Protecting Operational Technology in Healthcare to Safeguard Patients’ Care

Hospitals are part of our society’s critical infrastructure, where protecting operational technology (OT) powering medical devices, data storage and communication systems is crucial to public health and safety.

Published on 7 Oct 2025
Patrick Scholl, Director OT Center of Excellence, Infinigate Germany

The traditional IT requirements for availability, security and interoperability are particularly important to ensure OT integrity in healthcare: any impairment or failure of these systems can endanger patients’ lives and paralyse hospitals. Medical care depends heavily on devices and systems functioning reliably around the clock. Robust architectures and sophisticated emergency plans are therefore essential to ensure the continuous availability of OT systems in hospital environments, helping to prevent malfunction and ensuring they remain operational in the event of an emergency. At the same time, interoperability between different systems is becoming increasingly important.

Regulatory requirements driving holistic security

As part of critical infrastructure, hospitals are subject to stringent legal and normative requirements that are constantly evolving and becoming increasingly complex. These requirements affect not only traditional IT, but also, and in particular, operational technology (OT), i.e. all medical devices, control and automation systems that are directly relevant to patient care and hospital operations.

As an example, the Hospital Future Act (KHZG), which came into force in September 2020, enables public hospitals in Germany to apply for government funding for projects boosting digital health, cybersecurity, and IT infrastructure, and receive a share of €4.3 billion for digital health innovation. The KHZG requires institutions to provide evidence of comprehensive IT and OT security measures and the interoperability of their systems.
Only when these requirements are met can hospitals receive funding for the digitalisation and modernisation of their infrastructure. This means that security is no longer optional, but a mandatory prerequisite for the development and financing of the healthcare system.

The European Union’s NIS2 Directive also tightens the cybersecurity requirements significantly: hospitals are called out as “essential facilities” and must establish comprehensive asset management, perform regular risk analysis and implement risk mitigation measures. In addition, the NIS2 Directive requires clearly defined incident response processes, end-to-end security in the supply chain and compliance with strict reporting requirements for security incidents. These requirements aim to strengthen the resilience of the entire healthcare system against cyber threats and increase transparency in dealing with risks.

The Cyber Resilience Act (CRA) applies to manufacturers of networked medical technology systems and devices, requiring they ensure a high level of security throughout the entire life cycle of their products. From design and development to implementation and ongoing operation, protective measures must be documented and in place at all times. This extends responsibility for cybersecurity across the entire value chain and focuses on enabling traceability and transparency.

International standards such as IEC 62443 supplement the regulatory framework with a structured framework for OT security. They require comprehensive risk analysis, physical and virtual security measures, and the establishment of a continuous operating process tailored to the specific requirements of industrial and medical control systems. For hospitals, adherence to these standards is not only a matter of compliance, but also a decisive factor for long-term operational safety.
In addition, industry-specific regulations such as B3S Hospital (KRITIS), ISO 80001 and the Medical Devices Act (MPG/MDR) apply, specifically regulating the safe operation, maintenance and update processes for medical devices. These requirements address the specific challenges of everyday hospital life, where medical devices often remain in use for many years and yet must meet evolving safety requirements.

The challenge for hospitals now is to integrate all these requirements into ongoing operations and apply them to medical OT devices throughout their extended lifespan without compromising patient safety or operational capability.

Cybersecurity through segmentation and monitoring

To make matters worse, hospitals are increasingly becoming the target of cyber-attacks, especially ransomware, which is particularly worrying on account of outdated or inadequately protected OT systems. One of the most effective protective measures is to consistently segment the network, creating a clear separation between IT and OT. For example, medical technology and administrative networks can be isolated from each other, preventing potential attacks from spreading unhindered throughout the entire network.

This segmentation is supported by the targeted use of firewalls, intrusion detection and prevention systems, and modern zero-trust architectures that strictly control and continuously monitor access. Additionally, it is essential to continuously monitor all networked devices and systems to detect unusual activities or anomalies early on and be able to respond rapidly to breaches. The physical protection of particularly sensitive medical equipment, such as MRI machines and laboratory technology, complements digital security measures and prevents direct manipulation of hardware.
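One way to monitor the IT/OT separation described above is to audit observed network flows against the list of permitted zone crossings. This is an added example, not part of the original article; the zone names, subnets, permitted conduits and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone layout (assumption): names and subnets are illustrative only.
ZONES = {
    "admin_it": ipaddress.ip_network("10.10.0.0/16"),    # administrative network
    "medtech_ot": ipaddress.ip_network("10.20.0.0/16"),  # medical technology network
    "ot_dmz": ipaddress.ip_network("10.30.0.0/24"),      # brokered exchange zone
}

# The only permitted zone crossings: (source zone, destination zone, destination port).
ALLOWED_CONDUITS = {
    ("medtech_ot", "ot_dmz", 104),  # imaging devices send DICOM studies to the archive
    ("medtech_ot", "ot_dmz", 514),  # devices forward syslog to the collector
    ("admin_it", "ot_dmz", 443),    # workstations read results over HTTPS
}

def zone_of(ip):
    """Return the zone name that contains ip, or 'unknown' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return every flow that crosses a zone boundary outside an allowed conduit."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "unknown":
            continue  # traffic inside one zone is not a segmentation matter
        if (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
            violations.append((src, dst, port, src_zone, dst_zone))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.30.0.5", 104),   # allowed conduit
    ("10.10.4.22", "10.30.0.5", 443),   # allowed conduit
    ("10.20.1.15", "10.20.1.16", 104),  # same zone
    ("10.10.4.22", "10.20.1.15", 445),  # IT workstation directly to a medical device
    ("10.20.1.40", "10.10.0.9", 3389),  # medical device reaching into the IT network
    ("172.16.5.5", "10.20.1.15", 80),   # source outside every defined zone
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION %s -> %s:%d (%s -> %s)" % v)
```

Each reported violation is either a firewall rule that is too permissive or a device sitting in the wrong zone, which makes the output a useful input for both the segmentation design and the asset inventory.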
This combination of technical segmentation, monitoring and physical protection plays a key role in minimising the attack surface and significantly increasing the resilience of hospital infrastructure against current cyber threats.

Life cycle management and legacy systems

OT systems in hospitals often have a service lifespan stretching to up to twenty years, which poses particular challenges for IT security. Many of the associated legacy operating systems can no longer be patched and lack modern protection mechanisms such as up-to-date encryption or authentication procedures. Updating or retrofitting is often not possible due to certification requirements or technical limitations.

To ensure an adequate level of security, hospitals often rely on methods such as virtual patching, in which vulnerabilities are addressed by protective measures in the network without changing the actual device. In addition, network segmentation and controlled access policies are used to minimise the risk of unauthorised access. Holistic lifecycle management is crucial here; it includes ongoing inventory, monitoring and individual protection of OT systems to ensure the security and availability of critical infrastructure even over long periods of use.

Access management as the core of operational security

Effective access and authorisation controls are the backbone of IT and OT security in hospitals. Access rights are usually assigned according to the principle of least privilege to ensure that each person or system can only access the information and functions necessary for the task at hand. The role-based access control (RBAC) model is often used for this purpose. In this approach, authorisation is not assigned individually, but on the basis of predefined roles, which simplifies administration and reduces the risk of misconfigurations. Attribute-based access control (ABAC) can also be used.
In addition to the role, other factors such as the time of access, location of the user or specific characteristics of the device used can be taken into account. This allows for a more granular screening and assessment of risks and requirements.

Strong authentication is essential for particularly sensitive or critical systems. Methods such as multi-factor authentication (MFA) or the use of smart cards ensure that only authorised and clearly identified persons can access these systems. These measures contribute significantly to minimising the risk of unauthorised access and ensuring the integrity and confidentiality of sensitive medical data and processes.

SIEM and SOC as the backbone of security architecture

Continuous monitoring of hospital infrastructure is an essential part of a robust security policy. Modern Security Information and Event Management (SIEM) systems continuously collect and analyse log data from all OT and IT systems. Through the intelligent correlation of this data, potential security risks and incidents are detected early on and can be evaluated in a targeted manner.

This approach can be complemented by a Security Operations Centre (SOC), which monitors the entire infrastructure around the clock. The SOC employs specially trained experts who analyse suspicious events, assess threats and initiate coordinated countermeasures in the event of an emergency. As a result, attacks are not only detected quickly but are also dealt with more effectively. To remain operational in the event of a security incident, detailed emergency plans and recovery strategies are essential. They ensure that hospital operations can be resumed as quickly and safely as possible after an attack.

Conclusion: Holistic OT security as a long-term project

The requirements for OT security in hospitals are constantly increasing – driven by regulatory requirements, technological developments and growing risk.
Holistic security, combining technical, organisational and physical measures, is essential for secure and resilient hospital operations. Continuous adaptation to new challenges remains a central task for all players in the healthcare sector.
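The access-management section above layers attribute checks (time of access, user location, device characteristics) and MFA for critical systems on top of role-based permissions; the sketch below shows that layering as a deny-by-default decision function. It is an added example, not part of the original article, and every role, system name and the maintenance window are hypothetical.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical roles and systems. RBAC part: role -> permitted (system, action) pairs.
ROLE_PERMISSIONS = {
    "radiographer": {("mri_console", "operate"), ("pacs", "read")},
    "biomed_engineer": {("mri_console", "maintain"), ("lab_analyser", "maintain")},
    "ward_clerk": {("pacs", "read")},
}
CRITICAL_SYSTEMS = {"mri_console", "lab_analyser"}  # strong authentication required
MAINTENANCE_WINDOW = (time(20, 0), time(6, 0))      # assumed window, wraps past midnight

@dataclass(frozen=True)
class AccessRequest:
    role: str
    system: str
    action: str
    at: time              # time of access
    location: str         # "on_site" or "remote"
    device_managed: bool  # characteristic of the device used
    mfa_passed: bool

def in_window(t, window):
    """True if t lies in [start, end), including windows that span midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def decide(req):
    """Deny by default: the role must grant the action, then every attribute check must pass."""
    if (req.system, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "role does not grant this action"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.system in CRITICAL_SYSTEMS:
        if req.location != "on_site":
            return False, "critical system is on-site only"
        if not req.mfa_passed:
            return False, "MFA required for critical system"
    if req.action == "maintain" and not in_window(req.at, MAINTENANCE_WINDOW):
        return False, "outside maintenance window"
    return True, "permitted"

if __name__ == "__main__":
    night = AccessRequest("biomed_engineer", "mri_console", "maintain",
                          time(23, 30), "on_site", True, True)
    print(decide(night))
```

Returning the reason alongside the decision gives the SIEM a field to correlate on, so repeated denials for one account or device surface as a pattern rather than isolated log lines.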