Beyond the Firewall: Why Risk Ownership is the Greatest Hurdle in Healthcare OT Security
The most dangerous vulnerability in modern hospitals may not be a piece of unpatched software, but a lack of organizational clarity. In a critical discussion on the evolving threat landscape, top cybersecurity leaders warned that the “ownership gap” is leaving healthcare systems exposed.
Jim Kuiphof, Deputy CISO at Corewell Health, Steven Ramirez, VP/CISO at Renown Health, and Skip Sorrels, Field CTO/CISO at Claroty, recently explored the complexities of healthcare OT security and the systemic failures in managing risk across diverse clinical environments.
The panel highlighted a sobering reality: while IT departments are often tasked with securing the network, they rarely “own” the operational technology (OT) that keeps the building running. This includes everything from HVAC systems and elevators to pneumatic tubes and medical gas delivery.
The Ownership Tug-of-War: IT vs. Biomed vs. Facilities
For too long, OT has existed in a departmental silo. Facilities teams manage the boilers; biomedical engineers manage the ventilators; IT manages the servers. When a security threat emerges, the question “Who is responsible for this?” often goes unanswered.
This fragmentation creates a dangerous vacuum. If a facility’s HVAC system is compromised, it isn’t just a maintenance issue; it is a patient safety issue. Yet, the person with the power to reboot the system often lacks the security training, and the person with the security training lacks the authority to touch the hardware.
Is your organization currently treating OT as a “facilities problem” or a “security problem”? Who actually holds the keys to your most critical physical assets?
Segmentation: The Art of Buying Time
Because many OT devices are legacy systems that cannot be patched without risking a total system crash, traditional security methods often fail. Instead, the panel emphasized segmentation as the primary defense.
Network segmentation does not necessarily stop an initial breach, but it prevents “lateral movement.” By isolating medical gas systems or elevators from the general guest Wi-Fi and administrative networks, hospitals can contain a threat and buy precious time for incident response.
This strategy shifts the goal from “perfect prevention” to “resilient containment,” ensuring that a compromised laptop in billing doesn’t lead to a shutdown of the surgical suite’s ventilation.
Exploitability Over Vulnerability Counts
One of the most provocative points raised during the discussion was the shift from counting vulnerabilities to measuring exploitability. Many CISO offices are overwhelmed by thousands of “critical” alerts from scanners that don’t understand the context of OT.
A vulnerability in a vacuum is just a statistic. However, an exploitable vulnerability (one that has a known attack vector and is accessible from the network) is a genuine threat. The experts argue that prioritizing based on exploitability allows lean teams to focus on the 2% of risks that actually matter.
Furthermore, the panel warned about the “third-party backdoor.” Many OT systems are managed remotely by vendors. Without strict access controls, a vendor’s compromised credential can become an open door into the heart of the hospital’s infrastructure.
If you had to choose between fixing 100 low-risk bugs or one highly exploitable entry point, which would your current reporting system prioritize?
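The two ideas above, segmentation as containment and exploitability as the triage signal, are easier to reason about when the network is written down as data. The following is an added illustration, not code from the panel, the article, or any vendor product: zones are nodes in a graph, a policy lists which zones may initiate traffic to which, lateral movement is reachability over that graph, and a scanner finding counts as exploitable only when a public exploit exists, the vulnerable service is network-exposed, and the asset's zone is reachable from a low-trust foothold. All zone names, asset names and scores are constructed for the example; the flat policy stands in for the weak setting and the segmented policy for the corrected one. The vendor remote-access path is deliberately left open to the HVAC zone so the "third-party backdoor" shows up in the output.

```python
"""Zone-based segmentation model plus exploitability triage.

Hypothetical example: zones are nodes, a policy maps each zone to the zones
it may initiate traffic to, and lateral movement is modelled as reachability
over that graph. A finding is exploitable only when a public exploit exists,
the service is network-exposed, and the asset's zone is reachable from a
low-trust foothold zone.
"""
from collections import deque
from dataclasses import dataclass

# Constructed zone names; real labels depend on the hospital's own design.
ZONES = ["guest_wifi", "billing", "admin", "servers", "vendor_remote",
         "ot_jump", "ot_hvac", "ot_medical_gas", "ot_elevators"]

# Zones where an attacker plausibly gains a first foothold.
ENTRY_ZONES = {"guest_wifi", "billing", "vendor_remote"}

# Weak setting: a flat network in which every zone may reach every other.
FLAT_POLICY = {z: {o for o in ZONES if o != z} for z in ZONES}

# Corrected setting: OT reachable only through a brokered jump zone, and
# only the HVAC vendor has a maintenance path; guest Wi-Fi reaches nothing.
SEGMENTED_POLICY = {
    "guest_wifi": set(),
    "billing": {"servers"},
    "admin": {"servers"},
    "servers": set(),
    "vendor_remote": {"ot_jump"},
    "ot_jump": {"ot_hvac"},
    "ot_hvac": set(),
    "ot_medical_gas": set(),
    "ot_elevators": set(),
}


def reachable_zones(policy, start):
    """Zones an attacker in `start` could pivot to by following allowed flows."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


@dataclass(frozen=True)
class Finding:
    asset: str
    zone: str
    cvss: float
    known_exploit: bool     # public exploit code or reported exploitation
    network_exposed: bool   # the vulnerable service listens on the network


def exposure_sources(policy, finding):
    """Entry zones from which the finding's asset can be reached at all."""
    return {e for e in ENTRY_ZONES
            if e == finding.zone or finding.zone in reachable_zones(policy, e)}


def is_exploitable(policy, finding):
    """Known exploit AND network-exposed AND reachable from a foothold zone."""
    return (finding.known_exploit and finding.network_exposed
            and bool(exposure_sources(policy, finding)))


def prioritize(findings, policy):
    """Exploitable findings first; within each group, highest CVSS first."""
    return sorted(findings,
                  key=lambda f: (not is_exploitable(policy, f), -f.cvss))


def exploitable_count(findings, policy):
    return sum(is_exploitable(policy, f) for f in findings)


# Constructed sample findings (asset names and scores are illustrative).
FINDINGS = [
    Finding("hvac-controller-01", "ot_hvac", 7.5, True, True),
    Finding("medgas-plc-02", "ot_medical_gas", 9.8, True, True),
    Finding("billing-ws-17", "billing", 6.5, True, True),
    Finding("pacs-server-01", "servers", 9.1, True, False),
    Finding("elevator-ctl-03", "ot_elevators", 8.1, False, True),
]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: guest_wifi can reach {sorted(reachable_zones(policy, 'guest_wifi'))}")
        print(f"{name}: {exploitable_count(FINDINGS, policy)} of {len(FINDINGS)} findings exploitable")
        for f in prioritize(FINDINGS, policy):
            print(f"  {f.asset:<20} cvss={f.cvss:<4} exploitable={is_exploitable(policy, f)} "
                  f"via={sorted(exposure_sources(policy, f))}")
```

Run as a script, the flat policy lets guest Wi-Fi reach the medical gas zone and marks three of the five findings exploitable, with the CVSS 9.8 PLC at the top. Under the segmented policy the same PLC drops out of the exploitable set entirely, not because it was patched but because no foothold zone can reach it, while the 7.5 HVAC controller stays at the top of the list because the vendor maintenance path still leads to it. That is the shape of the argument in the text: raw severity counts would rank these the other way round.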
Deep Dive: Understanding the Convergence of IT and OT in Medicine
Operational Technology (OT) refers to the hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices. In a healthcare setting, this convergence of IT (Information Technology) and OT has accelerated rapidly with the rise of the “Internet of Medical Things” (IoMT).
Historically, OT systems were “air-gapped,” meaning they were physically separated from the internet. However, the demand for real-time data and remote monitoring has connected these systems to the enterprise network, exposing them to the same threats as emails and databases.
To build a sustainable security posture, health systems must look toward frameworks like the NIST Cybersecurity Framework, which emphasizes the “Identify, Protect, Detect, Respond, and Recover” lifecycle. By applying these principles specifically to OT, organizations can move beyond reactive patching to proactive risk management.
Moreover, the U.S. Department of Health and Human Services (HHS) continues to evolve guidelines to ensure that the digitization of health services does not come at the cost of patient safety. The intersection of cyber-defense and physical safety is where the future of healthcare administration will be decided.
For more insights into how leadership is navigating these waters, explore the interviews and webinars available at healthsystemcio.com.
Frequently Asked Questions About Healthcare OT Security
- What is healthcare OT security?
- Healthcare OT security is the practice of protecting the physical operational systems, such as HVAC, medical gas, and elevators, that are connected to a health system’s digital network.
- Why is risk ownership a problem in healthcare OT security?
- Ownership is often split between IT, biomedical engineering, and facilities management, leading to confusion over who is responsible for monitoring and updating these systems.
- How does segmentation improve healthcare OT security?
- Segmentation isolates critical OT systems from the rest of the network, preventing attackers from moving laterally from a low-security area to a high-risk physical system.
- What is the difference between vulnerability counts and exploitability in OT security?
- Vulnerability counts quantify all known bugs, whereas exploitability identifies which of those bugs can actually be used by a hacker to breach the system.
- Who should own the risk for healthcare OT security?
- While IT provides the technical security tools, the operational risk should be owned by the departments that manage the assets, such as Facilities and Biomed, in a collaborative governance model.
Join the Conversation: How is your organization bridging the gap between IT and Facilities? Share your strategies in the comments below or share this article with your CISO to start the discussion.
Disclaimer: This article is for informational purposes only and does not constitute professional legal, medical, or cybersecurity advice. Organizations should consult with certified security professionals to implement OT safety protocols.