Key Takeaways
- U.S. and international agencies have released guidance on secure connectivity for operational technology (OT) environments.
- In healthcare, OT environments include the systems that manage energy control, HVAC, life-safety systems, door access controls, physical security systems, and alarms.
- Organizations face challenges prioritizing cybersecurity for OT due to constraints such as dependence on legacy technologies.
- Eight principles have been outlined as a framework to design, secure, and manage OT environment connectivity.
- Collaboration between OT owners, vendors, and cybersecurity teams is critical, and hospitals should assess the impact of OT system loss on clinical continuity and care delivery.
Introduction to Operational Technology Environments
Operational technology (OT) environments play a crucial role in various industries, including healthcare. These environments consist of systems and devices that manage and control physical processes, such as energy control, heating, ventilation, and air conditioning (HVAC), life-safety systems, door access controls, physical security systems, and alarms. In healthcare, OT environments are essential for maintaining a safe and healthy environment for patients, visitors, and staff. However, these systems are often vulnerable to cyber threats, which can have severe consequences, including disruption of critical services and compromise of patient care.
Challenges in Prioritizing Cybersecurity for OT
Organizations face significant challenges in prioritizing cybersecurity for OT environments. One of the primary constraints is the dependence on legacy technologies that are ill-equipped for modern connectivity or security requirements. These legacy systems may not have been designed with security in mind, and upgrading or replacing them can be costly and complex. Additionally, OT systems often require continuous operation, making it difficult to take them offline for maintenance or updates. As a result, organizations may struggle to allocate resources and prioritize cybersecurity for OT, leaving these systems vulnerable to cyber threats.
Guidance on Secure Connectivity for OT Environments
To address these challenges, U.S. and international agencies have released guidance on secure connectivity for OT environments. The guidance outlines eight principles to be used as a framework to design, secure, and manage OT environment connectivity. These principles provide a comprehensive approach to securing OT systems, from initial design to ongoing management. By following these principles, organizations can reduce the risk of cyber threats and ensure the reliability and integrity of their OT environments.
Importance of Collaboration and Assessment
According to Scott Gee, AHA deputy national advisor for cybersecurity and risk, collaboration between OT owners, vendors, and cybersecurity teams is critical for ensuring the security of OT environments. This collaboration should begin at the OT acquisition phase, where organizations can assess the security requirements and potential risks associated with the system. Hospitals should also assess the impact of OT system loss on clinical continuity and care delivery. For connected life-critical and mission-critical OT systems, it is strongly recommended that they have manual override features and the ability to operate independently, off-network. This ensures that critical systems can continue to function even in the event of a cyber attack or system failure.
Conclusion and Recommendations
In conclusion, securing OT environments is a critical task that requires careful consideration and planning. Organizations must prioritize cybersecurity for OT and address the challenges associated with legacy technologies and continuous operation. By following the guidance and principles outlined by U.S. and international agencies, organizations can reduce the risk of cyber threats and ensure the reliability and integrity of their OT environments. Hospitals and healthcare organizations should collaborate with OT owners, vendors, and cybersecurity teams to assess the security requirements and potential risks associated with OT systems. Additionally, they should assess the impact of OT system loss on clinical continuity and care delivery and ensure that critical systems have manual override features and can operate independently, off-network. For more information on cybersecurity and risk issues, organizations can contact Scott Gee or visit aha.org/cybersecurity for the latest resources and threat intelligence.
