Hospitals and other medical facilities get lumped into OT and cyber/physical because they have software and firmware that is monitoring and controlling physical equipment and processes. It’s not wrong, but I don’t think it’s helpful.

The high level, high quality OT security guidance is similar for a power plant and a water treatment plant and a manufacturing plant and a refinery. The same is true for a pipeline, distribution system, and water canal. Sure there are important differences in sectors and individual sites, and you always want to work with the engineers who built and understand the environment.

Hospitals have little in common with OT in electric, water, manufacturing, petrochem, … except that they are cyber/physical.

  • Hospitals have a lot more users interacting with the cyber/physical devices
  • Hospital cyber/physical devices are often stand-alone, not part of a bigger system
  • Hospitals have a flow of untrusted people (patients) in physical proximity to the cyber/physical systems

These are only three. I’m sure those who focus on the medical space would have another seven to form a top ten list. I wonder if hospital systems have more in common with brick and mortar retail than with OT.

And now hospitals are the cyber/physical sector suffering the most from ransomware, as measured by public impact.

The hospital sector likely has a common first action in addressing OT related cyber risk in 2024 … have a plan to minimize consequence if you are compromised by ransomware. After that, I’m not sure there is a lot of overlap with traditional OT security approaches and thinking.
