Operational technology (OT) is the hardware and software that monitors, controls and manages physical processes and equipment. When OT is combined with information technology (IT), both become part of one model for protecting an organization's infrastructure. In healthcare, that model has to cover areas that need additional care, such as clinical communications and the handling of protected health information (PHI).
In healthcare organizations, OT runs the systems that patient care depends on: diagnostic equipment, therapeutic devices, and facility systems such as building management. Integrating these systems with IT gives an organization a pathway to link the physical and digital components of its healthcare infrastructure.
According to the NIST Special Publication SP 800-82r3, “As OT systems adopt IT solutions to enable corporate business systems connectivity and remote access capabilities... they have begun to resemble IT systems. This integration... provides significantly less isolation for OT from the outside world than predecessor systems, creating a greater need to secure OT systems.”
Most organizations connect medical equipment to their IT networks without applying cybersecurity controls to that equipment at the same time. Many legacy devices were built for reliability and uptime rather than security, which leaves a large share of OT systems exposed to cyberattacks once the isolation they used to rely on is gone.
IT systems commonly manage data, communication, and administrative functions. Integrating them with OT exposes OT devices to threats that their isolation previously kept out. To manage this, healthcare organizations need to approach integration with layered security controls, such as firewalls and demilitarized zones (DMZs), that isolate sensitive OT devices from the broader IT network and allow only specifically approved traffic to cross between the two.
These controls are part of a larger strategy grounded in the HIPAA Security Rule. A cybersecurity approach takes the inherent weaknesses of both OT and IT systems into account: IT contributes its data security expertise, OT contributes operational safeguards that are often physical in nature, and together they reduce the overall cybersecurity risk.
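To make the segmentation described above concrete, the following is an added example (not code from the original page) of a small zone model for a clinical network: an IT zone, a DMZ holding brokers and gateways, and an OT zone of medical devices. It evaluates candidate flows against an explicit allow list with default deny, so clinician workstations can never reach a modality directly and must go through a DMZ gateway, and it renders the same policy as an nftables ruleset. All addresses, port choices and zone names are constructed for illustration and are not taken from the page.

```python
"""Zone-based segmentation policy for a clinical network (added example).

Three zones: IT (workstations, EHR), DMZ (brokers/gateways) and OT (medical
devices). Every cross-zone flow must match an allow rule; everything else is
dropped. No rule permits IT -> OT directly, so all access to devices is
mediated by the DMZ. Addresses and ports below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing; a real site plan will differ.
ZONES = {
    "it":  ipaddress.ip_network("10.10.0.0/16"),   # workstations, EHR, e-mail
    "dmz": ipaddress.ip_network("10.20.0.0/24"),   # brokers and gateways only
    "ot":  ipaddress.ip_network("10.30.0.0/16"),   # modalities, pumps, building systems
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    comment: str


# Allow list: every permitted cross-zone flow starts or ends in the DMZ.
# Ports are conventional defaults (HTTPS, DICOM, HL7 MLLP) used as assumptions.
ALLOWED = [
    Rule("it",  "dmz", "tcp", 443,  "clinician browsers to results broker"),
    Rule("dmz", "ot",  "tcp", 104,  "PACS gateway pulls DICOM from modalities"),
    Rule("ot",  "dmz", "tcp", 2575, "devices push HL7 v2 to integration engine"),
    Rule("dmz", "it",  "tcp", 2575, "integration engine forwards HL7 to the EHR"),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name an address belongs to, or None if unzoned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple:
    """Decide a single new flow: (allowed: bool, reason: str)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "drop: address outside every defined zone"
    if src == dst:
        # Same-zone traffic never crosses the segmentation firewall.
        return True, f"intra-zone {src} traffic (not a cross-zone flow)"
    for r in ALLOWED:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return True, f"allow: {r.comment}"
    return False, f"drop: no rule for {src}->{dst} {proto}/{dport} (default deny)"


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = ["table inet ot_segmentation {"]
    for name, net in ZONES.items():
        lines.append(f"    set {name}_net {{ type ipv4_addr; flags interval; "
                     f"elements = {{ {net} }} }}")
    lines += [
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for r in ALLOWED:
        lines.append(f"        ip saddr @{r.src_zone}_net ip daddr @{r.dst_zone}_net "
                     f"{r.proto} dport {r.dport} ct state new accept "
                     f'comment "{r.comment}"')
    lines += ['        log prefix "ot-seg-drop " drop', "    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: a workstation reaching a modality directly is denied.
    for flow in [("10.10.5.20", "10.20.0.10", "tcp", 443),
                 ("10.20.0.10", "10.30.1.5", "tcp", 104),
                 ("10.10.5.20", "10.30.1.5", "tcp", 104),
                 ("10.30.1.5", "10.10.5.20", "tcp", 445)]:
        print(flow, "->", evaluate(*flow))
    print(render_nftables())
```

The crucial lines in the rendered ruleset are `policy drop;` on the forward chain and the absence of any `it_net -> ot_net` rule: a new device, protocol or vendor tool that has not been deliberately added to the allow list simply cannot reach the OT zone, and the log line on the final drop gives the SOC a record of who tried.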
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that protects the privacy and security of individuals' health information.
Protected health information (PHI) is any health information that identifies, or can reasonably be used to identify, an individual. It includes medical records, health insurance details, and billing information.
Specific security measures used to protect electronic health records (EHRs)