The cross-sector Cybersecurity Performance Goals (CPGs) released last fall by the Cybersecurity and Infrastructure Security Agency (CISA) addresses an important but often overlooked facet of the cyber-risk landscape: operational technology (OT).

The CPGs build upon CISA’s previous efforts to help organizations harden cyber defenses as well as the work of other federal entities such as the National Institute of Standards and Technology (NIST), which, in 2014, created the Cybersecurity Framework. The framework helps to create a common cyber-risk language and integrate industry standards and best practices into easily accessible guidance. A 2.0 version of the framework is currently in the works.

However, with cyberattacks increasing at an exponential rate, CISA says that, even with this framework, health care organizations are often left wondering how to best direct limited cybersecurity spending, especially within OT. 

“We hear the global operational technology and industrial control systems community clamor to be seen and recognized alongside traditional information technology (IT) security and supported in their essential role,” says Jen Easterly, CISA director. “It became clear that even with comprehensive guidance from sources like the NIST Cybersecurity Framework, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices.”

Although the CPGs address OT cybersecurity in great depth, cybersecurity of IT systems does still take equal focus, and for good reason. 

The latest data from the Department of Health and Human Services shows that health care organizations suffered 503 hacks impacting 38 million individuals from January to November 2022, many of them ransomware attacks targeting patient data. But as cybercriminals broaden their attack surface, leaders in the cybersecurity industry are sounding the alarm that cyber-physical resources such as internet-connected medical equipment, building automation and communication devices need the same level of protection and attention as IT to protect patients. 

“There is a lack of understanding of the security that’s required for OT devices, as well as the risks they pose,” says Renee Jacobs, CHFM, CHC, FASHE, business development manager – health care, Distech Controls Inc. “What does a breach on the OT side look like, and what does it impact? OT is typically on a separate network than IT so that it won’t be tied to protected health information, but that doesn’t mean it’s not impacting patient care. If the air-handling unit turns off in the middle of a surgery and proper air changes are not maintained in the operating room, patient safety is impacted. Other adverse effects from a cyberattack to the life safety systems such as the emergency generator, fire alarm and medical gas systems may also impact patient safety.”

Although the harm caused by cyberattacks on physical assets has yet to be quantified and hospitals are uneager to reveal threats and attacks, past events do prove the susceptibility of internet-connected assets. 

The 2017 WannaCry virus spread by hackers operating from North Korea targeted medical devices that were using Microsoft Windows-based programs that hadn’t been updated. And in 2011, a leader of a hacking operation in Texas was sentenced to more than nine years in prison after installing malware on a dozen computers and installing a remote-access program on a Windows-controlled HVAC system at the Northern Central Medical Plaza in Dallas. 

The CPGs strive to address these types of vulnerabilities by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement and aimed at addressing some of the most common and impactful cyber risks. 

For example, one of the CPGs outlined is to prohibit connection of unauthorized devices, with a specific note that organizations should develop a procedure to “remove, disable or otherwise secure physical ports to prevent the connection of unauthorized devices” to OT assets.

The report also emphasizes the need for designated OT leadership and collaboration between OT and IT departments. Authorizing a single leader over OT cybersecurity helps to combat a lack of accountability, investment or effectiveness of an OT cybersecurity program. In addition, the CISA report acknowledges that poor working relationships and a lack of mutual understanding between IT and those managing OT also results in increased cyber risk. Jacobs says this is a common frustration among many of her health care clients. 

“As a vendor, we will go through a vetting process about the security of our devices as required by a hospital’s IT department,” Jacobs says. “But as we go through those questions, they tend to be much more geared toward IT versus OT, which makes it difficult to answer those questions because they don’t fit with this type of technology. Oftentimes, the IT departments aren’t vetting the OT devices with the right set of criteria.”

Jacobs says one development that may help to bridge this knowledge gap is the move toward Internet Protocol-based building controls and automation because these technologies can be hosted on a hospital’s network server. But whether a facility has upgraded its building technology or not, Jacobs says all facilities can and should take actions to become more proactive in their OT cybersecurity. 

“It first starts with a risk assessment,” Jacobs says. “Evaluate and document risk, and bring IT into the conversation early. In making sure IT is engaged in the conversation, it ensures everyone is aware of the risks. They need to be sitting at that table and having the conversation with the facilities department.”