All industries must recognize the importance of cybersecurity to operational technology, as it’s the hardware and software that monitors, controls, and alters physical systems. As information and operational technologies continue to converge, however, security risks increase. While the manufacturing, infrastructure, utilities, energy, and transportation industries can vigorously address security risks through securing industrial networks, the healthcare industry has some additional, specific concerns.
Things like thermostats, lighting, elevators, and HVAC systems are getting “smarter” by the day. Even medical devices like pacemakers and insulin pumps can be vulnerable to hacking. Healthcare organizations that employ smart technology to run buildings efficiently or manage biomedical devices must address cybersecurity risks that could compromise operations, threaten privacy, and endanger patients.
Information security breaches that compromise patient privacy have been a serious concern, and healthcare organizations must do all they can to address this issue. However, it isn’t just stored patient information that’s at risk: medical devices have become more “networked”, and thus, vulnerable to attack. The FDA recognized the problem, and in 2016, they issued FDA 2015-D-5105-0001; it’s a non-binding recommendation for postmarket management of cybersecurity in medical devices.
As healthcare organizations employ more smart technology to manage physical devices, the CIO’s role must expand to include an understanding of threats against operations. Beyond computer hardware, cybersecurity concerns now extend to areas of physical plant management that may previously have been invisible. Security for new building systems and infrastructure is as important as it is in medical information management.
Policies and Standards
Policies and standards that work to select information systems and managing medical records might not make sense for dealing with threats to operational technology. A healthcare facility can’t simply shut off the lights overnight to apply an update or a patch. Facilities must put plans in place to address a threat to, or a breach of, physical systems. They can achieve this by segmenting systems appropriately to minimize the scope of threats and examining whether devices or systems need to interact with the Internet to perform optimally. Also, make compliance with cybersecurity standards and a protocol for applying patches and updates—without compromising vital systems that must run continuously—a factor when considering vendors.
Addressing risks to operational technology requires a continuously changing skillset. Healthcare organizations need to plan to acquire the talent necessary to bring cybersecurity into the operational sphere. Fortunately, universities and government agencies now recommend that graduate engineering students must take cybersecurity courses to graduate. The operational technology security field will continue to grow, and healthcare organizations must get in front of the trend and work to attract developing talent in the field.
All organizations with complex operational systems and networked devices must contemplate and address cybersecurity risks as the Internet’s role in business operations expands.