as a foundational requirement for modern care delivery.

The HIMSS conversations around algorithmovigilance, zero trust for AI workloads and runtime governance for autonomous agents all describe the same architectural requirement: Every data touchpoint in the AI pipeline needs to be protected and auditable. But the question is, where in the pipeline does that protection need to happen?

Capital One Software's Databolt, our enterprise data security solution, is positioned to address this problem. Databolt is a high-performance vaultless tokenization engine that protects sensitive data, including PII and PHI, while preserving its utility for analytics and AI. A study completed by Capital One Software and PwC validated that models trained on Databolt-tokenized structured data achieve 99.7% accuracy compared to raw data. This means organizations can use their most sensitive datasets for AI training and inference without exposing the underlying data to the model and external vendors, limiting breach risk.

The HIMSS conversations around AI governance and security make the case for this approach more compelling than it was even six months ago. When Vanderbilt researchers talk about algorithmovigilance and Northwestern presents on zero trust for AI workloads inside Epic, they are describing an environment where every data touchpoint in the AI pipeline needs to be protected and auditable. Tokenization at the data layer, before it reaches the AI system, is one of the cleanest architectural patterns for achieving this.

The interoperability bottleneck surfaced at HIMSS runs deeper than just providing AI systems access to internal data. The more systemic challenge lies in moving data securely between organizations. Whether collaborating on population health analytics, value-based care measurement or clinical research, healthcare entities are facing a push for data liquidity that the current infrastructure struggles to support. HHS highlighted this as a clinical priority, noting that fragmented data leads directly to medication errors and care gaps, while recent Snowflake/Hakkoda research confirms that operational efficiency—not just compliance—is now the primary driver for data sharing.

Despite this willingness to collaborate, the mechanism for doing so remains a significant barrier. Historically, joint analytics on overlapping patient populations has required third-party intermediaries. These legacy models often demand annual subscriptions exceeding $300,000 and require organizations to move their data into a proprietary ecosystem, paying significant fees for linkage and de-identification. While feasible for large health systems with deep pockets, this toll-road approach is often impractical for the mid-market providers, regional health plans and public health agencies that comprise the majority of the industry.

The industry is now pivoting toward a more decentralized model—one that prioritizes data sovereignty and reduces the friction of external movement. Databolt Connect was designed specifically to meet this shift by enabling secure collaboration natively within an organization's existing environment. Rather than exporting data to a third party, it de-identifies first-party data directly inside Databricks and utilizes secure cleanrooms for linkage.

This architecture ensures that sensitive PII and PHI are never exposed during the enrichment process, allowing organizations to perform joint analytics without relinquishing control or paying a recurring premium for data access. By removing the traditional trade-offs between cost, complexity and privacy risk, this model aligns with where the market is headed: A future where the ability to link and enrich data is a standard capability of the platform, not a gated service.

HIMSS26 confirmed that the era of treating data security as an insurance policy against breaches is ending. The organizations that will lead in healthcare AI are the ones that treat data security as an enablement layer, a capability that unlocks use cases rather than one that restricts them.

The HIPAA Security Rule updates expected later this year will accelerate this shift. Organizations that have already built security into their data architecture will be positioned to move faster on AI. Organizations that treated it as an afterthought will spend the next 18 months catching up.

At Capital One Software, Databolt and Databolt Connect are built to sit at the intersection of these trends. Protect data at the source. Preserve its utility for AI and analytics. Make secure collaboration across organizations as simple as it should be. HIMSS26 validated that the market is ready for this approach. The focus now must shift to execution.