Operational Technology (OT) Security Risks, Best Practices in Healthcare

June 16, 2022 - Information technology (IT) and operational technology (OT) security require varying approaches, but both are crucial to maintaining a safe and secure healthcare environment. IT and OT are fundamentally different—while IT security measures focus on safeguarding electronic data, OT security centers on device availability and reliability.

But as digital transformation efforts and the internet of things (IoT) take hold in healthcare, many organizations have converged IT and OT efforts to some degree in order to streamline workflows and make connections between digital and physical environments.

This convergence can reduce inefficiencies and help organizations cut costs, but it also poses additional security risks worth considering.

“As threat actors are increasingly thwarted by sophisticated IT cyber defenses, it stands to reason that they will turn their attention more to exploiting OT system vulnerabilities,” Mirel Sehic, global cybersecurity director at Honeywell Building Technologies, told HealthITSecurity.

“This threat landscape will continue to evolve as OT systems are part of an increasingly connected environment.”

In the following sections, HealthITSecurity will explore the ways in which OT and IT security methods differ, the benefits and downfalls of OT/IT convergence, and best practices for maintaining OT security in healthcare.

Key Differences Between OT and IT Security, How They Converge

“Today, conversations about cybersecurity still focus primarily on information technology systems, i.e., safeguarding data, proprietary and commercial off-the-shelf [COTS] software, and personally identifiable information [PII],” Sehic said.

“Operational technology systems in healthcare facilities—which control, monitor and protect processes, equipment, and operational environments—are often overlooked, but they are just as critical to data security, reputation, and even employee safety.”

Safeguarding protected health information (PHI) and other personal data is crucial to maintaining healthcare cybersecurity, especially as cyberattacks continue to increase in severity and scope. But from a hospital’s parking lot gates to devices within the facility, OT systems are also everywhere and must be similarly prioritized.

The National Institute of Standards and Technology (NIST) defines operational technology as “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).”

“These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.”

Examples of OT include industrial control systems (ICS), physical access control mechanisms, and building management systems. Industrial control systems are a major segment of OT. ICS includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems that the US relies upon to support critical infrastructure.

NIST defines information technology as “any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.”

OT security protects the reliability of operations in the physical world, while IT security protects data at rest or in transit, SANS Institute guidance explained. But as the cyber and physical worlds continue to merge, it is no longer useful to view OT and IT as entirely independent from one another; in fact, doing so may create gaps in an organization’s security architecture.

IT and OT Must Work Together While Acknowledging Cyber Risk

Organizations are increasingly leveraging cyber-physical systems that incorporate IT elements into OT devices and infrastructure. This integration can further capabilities and enhance processes across the organization.

But as a result of this interconnectedness, threat actors targeting critical infrastructure may use IT cyberattack tactics to gain access to OT systems.

“As hospitals and medical centers become more digital, senior security leadership, alongside facility managers, are increasingly embracing connected environments, but with this comes increased exposure of OT systems to cybersecurity threats,” Sehic emphasized.

“Imagine, for example, a ransomware attack on a hospital’s OT system. Staff could be locked out of critical operating facilities or prevented from accessing patient files, admitting new patients or even using diagnostic devices such as MRI or CT scanners, quite literally endangering lives.”

Historically, IT and OT security were considered separate for a few main reasons, a white paper by the International Society of Automation (ISA) explained. First, IT environments had long been the main target for cyber threat actors, especially when OT systems were not commonly connected to the internet. Additionally, OT environments used to be isolated from networks, and IT was more focused on protecting the confidentiality of data rather than the availability of physical systems.

But the digital nature of the world today means that IT must now consider a bigger scope of impact from cyberattacks, including physical systems. In addition, OT teams must learn how to protect digital data as more OT systems come online, ISA reasoned. Collaboration between the two disciplines can fill knowledge gaps and streamline workflows.

However, organizations must also recognize that new security risks are likely to emerge as they bring OT systems into the IT realm. In its ICS best practices document, the Cybersecurity and Infrastructure Security Agency (CISA) warned of this very risk.

“ICS owners and operators face threats from a variety of adversaries whose intentions include gathering intelligence and disrupting National Critical Functions,” CISA noted.

“As ICS owners and operators adopt new technologies to improve operational efficiencies, they should be aware of the additional cybersecurity risk of connecting operational technology (OT) to enterprise information technology (IT) systems and Internet of Things (IoT) devices.”

CISA noted that merging ICS and OT efforts with IT may expand the ICS cyberattack surface and eliminate network segmentation, which could result in expanded access to critical systems.

OT and IT still require different and careful approaches, but the interconnectedness of healthcare environments at the very least require regular communication and collaboration between OT and IT teams.

Best Practices for OT Security

“As buildings and their systems become more connected to the cloud, via Internet of Things, responsible stakeholders should take the steps necessary to understand their cybersecurity risks and accountability to mitigate them,” Sehic advised.

“In hospitals and medical centers, when lives are literally on the line, the stakes are even higher than in other critical infrastructure environments. With increasing cybersecurity risks, tougher regulations, and complex interconnected systems, these organizations need a simple, centralized way to administer enterprise cybersecurity that encompasses both OT and IT systems.”

Healthcare organizations should incorporate OT security strategies that reflect the current state of their environments.

“At a tactical level, this means correcting common vulnerabilities, such as outdated or unpatched software or communication protocols that lack stringent security measures. As threat actors continue to gain critical mass and learn to exploit new vulnerabilities, medical centers in particular need products and protocols that can quickly identify exposure and prevent or mitigate breaches,” Sehic continued.

CISA recommends that organizations establish risk management and cybersecurity governance and ensure that only authorized personnel have access to OT systems. In addition, organizations should utilize network segmentation when possible and train IT and OT operators to recognize the signs of network compromise.

Patching and vulnerability management, asset inventories, and a culture of security within an organization’s workforce are all crucial to maintaining enterprise-wide security.