A hospital’s operational technology is linked to its clinical environment and must be safeguarded.

Image by Getty Images

A safer, more efficient and compliant environment for health care facilities can be provided by using data analytics with inputs from field sensors and outputs to field controllers. However, as devices that make up a facility’s operational technology (OT) become more network connected, cyber risk expands. 

In the past, building OT systems were separated. Today, OT system data is leveraged to create smart buildings. As OT systems become more internet protocol (IP)-enabled, the cyberattack surface and associated risk increases for both OT and information technology (IT) systems. 

Thus, systems-based thinking and planning of network-based building systems is paramount. Cyber-risk can be mitigated through awareness, education and holistic processes that integrate the design and construction activities with ongoing building OT and IT operations. 

This approach is outlined in the American Society for Health Care Engineering’s new monograph, “Best Practices Framework for Health Care Cyber-Physical Protection: For the Construction Project Team,” from which this article is excerpted.

Least expensive, most effective

Cyber-risk mitigation is least expensive and most effective when implemented at the initial planning stage of a project by providing a baseline for the owner, designer, contractors and equipment manufacturers.

The planning and implementation of a cyber-risk mitigation strategy prior to project design has both up-front and life-cycle benefits for the building. Smart buildings require OT systems to share data, and the cyber protection of the network connecting these systems is a relatively new discussion. 

Operational technology systems for health care considered in the monograph include the following: 

  • Electrical building systems, including the normal power electrical main and distribution equipment, emergency power generator systems and distribution equipment, fire alarm and mass notification, site and building lighting and shade control, uninterruptable power supplies, energy management systems and electric vehicle charging stations. 
  • Mechanical building systems, including building management systems (BMSs), chilled water systems, air-handling systems, boiler control, fire protection, fuel storage or pumping stations, medical gas, carbon dioxide monitoring and water management systems.
  • Low-voltage building systems, including physical security, freezer and refrigerator temperature monitors, interactive communications systems, nurse call, real-time locating systems and radio frequency identification asset tracking, patient entertainment and audiovisual systems.
  • Architectural systems, including vertical transportation and pneumatic tube systems.

The integration of data between systems typically starts with an integration visioning session with the owner, which identifies the technology infrastructure required and leverages data available to meet patient and staff needs. Use cases then identify the data sharing requirements between OT and IT systems to accomplish each integration vision. 

The use cases are the base for designing the network data-sharing requirements to be coordinated among the electrical, mechanical and low-voltage engineers, and facilities, clinical and IT teams. This framework is an important first step that guides interactions between the design team and owner during project delivery and provides a long-term map for building cybersecurity, sustainability and resiliency as well as deployment of new technology and software updates.

Best practices framework 

The framework presents steps to be followed from the initial project planning stage through the owner takeover stage. The measures outlined here are discussed in depth in the monograph.

Establish project team member roles and responsibilities. To streamline the multi-organization world of health care design, bid and construction, the roles of all project players must be broken down to accomplish a best practices framework for cyber-physical protections. These include the following:

  • Executive leadership and C-suite. An executive directive will drive education, resources and buy-in from all team members, streamlining the process. 
  • Owner project manager (PM). The PM’s responsibility is to be aware that the owner has an OT cybersecurity guidance document that is updated for the specific project, and to include necessary elements in the design schedule. The PM also validates all OT firmware and software patches are updated through the warranty period.
  • Facility director. The facility director communicates use cases to the design engineer, which increases both operational and energy efficiency, and confirms long-term operational success of use cases is designed per facility maintenance processes. Considering the differences between IT and OT, working closely with IT to validate the process for patching and upgrading OT systems is in line with ongoing building operations. 
  • IT. This group provides cyber leadership of the built environment for the project team. It uses the existing hospital cybersecurity risk management framework (RMF) to manage the risks of OT systems. The IT integrator coordinates integrations between the construction project team and IT. This role also supports the cross-functional IT/OT discipline of the OT cyber subject matter expert (SME). 
  • OT cyber SME. The OT cyber SME bridges the construction project team and IT to provide a cyberprotected smart building. Their goal is to address the specific needs of OT systems for both the construction and operations of the facility. The OT cyber SME coordinates OT software and equipment submittals with the IT software and hardware review committee. They lead the coordinated OT project cyber-risk assessment and provide findings and recommendations to IT, to be incorporated into the RMF and OT cybersecurity guidance document. 

They generate the health care organization OT cybersecurity guidance document and modify appendices specifically for the project. Facilities leadership and the design engineer understand OT building code compliance and can provide input for network decisions. The ability to apply cyber principles that are aligned with the health care organization is a prerequisite of the OT cyber SME. 

  • Architectural PM. The architectural PM’s responsibility is to be aware that the owner has an OT cybersecurity guidance document that is updated for the specific project, and to include necessary elements in the design schedule.
  • Architectural engineer. Clearly communicating use-case scope in the plans and specifications is critical for an accurate bid, construction and commissioning process. The engineer will need to note if a specific method of integration is required for certain use cases and be aware of resilient solutions provided by manufacturers. 

The engineer is best equipped to provide education to the team regarding the authority having jurisdiction (AHJ) and code requirements of OT system connectivity. By reviewing the owner’s OT cybersecurity guidance document, the engineer can confirm there are no conflicts with code or design best practices. 

The engineer will include or reference the owner’s appendices in the contract documents to confirm the integration contractor designs and configures the network per the owner’s requirements. Because they are closest to their design, it is likely the engineer will be leaned on to validate the shop drawing process of routing shop drawings to the OT cyber SME per the OT cybersecurity guidance document. 

  • Integration contractor. The integration contractor is possibly the most qualified to provide lessons learned based on their history of constructing OT networks. They also are the likely candidate to populate the construction schedule with milestones and submittal requirements. The integration contractor will be working closely with other contractor team members during the bid, shop-drawing and build phases of the project. 

The integration contractor oversees use-case progress and validates that use cases are realized. The OT IP inventory of devices is consolidated and submitted by the contractor. Depending on the owner’s and general contractor’s preference for implementing smart building technology, the integration contractor may be the BMS controls contractor.

  • General, electrical and mechanical contractors. The general, electrical and mechanical contractors validate owner cyber elements are included in the bid and confirm cyber deliverables are included in the construction schedule. The owner’s IT or OT cyber SME will have action items to be tracked in the construction schedule. Each contractor needs to understand the requirements of the owner’s OT cybersecurity guidance document as it pertains to their scope. 

Confirming that use cases are correctly coordinated between specifications and contractors is a key element of success. The OT IP inventory of devices will be routed from the device manufacturer through the general, electrical and mechanical contractors to the integration contractor.

  • Equipment manufacturers. As stated, the OT IP inventory of devices will be routed from the device manufacturer through the general, electrical and mechanical contractors to the integration contractor. 

Equipment manufacturers continue to innovate and introduce new products and solutions. Providing education on how these new solutions provide cyberprotective value to owners in terms the design engineer and facility director can understand is a real service. 

Because typical manufacturer cyber engineers have an IT cybersecurity background, their documentation follows IT vernacular. Finding a way to simplify solutions that are device-based and OT network-based will do the field good. 

Manufacturers are starting to receive onerous forms from IT departments. The forms may be typical for IT or medical equipment devices, but may confuse the OT manufacturer filling out the form, resulting in the IT department receiving an incomplete form. Rarely does one form fit all, and manufacturers can assist in the generation of standards related to OT systems that are PHI or PII sensitive (nurse call, etc.) versus those OT systems that are not PHI or PII sensitive (e.g., most electrical and mechanical systems). 

Establish an OT project cyber timeline. Integrating an OT cyber project process into the design and construction schedule provides a path to address cyber-risk concerns. A RACI (responsible, accountable, consulted and informed) chart clarifies roles for each task: the person responsible does the work for the person accountable for the task or the decision maker. The responsible person will either get direction from persons they consult or be given authority to complete the work and only inform certain persons. Tasks include:

  • Planning. During the planning stage, project executive leadership identifies OT cyberprotection as a measurable part of the project. The integration vision is developed, which identifies how the integration of systems will benefit patient care, staff workflow and processes, as well as building efficiency measures that meet the safety and operational goals of the facility. Integration outcomes provide the roadmap to develop use cases in the next phase. 
  • Schematic design. During this phase, each OT system is identified. Use cases are developed such that implementing a group of discrete use cases will accomplish each integration outcome. Each use case is a real, achievable exchange of data between two or more systems that can be commissioned. Also, during this phase, the OT cybersecurity guidance document is addressed for the specific project. 
  • Design development. Finalizing the use cases and updating project specifications to support the construction and commissioning of each use case is the next step. Scope is also defined for the execution of each use case.
  • Contract documents. The owner’s “Health Care Cyber Requirements for Operational Technology” document is referred to or included in the contract document set. 
  • Construction schedule. The general contractor is directly or indirectly responsible for the integrations and includes the deliverables both from the contractors and owner in the construction schedule. 
  • Shop drawing. During the shop-drawing process, the integrating contractor provides the quantity of IP addresses required for the OT network and submits a proposed OT network design based on the owner’s OT cybersecurity guidance document. Per the construction schedule, the owner will provide the IP addresses and approval of the OT network. The owner also coordinates the delivery date of the owner-provided devices (e.g., firewall and switches). 
  • Substantial completion. After equipment is delivered to the site, the integration contractor develops an OT IP inventory of devices. After the building telecommunications rooms are ready to accept IT/OT equipment, the owner will install and configure the OT firewall and switches based on the preliminary IP inventory of devices. The contractor may transfer network connections from the construction staging switches to the permanent OT switches and verify all cyber configurations support building operation. After a successful transition to the permanent switches, the OT IP inventory of devices may be transferred to the owner. 
  • Commissioning. Commissioning has multiple parts, including demonstrating to the owner that each device is configured per the owner’s OT cybersecurity guidance document, demonstrating that each use case will function correctly, and demonstrating a test and development environment if part of the project scope.
  • Turnover. After the owner verifies that the OT network is installed per the OT cybersecurity guidance document, the owner takes over all cyber updates and maintenance items as well as continuous monitoring for fault/intruder detection and incident response.

Develop the project use cases. Use cases provide the reason to integrate. Smart buildings are a consolidation of use cases, and each use case is a description of an outcome and how the designer envisions data to be shared within or across systems. Use cases may be developed throughout the project design cycle and may be the result of a project integration visioning session. Clearly representing use cases in the project documents and to the project team will allow the OT cyber SME to conceive a cyberprotective plan for the contractor to follow. 

Issue the project-specific OT cybersecurity guidance document. The OT cyber SME issues the OT cybersecurity guidance document initially internally to the health care facility. After use cases are determined and the cyber-risk of each is understood, cyberprotective measures may be put in place. It is recommended that this document is initially drafted and revised as project design details solidify about technology integration, and that it is finalized so that it can be externally issued to support project construction efforts. 

The OT cybersecurity guidance document may cover recommendations and guidance from IT’s RMF efforts; a list of OT systems applicable to the standard; OT-specific cyber requirements affecting construction contractor system selection, configuration and integration; applicable owner security requirements or policies to OT systems; policies on firewall and additional network segmentation information; construction projects and hospital operations; and any other considerations. 

Include the cyber requirements for operational technology in project documents.Health Care Cyber Requirements for Operational Technology” is the capstone of the monograph by providing direction for the integration contractor to bid, build and commission the OT IP network per the health organization’s standards.

Include OT network architecture in project construction documents. OT network architecture is a visual format of the proposed OT network layout, including physical and virtual segmentation, and illustrates the scope split of hospital departmental ownership of the network, providing direction for the integration contractor to bid, build and commission the OT IP network per the health care organization’s standards.

Managing cyber-risks 

Facilities professionals are responsible for preventing unauthorized access to their plants, resources, systems, machines and networks, which should only be connected to an enterprise network or the internet if and to the extent that such a connection is necessary and only when appropriate security measures are in place. 

There is no guarantee that this framework will prevent cyberattacks, only that it will allow professionals to organize and manage cyber-risks in designing a modern health care facility. 

The cyber designer shall refer to all applicable standards and best practices for their cyber plan.

Tim Koch is a vice president and engineering principal at HDR in Omaha, Neb.; Owen Redwood is the chief research officer at Nebraska Applied Research Institute; Ken Hansen is the vice president/associate vice chancellor for facilities management and planning at the University of Nebraska Medical Center and Nebraska Medicine; and David Hahn is a technology consultant and IT systems architect at HDR in Omaha. They can be reached at tim.koch@hdrinc.com, owen.redwood@nari.nebraska.edu, hansenkl@unmc.edu and david.hahn@hdrinc.com