In an era where healthcare systems are prime targets for cyberattacks, experts are broadening their focus to encompass not just IT systems, but also operational technology (OT) security. Christopher Lau, Director of Cyber Security, Proactive Security, and IoT Risk at Advocate Health, shared his expertise in a recent interview, emphasizing the unique and critical challenges posed by OT in healthcare. His insights reveal the often-overlooked vulnerabilities in medical and industrial control systems, offering a new perspective for healthcare IT professionals striving to fortify their organizations against evolving threats.
A Unique Focus on OT Security in Healthcare
With healthcare’s heavy reliance on operational technology—from HVAC systems to medical devices—the need for robust OT security has become increasingly urgent. Lau underscored that Advocate Health, as one of the country’s largest health systems, faces an unprecedented cybersecurity challenge following its recent merger with Atrium Health, now encompassing over 50 hospitals and 150,000 employees. “There is a lot of opportunity for growth and to serve the communities and patients in our areas,” Lau explained, “but also a lot of opportunity for attackers, unfortunately.”
Historically, healthcare cybersecurity efforts have focused primarily on IT. However, with the OT systems that control physical elements like building automation and medical devices now exposed, attackers have an additional avenue for disrupting healthcare operations. “If an IT system goes down, it’s kind of an inconvenience,” Lau observed. “With OT, you’ll really notice it.” In healthcare, where environmental controls are essential to patient care, an OT breach could force a facility to close.
Understanding the Critical Risks of OT in Healthcare
Operational technology differs fundamentally from traditional IT, operating in the physical world rather than the digital one. Lau highlighted that OT systems in healthcare facilities require nearly constant availability to maintain safe, regulated environments. This difference also extends to the types of threats they face. “If attackers can shut down critical OT systems, like HVAC or elevators, it could force a hospital to evacuate,” Lau warned, painting a vivid picture of the risks posed by OT-focused ransomware attacks.
He drew attention to the risks associated with aging OT infrastructure, much of which lacks modern cybersecurity defenses. “A lot of industrial control systems from the Clinton administration are not going to have the same security features that current systems have,” he noted, emphasizing the need to address outdated technology that is still crucial to healthcare operations.
The Overlooked Threat of Unsegmented Networks
Many healthcare systems lack dedicated OT security teams, meaning that OT is often managed by traditional IT teams ill-prepared to handle its unique demands. This lack of specialization can lead to network segmentation issues, as IT and OT networks may share resources without proper isolation, which increases vulnerabilities. According to Lau, “Usually, you don’t see dedicated incident response or network monitoring for OT. They try, more often than not, to jam it into the IT funnel, and it just doesn’t work.”
To address these risks, Lau recommended separating OT networks from IT networks wherever possible, creating dedicated incident response and disaster recovery plans for OT, and providing targeted security training for teams managing OT systems.
Building an Effective OT Security Team
Establishing a specialized OT security team is essential, but the unique expertise required makes hiring a challenge. In response, Lau adopted a creative approach at Advocate Health. “If you’re trying to find just people with an engineering background or an ICS background, that is a chocolate-covered unicorn with sprinkles,” he joked, highlighting the scarcity and high cost of such talent. Instead, Lau assembled a diverse team from various professional backgrounds, including networking, finance, and clinical operations, and trained them through specialized programs like those offered by the SANS Institute.
Lau’s approach reflects a broader trend in cybersecurity: the importance of cross-functional skill sets and adaptive learning in tackling complex, evolving security threats. His team exemplifies the value of professionals who may lack deep technical backgrounds but possess critical thinking skills and a commitment to learning the intricacies of OT.
Moving Beyond Prevention to Resilience
In the face of escalating cyber threats, Lau believes that healthcare cybersecurity strategies must shift from prevention to resilience. Traditional IT vulnerability management focuses on immediate risks like zero-day vulnerabilities, but Lau argued that OT demands a different approach. “In OT, it’s more about resiliency and making sure we have the defenses and we’re focused on what we need to focus on,” he said. This proactive mindset involves securing older technology, understanding the attack landscape, and prioritizing resilience over reactive measures.
As part of this shift, Lau recommended a phased approach to OT security, beginning with an inventory of critical systems. This inventory provides visibility into essential assets, allowing IT leaders to prioritize updates and implement segmentation and security measures for the highest-risk equipment. “Start with an inventory,” Lau advised. “What do you have? Where is it? Who’s managing it? And how do people get in?”
Lessons for Healthcare IT Professionals
Lau’s approach to OT security offers valuable insights for healthcare IT professionals. He highlighted that even as health systems become more sophisticated in managing IT security, OT often remains a “dusty room that you’d better go check out.”
While many healthcare teams focus on medical devices, Lau believes the bigger threat lies in industrial control systems, where vulnerabilities may go unnoticed until they result in a major disruption.
For healthcare IT professionals, the message is clear: OT security should be an integral part of any cybersecurity strategy. A robust OT security program not only safeguards critical infrastructure but also ensures patient safety and operational continuity. By understanding and mitigating the unique risks associated with OT, healthcare IT leaders can protect their organizations from potentially catastrophic cyber incidents.