In an era where healthcare systems are prime targets for cyberattacks, experts are broadening their focus to encompass not just IT systems, but also operational technology (OT) security. Christopher Lau, Director of Cyber Security, Proactive Security, and IoT Risk at Advocate Health, shared his expertise in a recent interview, emphasizing the unique and critical challenges posed by OT in healthcare. His insights reveal the often-overlooked vulnerabilities in medical and industrial control systems, offering a new perspective for healthcare IT professionals striving to fortify their organizations against evolving threats.
A Unique Focus on OT Security in Healthcare
With healthcare’s heavy reliance on operational technology—from HVAC systems to medical devices—the need for robust OT security has become increasingly urgent. Lau underscored that Advocate Health, as one of the country’s largest health systems, faces an unprecedented cybersecurity challenge following its recent merger with Atrium Health, now encompassing over 50 hospitals and 150,000 employees. “There is a lot of opportunity for growth and to serve the communities and patients in our areas,” Lau explained, “but also a lot of opportunity for attackers, unfortunately.”
Historically, healthcare cybersecurity efforts have focused primarily on IT. However, with OT systems that control physical elements like building automation and medical devices now vulnerable, attackers have an additional avenue to disrupt healthcare operations. “If an IT system goes down, it’s kind of an inconvenience,” Lau observed. “With OT, you’ll really notice it.” In healthcare, where environmental controls are essential to patient care, the impact of OT breaches could shutter the facility.
Understanding the Critical Risks of OT in Healthcare
Operational technology differs fundamentally from traditional IT, operating in the physical world rather than the digital one. Lau highlighted that OT systems in healthcare facilities require nearly constant availability to maintain safe, regulated environments. This difference also extends to the types of threats they face. “If attackers can shut down critical OT systems, like HVAC or elevators, it could force a hospital to evacuate,” Lau warned, painting a vivid picture of the risks posed by OT-focused ransomware attacks.
He drew attention to the risks associated with aging OT infrastructure, much of which lacks modern cybersecurity defenses. “A lot of industrial control systems from the Clinton administration are not going to have the same security features that current systems have,” he noted, emphasizing the need to address outdated technology that is still crucial to healthcare operations.
The Overlooked Threat of Unsegmented Networks
Many healthcare systems lack dedicated OT security teams, meaning that OT is often managed by traditional IT teams ill-prepared to handle its unique demands. This lack of specialization can lead to network segmentation issues, as IT and OT networks may share resources without proper isolation, which increases vulnerabilities. According to Lau, “Usually, you don’t see dedicated incident response or network monitoring for OT. They try, more often than not, to jam it into the IT funnel, and it just doesn’t work.”
To address these risks, Lau recommended separating OT networks from IT networks wherever possible, creating dedicated incident response and disaster recovery plans for OT, and providing targeted security training for teams managing OT systems.
Building an Effective OT Security Team
Establishing a specialized OT security team is essential, but the unique expertise required makes hiring a challenge. In response, Lau adopted a creative approach at Advocate Health. “If you’re trying to find just people with an engineering background or an ICS background, that is a chocolate-covered unicorn with sprinkles,” he joked,

healthsystemCIO.com

Anthony Guerra

OT/ICS Likely Next Critical Cyber Battleground; And Different Skills Are Required

NOV 5, 2024 | 34 MIN

Source: OT/ICS Likely Next Critical Cyber Battleground; And Different Skills Are Required (https://healthsystemcio.com/2024/11/05/christopher-lau/) on healthsystemcio.com