Healthcare cybersecurity has historically focused on information technology (IT) systems—electronic health records, patient portals, medical imaging systems, and administrative networks. But operational technology (OT) systems—building automation, HVAC controls, access control, medical devices, elevators, and the growing ecosystem of IoT sensors throughout healthcare campuses—represent an expanding attack surface that has received insufficient security attention.

This gap is closing rapidly, driven by high-profile attacks on healthcare OT systems, regulatory attention from HHS and CISA, and the growing recognition that compromised building and medical device systems can directly affect patient safety. Healthcare facility directors increasingly find themselves at the intersection of physical infrastructure management and cybersecurity responsibility.

The OT Security Landscape in Healthcare

Healthcare OT systems that present cybersecurity risk include:

Building Automation Systems

HVAC controls, lighting management, and building management systems are increasingly networked and remotely accessible. BAS vulnerabilities have been exploited in high-profile attacks—the 2013 Target data breach used compromised HVAC monitoring as an entry point into the corporate network. Healthcare facilities whose BAS is connected to internet-accessible interfaces or shares network infrastructure with clinical IT are exposed to similar attack vectors.

Access Control and Physical Security Systems

Electronic access control systems are network-connected and often internet-accessible for remote management. Compromised access control could allow attackers to change door access permissions, unlock secured areas, or disable security systems. At healthcare facilities where access control protects medication storage, infant security systems, and patient care areas, the physical safety implications of access control compromise are immediate.

Medical Devices

Connected medical devices—infusion pumps, patient monitors, imaging systems, ventilators—present a separate but related OT security challenge. FDA cybersecurity requirements for medical devices have been significantly strengthened since 2023, but large installed bases of legacy devices with inadequate security controls remain in operation throughout healthcare.

IoT Building Sensors

The proliferation of IoT sensors for temperature monitoring, occupancy detection, environmental sensing, and equipment monitoring has dramatically expanded the network-connected device count on healthcare campuses without proportional expansion of security management. Many IoT devices have default credentials, limited ability to receive security patches, and minimal security capabilities.

Parking and Campus Security Infrastructure

PARCS systems, LPR cameras, security cameras, and parking guidance systems are network-connected and present an attack surface. Compromised parking system credentials could allow manipulation of access permissions, revenue data, or camera feeds.

Key Vulnerabilities in Healthcare OT

Several vulnerability categories consistently appear across healthcare OT security assessments:

Default Credentials

A significant percentage of healthcare OT devices retain factory default usernames and passwords. Attackers with network access can compromise these devices with publicly available default credential lists without any sophisticated technical capability.

Outdated Software and Firmware

OT devices—particularly older BAS controllers, access control panels, and legacy medical devices—often run software that hasn’t received security patches in years or decades. Vendors may not provide security patches for older products, and healthcare facilities may not have processes for applying available patches to OT systems.

Inadequate Network Segmentation

Many healthcare facilities have OT systems connected to the same network segments as clinical IT—either through intentional integration decisions or legacy network architecture. This connectivity means that a compromised OT device can potentially serve as a pivot point for attacks on clinical systems (EHRs, imaging, pharmacy systems) and vice versa.

Remote Access Vulnerabilities

BAS systems, access control platforms, and other OT systems are often configured with remote access for vendor maintenance. If this remote access is not properly secured—using dedicated connections, strong authentication, and activity monitoring—it provides attackers with a direct path into OT systems without requiring internal network access.

Cybersecurity Framework for Healthcare OT

Healthcare organizations are increasingly applying established cybersecurity frameworks to OT systems. The NIST Cybersecurity Framework (CSF) and the ICS-CERT guidance adapted for healthcare provide structured approaches to OT security management.

Identify

Asset inventory: Know what OT devices are on the network, what they are, who manages them, and what their security posture is. Many healthcare organizations discover significant numbers of unknown or unmanaged OT devices when they conduct their first formal OT inventory.

Network architecture documentation: Map how OT systems are connected to each other and to clinical IT networks. This mapping reveals unintended connectivity that creates attack paths.

Protect

Network segmentation: OT networks should be segmented from clinical IT and administrative IT through firewalls, VLANs, or dedicated physical network infrastructure. OT devices that don’t need to communicate with each other should be further microsegmented within the OT network.

Credential management: Default credentials on all OT devices should be changed before deployment. Strong, unique credentials should be managed through a privileged access management system.

Patch management: While OT patch management is more complex than IT patch management (devices may not support patch updates, or patches may require vendor validation and maintenance window scheduling), OT patches should be applied as part of a systematic program.

Detect

OT network monitoring: Passive monitoring of OT network traffic can identify anomalous communication patterns—unusual traffic volumes, communication with unexpected destinations, protocol anomalies—that indicate compromise or reconnaissance activity. Healthcare OT security platforms (Claroty, Dragos, Nozomi Networks) specialize in this monitoring without requiring security agents installed on OT devices.

Respond

Incident response planning: Healthcare facilities should have specific incident response procedures for OT security events that address the operational and patient safety implications of OT system compromise. These procedures should be integrated with the facility’s broader information security incident response plan.
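The Identify and Detect functions above can be tied together in a small passive flow review: the asset inventory supplies each device's type and segment, and the detection rules flag unknown devices, unexpected peers, protocol anomalies, cross-segment traffic into clinical IT, oversized flows, and peer sweeps that resemble reconnaissance. This is an added example, not code from the article or from any of the platforms it names; the addresses, segment names, thresholds and sample flows are constructed, and the BACnet/IP port (udp/47808) is assumed.

```python
from collections import defaultdict
# Constructed asset inventory (hypothetical addresses), the "Identify" output the
# rules below depend on. Value: (device type, network segment).
INVENTORY = {
    "10.20.1.10": ("BAS controller", "OT-BAS"),
    "10.20.1.11": ("Access control panel", "OT-PHYS"),
    "10.20.1.12": ("Infusion pump", "OT-MED"),
    "10.30.5.2": ("BAS management server", "OT-BAS"),
    "10.30.5.3": ("Patient monitoring gateway", "OT-MED"),
    "10.50.0.20": ("EHR application server", "CLINICAL-IT"),
}
# Expected peers per device type as (dst, proto, dport); assumed BACnet/IP udp/47808.
BASELINE = {
    "BAS controller": {("10.30.5.2", "udp", 47808)},
    "Access control panel": {("10.30.5.2", "tcp", 443)},
    "Infusion pump": {("10.30.5.3", "tcp", 443)},
}

def review_flows(flows, inventory=INVENTORY, baseline=BASELINE,
                 big_flow_bytes=50_000, scan_peers=5):
    # flows: (src, dst, proto, dport, bytes) tuples; returns (src, rule, detail) findings
    findings, peers = [], defaultdict(set)
    for src, dst, proto, dport, nbytes in flows:
        if src not in inventory:  # inventory gap: an unmanaged device is on the OT network
            findings.append((src, "unknown-device", f"{src} not in OT asset inventory"))
            continue
        dtype, seg = inventory[src]
        peers[src].add(dst)
        expected = baseline.get(dtype, set())
        if (proto, dport) not in {(p, d) for _, p, d in expected}:
            findings.append((src, "protocol-anomaly", f"{dtype} using {proto}/{dport}"))
        elif (dst, proto, dport) not in expected:
            findings.append((src, "unexpected-peer", f"{dtype} -> {dst} {proto}/{dport}"))
        dst_seg = inventory.get(dst, (None, None))[1]
        if dst_seg and not dst_seg.startswith("OT-"):  # OT device reaching an IT segment
            findings.append((src, "cross-segment", f"{seg} -> {dst} ({dst_seg})"))
        if nbytes > big_flow_bytes:
            findings.append((src, "volume", f"{nbytes} bytes in one flow"))
    for src, dsts in peers.items():  # many distinct peers looks like reconnaissance
        if len(dsts) >= scan_peers:
            findings.append((src, "many-peers", f"{len(dsts)} distinct destinations"))
    return findings

# Constructed sample flows: a normal BACnet poll, a BAS controller opening SMB to the
# EHR server, an un-inventoried device, and an access panel sweeping its own subnet.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.30.5.2", "udp", 47808, 1200),
    ("10.20.1.10", "10.50.0.20", "tcp", 445, 80000),
    ("10.20.1.99", "10.30.5.2", "udp", 47808, 300),
] + [("10.20.1.11", f"10.20.1.{n}", "tcp", 443, 60) for n in range(20, 26)]
```

Running review_flows(SAMPLE_FLOWS) returns eleven findings: the normal BACnet poll is silent, while the SMB flow to the EHR server trips three rules at once, which is the kind of overlapping signal that should drive an OT-specific incident response procedure rather than a single alert.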

Regulatory Expectations for Healthcare OT Security

Healthcare regulatory expectations for OT cybersecurity are evolving rapidly:

HHS 405(d) Program

The HHS 405(d) program (Health Industry Cybersecurity Practices) provides guidance for healthcare OT security, identifying OT-specific cybersecurity practices that the program recommends healthcare organizations implement. While not directly enforceable, 405(d) guidance represents HHS’s view of reasonable cybersecurity practices.

CISA Healthcare Sector Guidance

CISA (Cybersecurity and Infrastructure Security Agency) has published healthcare sector-specific guidance addressing OT security, critical infrastructure protection, and incident reporting requirements for healthcare organizations experiencing cyber incidents.

FDA Medical Device Cybersecurity

The FDA’s 2023 medical device cybersecurity requirements apply to manufacturers of networked medical devices—but healthcare organizations that deploy these devices must incorporate them into their OT security programs, ensure vendor cybersecurity disclosures are reviewed, and include medical devices in their asset inventory and vulnerability management programs.

Practical Starting Points for Facility Directors

Healthcare facility directors who are beginning to address OT cybersecurity should prioritize:

  1. OT asset inventory — knowing what’s on the network is a prerequisite to securing it
  2. Default credential remediation — change default passwords on all accessible OT devices
  3. Vendor remote access review — audit who has remote access to OT systems and ensure all access is secured with strong authentication
  4. IT collaboration — engage the healthcare organization’s IT security team to include OT systems in the enterprise security program

Frequently Asked Questions

Who should be responsible for OT cybersecurity in a healthcare organization—IT or facilities?

The most effective model in healthcare is joint responsibility with defined roles: IT security provides the cybersecurity expertise and enterprise security program governance; facilities provides OT knowledge and operational accountability for building system security. Joint responsibility requires active collaboration rather than each side assuming the other is handling OT security.

Can standard IT security tools be used for OT security monitoring?

Traditional IT security tools that require software agents installed on devices cannot be deployed on most OT systems—the devices don’t support agent installation, or agents would disrupt device operation. OT-specific network monitoring tools use passive traffic analysis techniques that provide visibility without requiring agents. These purpose-built OT security platforms are necessary for effective healthcare OT monitoring.

What’s the HIPAA intersection with OT cybersecurity?

HIPAA Security Rule requirements apply to electronic protected health information (ePHI). OT systems that contain or transmit ePHI—such as electronic medication dispensing systems that record patient medication administration, or nurse call systems that log patient call events associated with patient identifiers—are subject to HIPAA Security Rule requirements. Building automation systems that don’t touch patient data generally are not HIPAA-regulated, though they may still require cybersecurity attention as network infrastructure adjacent to HIPAA-regulated systems.

How often should healthcare facilities conduct OT security assessments?

Annual OT security assessments are a best practice minimum, with assessments triggered by significant changes: new OT system deployments, significant network architecture changes, mergers and acquisitions that bring new OT infrastructure into the organization, and after any OT-related security incidents. Organizations in sectors identified as high-risk by threat intelligence should assess more frequently.