Healthcare organisations are particularly vulnerable to information security threats and breaches because of the highly confidential nature of their patients' medical information. With the emergence of the Internet of Things (IoT) in healthcare, ranging from diagnostic devices to medical wearables, the industry has become even more exposed to malicious exploitation. One reason malicious attacks continue to occur at an alarming rate is poor compliance with information security policies. This study investigates the issues associated with the causes of poor compliance within private healthcare organisations in Malaysia. Data were collected through interviews with various healthcare respondents, and the findings reveal that poor security compliance is mainly caused by behavioural issues and a severe lack of security awareness, both of which require immediate attention and mitigation. Potential measures to cultivate information security awareness and to safeguard IoT-based medical devices are proposed to achieve compliance.