OT Security in Healthcare: Why Risk Ownership — Not Technology — Is the Biggest Gap, According to CISOs from Corewell, Renown & Claroty

Operational technology systems in healthcare facilities—ranging from heating and ventilation to medical gas delivery and pneumatic tube networks—have become critical yet poorly understood cybersecurity challenges. While hospitals invest heavily in protecting electronic health records and network infrastructure, the specialized equipment that keeps buildings running and patient care flowing often falls through the cracks of traditional IT security frameworks. This gap in protection has drawn increasing attention from cybersecurity leaders who argue that the greatest vulnerability in OT security isn’t technical at all, but organizational: determining who actually owns the risk when systems span multiple departments.

Recent discussions among healthcare cybersecurity executives highlight how the convergence of physical infrastructure and digital systems has created complex ownership questions. When a hospital’s elevator system connects to a network for maintenance monitoring, or when medical imaging devices rely on facility-wide cooling systems, the lines between facilities management, biomedical engineering, and information technology departments blur. This organizational ambiguity can delay risk assessments, complicate incident response, and leave critical systems exposed despite investments in cybersecurity tools.

To understand how leading health systems are approaching these challenges, it’s essential to examine the verified backgrounds and current roles of the professionals involved in these conversations. Jim Kuiphof serves as Deputy Chief Information Security Officer at Corewell Health, a position he has held following the 2022 merger of Spectrum Health and Beaumont Health that created one of Michigan’s largest healthcare systems. His responsibilities include overseeing the enterprise-wide information security program and leading the Cyber Fusion Center, which handles threat intelligence, incident response, and security operations across the organization’s 22 hospitals.

Steven Ramirez holds the title of Vice President and Chief Information Security Officer at Renown Health, Nevada’s largest locally governed, not-for-profit healthcare network. In this role, he directs cybersecurity strategy for a system that includes Renown Regional Medical Center, Renown South Meadows Medical Center, and numerous outpatient facilities across northern Nevada. His leadership encompasses security architecture, threat management, and compliance efforts tailored to the unique challenges of protecting healthcare infrastructure in a geographically diverse region.

Skip Sorrels functions as Field Chief Technology Officer and Field Chief Information Security Officer at Claroty, a company specializing in cyber-physical systems security for industrial and healthcare environments. In this dual role, he works directly with healthcare organizations to assess operational technology risks, develop segmentation strategies, and implement monitoring solutions designed to protect devices ranging from building automation systems to surgical equipment. His field position provides him with frontline insights into how hospitals across the country are managing—or struggling with—OT security integration.

Their collective expertise stems from years of hands-on experience securing complex healthcare environments where traditional IT security approaches often fall short. Unlike standard office networks, hospital operational technology includes life-supporting systems where cyber incidents could have immediate physical consequences. A compromised HVAC system might affect operating room sterility, while disrupted medical gas alarms could compromise patient safety during anesthesia. These real-world implications elevate the stakes beyond data breaches to include potential harm to patients and disruption of critical care services.

When examining why OT security presents unique challenges, these leaders consistently point to unclear accountability as the primary obstacle. In many hospitals, facilities management teams maintain responsibility for building systems like elevators and climate control, biomedical engineering departments service medical devices, and IT departments oversee network security—yet none may see itself as fully responsible for the cybersecurity of systems that exist at the intersection of these domains. This fragmentation can lead to gaps where vulnerabilities go unaddressed simply because no single department claims ownership.

The concept of segmentation emerges as a practical strategy for managing this complexity. By dividing network traffic into isolated zones—separating, for example, public Wi-Fi from clinical systems or isolating building automation controls from patient-facing networks—organizations can limit the potential spread of cyber threats. Segmentation doesn’t eliminate risk but creates valuable time for detection and response when incidents occur, effectively “buying time” for security teams to investigate and contain threats before they reach critical systems.

Third-party access represents another significant concern in OT security ecosystems. Healthcare facilities routinely rely on external vendors for maintenance, upgrades, and monitoring of specialized equipment—from elevator service companies to biomedical equipment technicians. Each external connection introduces potential pathways for cyber threats, particularly when vendors use remote access tools that may not align with the hospital’s security policies. Managing these relationships requires clear contracts, monitored access controls, and ongoing verification that vendors follow security protocols.

Perhaps most importantly, these cybersecurity leaders emphasize that focusing solely on vulnerability counts misses the point of effective risk management. A system might have numerous theoretical weaknesses identified through scanning tools, but if those weaknesses cannot be practically exploited due to network segmentation, monitoring controls, or physical isolation, they pose less immediate danger than a single exploitable flaw in a critical pathway. This shift toward exploitability-based assessment helps organizations prioritize limited resources where they can produce the most meaningful difference in reducing actual risk.
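The following added example (not from the article or the organizations it quotes) contrasts a ranking by raw finding count with a ranking by reachability through the segmentation rules discussed earlier. The zone names, allowed flows, assets, and scoring formula are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: zones, flows and assets are hypothetical.
# ALLOWED_FLOWS[src] = zones that firewall policy lets src initiate traffic to.
ALLOWED_FLOWS = {
    "guest_wifi": set(),
    "vendor_remote": {"building_automation"},  # vendor maintenance path
    "corporate_it": {"clinical"},
    "clinical": set(),
    "building_automation": set(),
    "medical_gas": set(),                      # isolated zone
}
UNTRUSTED = {"guest_wifi", "vendor_remote"}

ASSETS = [
    {"name": "hvac-controller", "zone": "building_automation", "criticality": 4, "findings": 1},
    {"name": "gas-alarm-panel", "zone": "medical_gas", "criticality": 5, "findings": 12},
    {"name": "imaging-workstation", "zone": "clinical", "criticality": 4, "findings": 7},
    {"name": "lobby-kiosk", "zone": "guest_wifi", "criticality": 1, "findings": 3},
]

def reachable_zones(flows, sources):
    """Breadth-first search: zone -> hops from the nearest untrusted zone."""
    dist = {z: 0 for z in sources}
    queue = deque(sources)
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, ()):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist

def by_finding_count(assets):
    """Naive ranking: most scanner findings first."""
    return [a["name"] for a in sorted(assets, key=lambda a: a["findings"], reverse=True)]

def by_exploitability(assets, flows, untrusted):
    """Rank by criticality discounted per hop; unreachable assets score 0
    (deprioritised for now, not dismissed). The formula is an assumption."""
    dist = reachable_zones(flows, untrusted)
    scored = []
    for a in assets:
        hops = dist.get(a["zone"])
        exposed = hops is not None and a["findings"] > 0
        score = a["criticality"] / (1 + hops) if exposed else 0.0
        scored.append((a["name"], round(score, 2)))
    return sorted(scored, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    print("by count:         ", by_finding_count(ASSETS))
    print("by exploitability:", by_exploitability(ASSETS, ALLOWED_FLOWS, UNTRUSTED))
```

With this sample data, the asset with twelve findings sits in an isolated zone and drops to the bottom, while a single finding on a controller reachable over the vendor path rises to the top.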

The evolving nature of healthcare technology continues to reshape these discussions. As hospitals adopt more connected devices—from smart beds that monitor patient movement to pharmacy robots that dispense medications—the attack surface expands in ways that traditional security models weren’t designed to handle. Simultaneously, the increasing use of artificial intelligence in building management and clinical operations introduces new considerations for how machine learning systems interact with legacy operational technology.

For healthcare organizations seeking to improve their OT security posture, several practical steps emerge from these expert conversations. First, establishing clear governance structures that define responsibility for OT risk across departments can eliminate ambiguity. Second, implementing network segmentation based on criticality and function helps contain potential breaches. Third, developing specific protocols for vendor access reduces third-party risks. Finally, adopting risk assessment methodologies that prioritize exploitability over simple vulnerability counts ensures resources focus on the most pressing threats.

The conversation around operational technology security in healthcare remains active and evolving. As systems become more interconnected and threats grow more sophisticated, the need for clear ownership, practical controls, and risk-based prioritization will only increase. Healthcare leaders who successfully navigate these organizational and technical challenges will be better positioned to protect both their digital infrastructure and the physical systems that enable safe, effective patient care.

Those interested in following developments in healthcare OT security can monitor announcements from major healthcare systems, track guidance from the Health Sector Coordinating Council’s Cybersecurity Working Group, and review publications from organizations like the Cybersecurity and Infrastructure Security Agency (CISA) that address healthcare-specific threats. These sources regularly provide updates on emerging risks, recommended practices, and incident reports relevant to hospital operational technology environments.

As healthcare continues to integrate digital and physical systems in pursuit of better patient outcomes, the collaboration between facilities teams, biomedical engineers, and IT security professionals will remain essential. The organizations that succeed will be those that recognize that in OT security, the most important defenses aren’t just firewalls and encryption—they’re the clear lines of responsibility and communication that ensure everyone knows exactly who owns the risk.
