Network Segmentation: The Critical Defense Against Expanding OT Cyber Risks in Healthcare – Insights from Top CISOs

Modern hospitals rely on a vast network of connected equipment that extends far beyond traditional IT systems. From elevators and heating systems to sterilizers and pneumatic tube networks, operational technology (OT) now permeates nearly every facet of healthcare delivery. Yet as these systems grow more interconnected, they also introduce significant cybersecurity vulnerabilities that often go unnoticed by conventional security measures.

Three prominent healthcare cybersecurity leaders recently highlighted this growing concern during a panel discussion hosted by healthsystemCIO, emphasizing that OT environments have become one of the sector’s most critical blind spots. According to their insights, the risk lurking within these systems may exceed what most health systems would tolerate if they had full visibility—a reality underscored by recent industry surveys showing persistent gaps in asset awareness and protection.

The discussion featured Skip Sorrels, Field CTO and CISO at Claroty; Steven Ramirez, VP and CISO at Renown Health; and Jim Kuiphof, Deputy CISO at Corewell Health. Each described how routine facility equipment—often managed by non-IT departments—runs on the same networks as sensitive patient data, creating pathways for potential cyber intrusions. Sorrels noted that while healthcare organizations have spent years defending against threats targeting electronic health records, attackers are increasingly likely to shift focus toward the industrial systems that keep hospitals running.

“It’s only a matter of time before the hackers realize that what they’ve been doing for 10 years on the industrial side of the world, they’re going to apply to healthcare,” Sorrels stated during the session. He added that when he began assessing peer institutions two years prior, fewer than half could clearly define operational technology, and many security teams lacked visibility into equipment overseen by facilities management.

This lack of awareness extends to how devices are classified and monitored. At Renown Health, Ramirez explained that his team implemented a framework to categorize every connected asset as either patient-supporting or non-patient-supporting. For example, a recent upgrade to the hospital’s pneumatic tube system was classified under OT due to its role in transporting medications and specimens—despite not being a clinical device in the traditional sense.

The challenge is further compounded by organizational silos and inconsistent processes. A 2025 survey conducted by Asimily, an IoT and OT risk mitigation platform, found that 43% of hospital CISOs identified complete visibility into network-connected medical devices as their top cybersecurity challenge. When asked about barriers to effective risk management, one-third cited internal process issues, while 30% pointed to ongoing visibility gaps and 20% cited data overload.

Compounding these issues, the survey revealed that only 22% of hospital CISOs prioritize vulnerability remediation based on device usage and clinical criticality—a method widely regarded as best practice for focusing limited resources on the highest-risk assets. Instead, 18% rely on manual review processes, and 15% admit to having no formal procedure at all for addressing weaknesses in internet-connected medical equipment.

These findings align with broader concerns about the expanding attack surface in healthcare environments. As more building systems, logistics tools, and support infrastructure become IP-enabled, the line between IT and OT continues to blur. Unlike traditional servers or workstations, many OT devices were not designed with cybersecurity in mind, often running outdated software or lacking basic authentication controls.

In response to these threats, the panelists converged on a single practical solution: network segmentation. By isolating operational technology networks from those handling electronic health records and other sensitive data, hospitals can limit the lateral movement of attackers even if a breach occurs. Segmentation allows security teams to apply tailored monitoring and access controls to different zones, reducing the likelihood that a compromised elevator controller could lead to exposure of patient records.

Ramirez emphasized that segmentation is not merely a technical tactic but a strategic necessity. “We treat OT like a separate zone with its own rules,” he explained. “That doesn’t mean we ignore it—it means we understand its unique risks and protect it accordingly.” This approach requires collaboration between IT, clinical engineering, and facilities teams to map out device interactions and enforce boundaries without disrupting essential services.

Experts agree that achieving effective segmentation begins with discovery. Hospitals must first inventory all connected assets, understand their communication patterns, and assess which systems pose the greatest risk if compromised. Tools that provide passive network monitoring and behavioral analysis are increasingly used to map these environments without impacting performance.
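The three ideas above (classifying every asset into a zone, writing down which zones may talk to which, and using passive flow observations to map what actually communicates) can be tied together in a small policy checker. The following is an added example written for this article, not code from Claroty, Renown Health, Corewell Health or any of the panelists; the inventory, zone names, IP addresses, allowed zone pairs and flow records are all constructed, and the flow format is a simplified "src dst dport proto" subset rather than any tool's native log.

```python
"""Added example (not from the panel or any vendor): a tiny zone-policy checker
that runs over constructed passive-monitoring flow records and an asset
inventory, reporting (a) the observed zone-to-zone communication matrix used
for discovery and (b) flows that cross a boundary the segmentation policy
does not allow. Asset names, IPs, zones and flows are all constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory; in practice a CMDB or OT discovery tool would supply this.
# 'patient_supporting' mirrors the two-way classification described in the article.
INVENTORY = {
    "10.10.1.5":  {"name": "elevator-controller-A",     "zone": "OT",       "patient_supporting": False},
    "10.10.1.9":  {"name": "pneumatic-tube-ctrl",      "zone": "OT",       "patient_supporting": True},
    "10.20.2.14": {"name": "ct-scanner-01",            "zone": "CLINICAL", "patient_supporting": True},
    "10.30.3.2":  {"name": "ehr-app-server",           "zone": "EHR",      "patient_supporting": True},
    "10.40.4.7":  {"name": "sec-monitoring-collector", "zone": "IT",       "patient_supporting": False},
}

# Segmentation policy (constructed): which (source zone, destination zone) pairs may talk.
# Same-zone traffic is implicitly allowed; every other cross-zone pair is a violation.
ALLOWED_CROSS_ZONE = {
    ("CLINICAL", "EHR"),   # imaging devices post results to the EHR
    ("IT", "OT"),          # monitoring collector polls OT devices
    ("IT", "CLINICAL"),
    ("IT", "EHR"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip, inventory=INVENTORY):
    """Return the asset's zone, or 'UNKNOWN' if it is not inventoried (a visibility gap)."""
    return inventory.get(ip, {}).get("zone", "UNKNOWN")


def parse_flows(text):
    """Parse constructed whitespace-separated 'src dst dport proto' records; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def zone_matrix(flows, inventory=INVENTORY):
    """Discovery view: how many flows were seen per (source zone, destination zone) pair."""
    return Counter((zone_of(f.src, inventory), zone_of(f.dst, inventory)) for f in flows)


def policy_violations(flows, inventory=INVENTORY, allowed=ALLOWED_CROSS_ZONE):
    """Flows that touch an unknown asset, or cross zones in a way the policy does not permit."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src, inventory), zone_of(f.dst, inventory)
        if "UNKNOWN" in (sz, dz):
            findings.append((f, "unknown asset - inventory gap"))
        elif sz != dz and (sz, dz) not in allowed:
            findings.append((f, f"{sz}->{dz} not permitted by segmentation policy"))
    return findings


# Constructed sample of passive observations (not real traffic).
SAMPLE_FLOWS = """
# src           dst          dport proto
10.10.1.5       10.10.1.9    502   tcp
10.40.4.7       10.10.1.5    161   udp
10.20.2.14      10.30.3.2    2575  tcp
10.10.1.9       10.30.3.2    445   tcp
10.10.1.5       10.50.5.1    80    tcp
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (sz, dz), n in sorted(zone_matrix(flows).items()):
        print(f"{sz:>8} -> {dz:<8} {n} flow(s)")
    for f, reason in policy_violations(flows):
        print(f"VIOLATION {f.src}->{f.dst}:{f.dport}/{f.proto}: {reason}")
```

Run as-is, the matrix shows the expected intra-OT, IT-to-OT and CLINICAL-to-EHR traffic, then flags the two things a segmentation programme most needs to surface: an OT controller reaching the EHR server directly, and a flow to an address that is not in the inventory at all. The second finding is the "asset awareness" gap the surveys describe; the checker treats it as a finding rather than silently assigning a zone.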

The urgency is heightened by evolving threat intelligence. While ransomware remains a dominant concern—cited by 24% of respondents in the Asimily survey as a top priority—there is growing evidence that adversaries are probing healthcare OT environments for weaknesses. Past incidents involving ransomware targeting building management systems or diagnostic imaging devices demonstrate how disruption to non-clinical operations can cascade into patient care impacts.

Looking ahead, industry leaders stress that cybersecurity in healthcare must evolve beyond protecting data to safeguarding continuity of operations. As Sorrels put it, “The goal isn’t just to stop hackers from stealing information—it’s to make sure the lights stay on, the elevators run, and the sterilizers work when they’re needed.”

For healthcare leaders seeking to strengthen their defenses, the next steps involve conducting comprehensive asset inventories, adopting segmentation frameworks aligned with clinical risk assessments, and fostering cross-departmental accountability for OT security. Guidance such as the Health Industry Cybersecurity Practices (HICP) publication and the frameworks published by the National Institute of Standards and Technology (NIST) continues to evolve in response to these challenges.

As hospitals navigate this complex landscape, maintaining awareness of what’s connected—and ensuring it’s properly isolated—remains a foundational step toward resilience.

Stay informed about developments in healthcare cybersecurity by following updates from trusted sources such as the Health Sector Coordinating Council and CISA’s Healthcare and Public Health Sector portal. Share your thoughts on how hospitals can better protect their operational technology in the comments below, and help spread awareness by sharing this article with colleagues in the field.
