Comfort, not Chaos: How to Reduce the Cyber Risk of Healthcare Operational Technology (OT) Solutions

In a hospital at night, a patient wants to read a book, so she turns up the lights through her room’s dimmer switch. When she’s finished, she prepares for bed by turning off the lights, and closing the window blinds. Shortly after, she feels too warm, so she lowers the temperature on the thermostat.

What’s more, she’s able to do all of this from the comfort of her bed, by using a hospital-supplied remote-control device. Elsewhere, patients do the same using apps on their phones.

This illustrates how healthcare organizations are investing into what’s called Operational Technology (OT) – solutions which monitor or alter physical systems – to improve the patient experience and run their buildings. Whether the solutions control lighting, thermostats, security cameras, elevators, power management or additional systems via wired or wireless configurations, the healthcare industry is increasingly dependent upon them. And this dependence is helping drive worldwide demand for OT, which is expected to grow to a $40.42 billion market by 2022, up from $27.2 billion two years ago, according to a forecast from MarketsandMarkets.

However, as is the case with biomedical devices, security has emerged as a concern. Internet of Things (IoT) innovation supports a great deal of OT solutions, which, of course, creates issues: Nearly nine of ten healthcare organizations have experienced an IoT-related security breach, and one-half have encountered malware within IoT-connected systems, according to research from Hewlett Packard Enterprise’s Aruba Networks. The healthcare and life science sectors now account for 6 percent of all global OT incidents– up from zero percent three years ago, according to the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In the modern era of cyber threats, hospital CIOs cannot prevent 100 percent of OT-linked attacks. But they can significantly reduce their risk exposure by taking the following steps:

Inventory every endpoint.

As indicated, certain OT products are wired in, and others are wireless. Either way, CIOs must gain total visibility of where they are, and what they do.

Beyond the pure volume of endpoints here, the various parties which implement OT solutions will introduce complications. CIOs don’t order lights and thermostats, after all. Building maintenance supervisors do. In addition, those supervisors may hire a third-party contractor to install, say, an OT-enabled speaker system without the CIO knowing about it. (Or knowing whether the contractors evaluate the security features of the products they offer.) Still, once these products connect to the IT network, their continued connectivity becomes IT’s responsibility. Thus, it’s essential for CIOs and their teams to conduct a complete inventory – and take at least partial ownership – of their organization’s OT “threatscape”.

Segment the environment.

The best way to keep OT-triggered threats from damaging or disrupting the network is to, well, remove them from the main network. That’s what segmentation does, by creating an entirely separated IT environment for OT products. With this, if bad guys exploit an OT vulnerability, they can only cause a limited amount of chaos, because OT is no longer part of the core network.

Even better, IT teams can more effectively monitor OT performance within a segmented environment, because everything is clustered within the same place. So when those in-room lights fail to dim, the teams will see this, and take corrective action to keep patients (and hospital supervisors) happy.

Set standards.

OT doesn’t work like other technologies and, subsequently, can’t be “fixed” like other technologies. (You can’t patch that thermostat, can you?) Given this, CIOs must get with building managers and anyone else who acquires these solutions to develop cybersecurity standards for OT vendors. If the vendors fail to comply with the standards, then they don’t get the hospital’s business.

Like any other developing technology, OT will usher in a new wave of risks. Therefore, as with all cyber systems, IT should apply optimal visibility, accountability, oversight and action from implementation to monitoring to – if needed – mitigation. That’s how to, ahem, “keep the lights on” and otherwise ensure a pleasant patient experience while still protecting the network.