Healthcare cybersecurity discussions often center on electronic health records, ransomware, and clinical IT systems — and those concerns are well-founded. But the cybersecurity risk landscape in hospitals extends into the physical plant in ways that facility directors are increasingly responsible for understanding and managing.

Building management systems, access control platforms, RTLS infrastructure, nurse call systems, medical gas monitoring, and elevator controls are all networked computing systems. Many run on older operating systems, have default credentials, and were deployed without cybersecurity review by IT security teams. As these systems are connected to hospital networks for remote monitoring and management, they become part of the hospital’s attack surface.

Why Building Systems Are Cybersecurity Targets

Hospital building systems are attractive targets for several reasons:

Patient safety impact potential — A compromised BMS could theoretically alter HVAC setpoints in critical care areas, adjust pharmaceutical storage temperatures, or disable security cameras and door controls. While deliberately targeted attacks on building systems are uncommon, the potential severity makes them a meaningful risk.

Lateral movement pathway — A compromised BMS or access control system on the hospital network can serve as a beachhead for an attacker seeking to reach clinical IT systems or EHR servers. A ransomware attack against a hospital often begins with a vulnerability in a less-secured network segment.

Operational technology (OT) legacy — Building management systems often run on Windows XP, Windows 7, or proprietary operating systems that no longer receive security patches. These systems are difficult to update without disrupting 24/7 operations and may not be compatible with modern security agents.

Vendor remote access — Building system vendors commonly maintain standing VPN connections for remote monitoring and service. These connections, if compromised at the vendor end, provide direct access to hospital systems. Vendor remote access is a significant and underappreciated risk vector.

Operational Technology (OT) Security Framework

The ICS/OT security community has developed frameworks for securing industrial and building control systems. NIST’s Cybersecurity Framework (CSF) and IEC 62443 (Industrial Communication Networks — IT Security for Networks and Systems) are the most broadly applicable.

For healthcare facility directors, the key principles are:

Asset inventory — You cannot secure what you don’t know you have. Maintain a complete inventory of all networked building system devices: BMS controllers, access control panels, RTLS readers, nurse call servers, and monitoring systems. Include OS version, firmware version, and network connectivity.

Network segmentation — Building system devices should be on dedicated operational technology (OT) network segments, logically separated from clinical IT networks and the general corporate network. Firewall rules should restrict communication between OT segments and other network zones to the minimum required for legitimate operations.

Authentication — Default credentials on building system equipment (extremely common in legacy deployments) must be changed. All management interfaces must require authentication. Shared accounts with shared passwords must be eliminated and replaced with individual user credentials.

Vendor access management — Remote access for building system vendors should be time-limited (activated when needed, deactivated when work is complete), monitored, and require multi-factor authentication. Standing always-on VPN tunnels to vendors should be eliminated.

Patch management — Develop a patch management schedule for building system software and firmware. Some systems cannot be patched without vendor involvement or service disruption. For systems that cannot be patched, compensating controls (additional network monitoring, physical access restrictions, isolated network segments) are required.
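As an added illustration (not from the original article), the following Python script reviews a constructed sample inventory against the principles above: it flags default credentials, devices sitting outside the OT segments, and end-of-life operating systems, and records the compensating controls an unpatchable device needs. Field names, segment names and the end-of-life list are assumptions.

```python
"""Added example (not from the original article): review a networked
building-system inventory against the OT principles above.  Device records
are constructed sample data; field names and segment names are assumptions."""
from dataclasses import dataclass

# Operating systems that no longer receive vendor security patches (assumed list).
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
# Firewall zones reserved for building systems (assumed names).
OT_SEGMENTS = {"ot-bms", "ot-access-control", "ot-rtls"}

@dataclass
class Device:
    name: str
    system: str          # BMS, access control, RTLS, nurse call, ...
    os: str
    firmware: str
    segment: str         # VLAN / firewall zone the device sits in
    default_creds: bool  # factory credentials still in place
    patchable: bool      # vendor supports patching without service disruption

def review(dev: Device) -> list:
    """Return the findings (with the required action) for one device."""
    findings = []
    if dev.default_creds:
        findings.append("default credentials: change before any other work")
    if dev.segment not in OT_SEGMENTS:
        findings.append(f"outside OT segment ({dev.segment}): move and restrict firewall rules")
    if dev.os in EOL_OS:
        if dev.patchable:
            findings.append(f"{dev.os} is end-of-life: schedule OS upgrade with vendor")
        else:
            findings.append(f"{dev.os} unpatchable: isolate, monitor traffic, restrict physical access")
    return findings

def review_inventory(devices) -> dict:
    """Map device name -> findings, devices with the most findings first."""
    report = {d.name: review(d) for d in devices}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

# Constructed sample inventory.
INVENTORY = [
    Device("bms-ahu-01", "BMS", "Windows XP", "4.2.1", "ot-bms", True, False),
    Device("acs-server", "access control", "Windows Server 2019", "9.1", "corp-lan", False, True),
    Device("rtls-gw-03", "RTLS", "Linux 5.10", "2.8.0", "ot-rtls", False, True),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY).items():
        print(name, "->", findings or ["no findings"])
```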

Access Control System Cybersecurity

Access control platforms — managing who enters which doors with what credentials — are a particularly sensitive building system from a cybersecurity perspective. A compromised access control system could allow unauthorized physical access to clinical areas, pharmaceutical storage, or data centers.

Key access control cybersecurity requirements:

Encrypted credential communications — Legacy 125 kHz proximity card credentials transmit unencrypted data that is easily cloned. Modern smart card credentials (MIFARE DESFire, SEOS) use encrypted communications that resist cloning. Upgrading from 125 kHz to encrypted credentials is both a physical security and cybersecurity improvement.

Access control server hardening — The server or cloud platform managing the access control system should be hardened per IT security standards: current operating system patches, minimal services running, strong authentication for administrative access, and regular backup.

Database encryption — The access control database contains credential data for all users. This database should be encrypted at rest and in transit.

Event log integrity — Access control event logs may be used in investigations. Log integrity should be protected against modification through appropriate access controls and log forwarding to a centralized security information and event management (SIEM) system.
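An added example (not part of the original article) of one way to make access control event logs tamper-evident before they are forwarded: each record carries a SHA-256 hash over the previous record's hash and its own event, so a record that is modified or deleted after the fact breaks the chain. The events are constructed sample data.

```python
"""Added example (not from the original article): tamper-evident access
control event log using a SHA-256 hash chain, the kind of integrity check a
SIEM forwarder can verify on receipt.  Events are constructed sample data."""
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first record

def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def chain(events) -> list:
    """Return records {"event", "prev", "hash"} linked by hash (events are copied)."""
    records, prev = [], GENESIS
    for ev in events:
        h = _digest(prev, ev)
        records.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return records

def verify(records):
    """Return (ok, index of first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed sample events from an access control panel.
EVENTS = [
    {"ts": "2021-03-02T02:14:07Z", "door": "pharmacy-01", "badge": "B1042", "result": "granted"},
    {"ts": "2021-03-02T02:16:30Z", "door": "pharmacy-01", "badge": "B1042", "result": "granted"},
    {"ts": "2021-03-02T02:40:11Z", "door": "datacenter-02", "badge": "B0077", "result": "denied"},
]

def tamper_demo():
    """Alter one event after chaining and show that verification catches it."""
    records = chain(EVENTS)
    ok_before, _ = verify(records)
    records[1]["event"]["result"] = "denied"   # silent edit of an already-forwarded record
    ok_after, bad = verify(records)
    return ok_before, ok_after, bad

if __name__ == "__main__":
    print(tamper_demo())   # (True, False, 1)
```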

COVID-19 and Remote Access Expansion (2021)

The COVID-19 pandemic drove an expansion of remote access to building systems as facilities teams worked from home or managed multiple sites with reduced on-site staffing. Remote access to BMS, access control, and monitoring systems increased — and so did the attack surface.

Security gaps that emerged during pandemic-era remote access expansion included:

  • Rapid deployment of VPN access without full security review
  • Personal computers used to access OT systems (potential malware exposure)
  • Expanded vendor access granted to support remote management during staffing reductions

Facilities teams should review all remote access provisioned during 2020-2021 and confirm that appropriate security controls are in place, including multi-factor authentication and time-limited access windows.
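As an added example (not from the original article) covering both the vendor access management principle above and the pandemic-era review just described, this Python code gates a remote connection on a time-limited window, MFA and a managed device, and lists grants provisioned during 2020-2021 that still lack MFA or an expiry. Grant records and field names are constructed assumptions.

```python
"""Added example (not from the original article): gate remote-access sessions
on a time-limited window, MFA and a managed device, and review grants
provisioned during 2020-2021.  Grant records and field names are constructed."""
from datetime import datetime, timezone

def evaluate(grant: dict, now: datetime, mfa_ok: bool, device_managed: bool):
    """Return (allowed, reasons) for one connection attempt against a grant."""
    reasons = []
    start, end = grant.get("window_start"), grant.get("window_end")
    if start is None or end is None:
        reasons.append("standing access with no activation window")
    elif not (start <= now <= end):
        reasons.append("outside approved window")
    if not mfa_ok:
        reasons.append("MFA not satisfied")
    if not device_managed:
        reasons.append("unmanaged (personal) device")
    return (not reasons), reasons

def pandemic_era_review(grants, start: datetime, end: datetime) -> dict:
    """Grants provisioned between start and end that still lack MFA or an expiry."""
    flagged = {}
    for g in grants:
        if not (start <= g["provisioned"] <= end):
            continue
        issues = []
        if not g["mfa_required"]:
            issues.append("no MFA")
        if g.get("window_end") is None:
            issues.append("no expiry")
        if issues:
            flagged[g["id"]] = issues
    return flagged

UTC = timezone.utc
GRANTS = [  # constructed sample grants
    {"id": "vendor-bms-service", "provisioned": datetime(2020, 4, 3, tzinfo=UTC),
     "mfa_required": False, "window_start": None, "window_end": None},
    {"id": "facilities-remote", "provisioned": datetime(2021, 2, 10, tzinfo=UTC),
     "mfa_required": True, "window_start": datetime(2021, 2, 10, tzinfo=UTC),
     "window_end": datetime(2021, 8, 10, tzinfo=UTC)},
    {"id": "vendor-elevator-ticket", "provisioned": datetime(2022, 5, 1, tzinfo=UTC),
     "mfa_required": True, "window_start": datetime(2022, 5, 1, 8, tzinfo=UTC),
     "window_end": datetime(2022, 5, 1, 17, tzinfo=UTC)},
]

if __name__ == "__main__":
    print(evaluate(GRANTS[0], datetime.now(UTC), mfa_ok=False, device_managed=False))
    print(pandemic_era_review(GRANTS, datetime(2020, 1, 1, tzinfo=UTC), datetime(2021, 12, 31, tzinfo=UTC)))
```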

Incident Response for Building Systems

Healthcare facility directors should ensure that their organization’s cybersecurity incident response plan specifically addresses building system compromise scenarios. Questions to address:

  • Who is notified if a BMS anomaly suggests potential compromise?
  • Can building systems be isolated from the network without disrupting critical operations?
  • What is the manual fallback procedure for critical building systems (HVAC control, door access) if electronic systems are taken offline?
  • Who has authority to take building systems offline during a security incident?

The answer to the last question is often unclear in hospital organizations — IT security teams may not have authority over facilities systems, and facilities teams may not have cybersecurity response experience. Clarifying roles and responsibilities before an incident is essential.

Frequently Asked Questions

Who is responsible for building system cybersecurity — IT or facilities? Both. The most effective model is shared responsibility with clear delineation: IT/cybersecurity owns network security architecture, authentication standards, patch management processes, and incident response. Facilities owns the physical systems, operational requirements, and vendor relationships. A joint working group with representatives from both teams is necessary to navigate the boundary between operational requirements and security standards.

Are building automation systems required to meet HIPAA security requirements? HIPAA Security Rule requirements apply to electronic protected health information (ePHI). Pure building automation systems (HVAC, lighting) that do not process or store patient data are not directly subject to HIPAA Security Rule requirements. However, access control systems that log patient or visitor access events, RTLS systems that track patient location, and nurse call systems may handle data that implicates HIPAA. Review with your privacy officer.

What should we do when a building system vendor says they can’t patch a known vulnerability because it would void the warranty? Document the vendor’s position in writing. Implement compensating controls: isolate the device on a restricted network segment, monitor traffic to and from the device, restrict all access to the minimum required, and review with your cybersecurity team. Begin evaluating the cost-benefit of replacing the equipment versus maintaining it under compensating controls. The risk of running known-vulnerable software indefinitely must be weighed against the cost of replacement.

How do we evaluate a new building system vendor’s cybersecurity posture? Include cybersecurity requirements in your procurement process: request a completed security questionnaire, require documentation of security testing, require contractual commitments to patch notification and patch support, and review their remote access architecture. Vendors who cannot answer basic security questions about their platform present cybersecurity risk that should factor into your vendor selection.