Operational technology (OT) is the hardware and software that monitors, controls and manages physical operations. Combined with information technology (IT), OT systems form part of a comprehensive model for protecting an organization's infrastructure. In healthcare, this allows for the security of areas that need additional care, such as communications and the handling of protected health information (PHI).
What is operational technology?
In healthcare organizations, OT assists in the management of systems necessary for patient care. These systems include diagnostic equipment, therapeutic devices, and facility systems. When integrated with IT systems, healthcare organizations have a pathway to link the physical and digital components of healthcare infrastructure.
According to the NIST Special Publication SP 800-82r3, “As OT systems adopt IT solutions to enable corporate business systems connectivity and remote access capabilities... they have begun to resemble IT systems. This integration... provides significantly less isolation for OT from the outside world than predecessor systems, creating a greater need to secure OT systems.”
Most organizations do not build cybersecurity measures into healthcare equipment when integrating it with IT. Many legacy systems are built for reliability rather than security, leaving many OT systems vulnerable to cyberattacks.
The combination of OT and IT
IT systems are commonly responsible for managing data, communication, and administrative functions. Integrating IT and OT systems exposes OT devices to vulnerabilities from which they were previously isolated. To navigate this, healthcare organizations must approach integration with layered security controls such as firewalls and demilitarized zones that isolate sensitive OT devices from the broader IT network.
These controls are part of a larger strategy based on the HIPAA Security Rule. A cybersecurity approach accounts for the inherent vulnerabilities of both OT and IT systems. By combining IT's data security expertise with the more physical operational safeguards of OT, cybersecurity risks are minimized.
How to make sure OT systems remain secure
- Segment networks with multiple layers of security to limit access to systems.
- Disable unused ports and services on OT devices to reduce attack surfaces.
- Deploy monitoring in OT environments to detect anomalies and potential intrusions.
- When communicating information related to OT systems, use HIPAA compliant email systems to avoid unauthorized access.
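As an added example (not part of the original article), the script below shows how the first three recommendations can be checked together: it audits network flow records against a segmentation policy, flags administrative access to OT devices that does not come through a designated jump host, and reports connections to an OT device on any port that is not one of its expected services, which is exactly the "unused port or service" that should have been disabled. All zones, addresses, device service lists and flow records are assumptions constructed for the example, not data from any real hospital network.

```python
"""Audit constructed network flow records against an OT segmentation policy.

Added example: the zones, hosts, ports and flows below are constructed, not
taken from any real hospital network. Flags (a) cross-zone traffic that the
segmentation policy does not allow, (b) administrative access to OT that
does not come through the designated jump host, and (c) connections to an
OT device on a port that is not one of its expected services.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: OT device VLAN, hospital IT LAN, and a DMZ between them.
ZONES = {
    "OT": ip_network("10.50.0.0/16"),
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
}

# Cross-zone conversations the policy permits: (src zone, dst zone, dst port, proto).
ALLOWED_CROSS_ZONE = {
    ("OT", "DMZ", 443, "tcp"),   # devices push telemetry to the DMZ historian
    ("DMZ", "IT", 443, "tcp"),   # IT clients read the historian, never the devices
    ("IT", "OT", 22, "tcp"),     # engineering access, restricted below to JUMP_HOST
}
JUMP_HOST = ip_address("10.10.0.9")  # constructed; the only IT host allowed into OT

# Expected listening services per OT device (constructed). Anything else is an
# unused port/service that should have been disabled on the device.
OT_SERVICES = {
    "10.50.1.20": {502},       # PLC speaking Modbus/TCP only
    "10.50.1.21": {102, 22},   # controller with S7comm plus SSH for maintenance
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def audit_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one flow (empty list means compliant)."""
    reasons = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone != dst_zone:
        key = (src_zone, dst_zone, flow.dport, flow.proto)
        if key not in ALLOWED_CROSS_ZONE:
            reasons.append(
                f"cross-zone {src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in policy")
        elif dst_zone == "OT" and ip_address(flow.src) != JUMP_HOST:
            reasons.append(f"OT admin access from {flow.src}, not the jump host")
    if dst_zone == "OT":
        expected = OT_SERVICES.get(flow.dst, set())
        if flow.dport not in expected:
            reasons.append(
                f"unexpected service {flow.proto}/{flow.dport} on OT device {flow.dst}")
    return reasons


def audit_flows(flows):
    """Return [(flow, reasons)] for every flow that violates at least one rule."""
    return [(f, r) for f in flows if (r := audit_flow(f))]


# Constructed flow records, as a firewall or flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.50.1.20", "10.20.0.5", 443, "tcp"),   # OT -> DMZ historian: allowed
    Flow("10.50.1.20", "10.10.0.40", 445, "tcp"),  # OT -> IT file share: blocked
    Flow("10.10.0.9", "10.50.1.21", 22, "tcp"),    # jump host -> controller SSH: allowed
    Flow("10.10.0.55", "10.50.1.21", 22, "tcp"),   # workstation -> controller SSH: wrong source
    Flow("10.10.0.61", "10.50.1.20", 80, "tcp"),   # IT -> PLC web UI: blocked and unexpected
    Flow("10.50.1.21", "10.50.1.20", 502, "tcp"),  # intra-OT Modbus: allowed
    Flow("10.50.1.21", "10.50.1.20", 23, "tcp"),   # intra-OT telnet: service should be disabled
]

if __name__ == "__main__":
    for flow, reasons in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed records, four of the seven flows are flagged; the intra-OT telnet connection is caught by the expected-services check even though it never crosses a zone boundary, which is why the per-device service list matters alongside the firewall policy.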
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act is a law that protects the health information of individuals.
What is PHI?
Protected health information is any personal health information that identifies an individual. It includes medical records, health insurance details, or billing information.
What are the methods of securing EHRs approved by HIPAA?
Specific security measures used to protect electronic health records (EHRs) include:
- Access controls
- Encryption
- Automatic log off
- Risk assessments performed regularly