Why Hospital Cybersecurity Fails on Paper (and in Practice)

Reading time
7 minutes

Category
Trends and Reports

Summary

On paper, hospital cybersecurity’s vitals look stable.

Policies documented. Audits passed. Dashboards green. If you needed to present to your board tomorrow, you could make it look reassuring. Most CISOs can.

But earlier this year, we hosted a closed Hack the Hospital roundtable with CISOs, IT leaders, and auditors from across the Netherlands. Off the record. No slides, no PR filter. And what came up wasn’t phishing, tooling gaps, or budget complaints.

It was structural exposure.

Two things kept surfacing. First, large parts of the hospital environment remain invisible: OT systems, vendor connections, and legacy infrastructure that nobody has eyes on. Second, the mechanisms designed to provide assurance (audits, certifications, compliance frameworks) are measuring the wrong things.

That combination doesn’t show up in a compliance report. But it shows up fast when something goes wrong.

This blog captures what was said in that room, and what it means for anyone responsible for keeping a hospital running under attack.

The systems nobody is watching

Ask a hospital CISO what they’re protecting and they’ll describe the obvious: laptops, servers, cloud infrastructure, patient data.

Ask them what worries them most, and the answer shifts.

HVAC controllers. Lab automation systems. Imaging workstations running operating systems that predate the iPhone. Infusion pumps connected to the same network as everything else.

These systems keep patients alive. They also can’t be patched, can’t run endpoint agents, and in many cases produce no logs that anyone is actively reviewing.

In the roundtable, multiple participants said the same thing in different ways: they don’t have full visibility into their OT environment. Not because they haven’t tried. But because these systems were built to last thirty years, not to be monitored, segmented, and continuously verified.

And because OT rarely appears prominently in audit frameworks, the blind spot is never formally surfaced. It just persists.

An attacker who moves quietly through OT infrastructure has time on their side. In most hospitals today, they would not be seen until something stopped working.

The access nobody can revoke

This was the moment in the room that generated visible discomfort.

Medical device vendors require network access to support and maintain their equipment. That’s legitimate. What’s less comfortable is what happens next.

Once the contract is signed, once the system is embedded in clinical workflows, the hospital’s ability to restrict that access effectively disappears. Security teams described the same cycle repeating across institutions:

  • Attempt to limit vendor access.
  • Face resistance.
  • Receive a warning that uptime cannot be guaranteed if access is restricted.

In a hospital, “uptime cannot be guaranteed” is not a negotiating position. It’s a clinical threat.

So, the access stays. Broader than it should be. Persistent when it should be time-limited. Connected to systems it doesn’t need to reach.

This is not a failure of your SOC. It’s a procurement problem that became a security problem, and it happened before your security team had any say in it.

Vendor dependency in healthcare isn’t incidental. It’s structural. And structural risk doesn’t go away because you’ve documented it in a risk register.

Audit ≠ Resilience

Here’s what an audit confirms: that your controls are documented, your roles are defined, your governance structure exists on paper.

Here’s what an audit does not confirm: whether you can contain ransomware spreading through your OT environment at 2am on a Saturday.

Every CISO in that room understood this. Most had stories that illustrated it. The audit passes. The certification is renewed. And somewhere in the building, there’s a legacy imaging system on a flat network segment that nobody has touched in four years because touching it means risking clinical availability.

Compliance measures documentation.

Resilience measures survival.

They are not the same standard. Treating them as equivalent is one of the most expensive mistakes in healthcare security.

Why availability changes every decision you make

In most industries, confidentiality is the first priority in the CIA triad. In healthcare, availability comes first, and everything else follows from that.

When lab systems go offline, surgeries are postponed. When imaging fails, clinicians work without diagnostic support. When environmental controls malfunction, operating theaters close.

Downtime in a hospital isn’t a financial inconvenience. It is delayed care. In the worst cases, it is harm.

Every security decision gets made in that context. Patch windows compress because systems can’t go offline during clinical hours. Vendor access stays broad because restricting it risks availability. Segmentation is implemented cautiously because the dependencies between systems are poorly mapped and nobody wants to find out what breaks.

Each of those decisions is defensible in isolation.

Together, they create an exposure profile that doesn’t appear in any quarterly security report, until something forces it to.

The question your board isn’t asking, but should be

“Are we compliant?” is the wrong question.

The right question is: if we’re under active attack right now, how far can they go?

How many systems can an attacker reach from a single compromised vendor credential? How quickly can you isolate OT from IT if something starts spreading? How long before you even know it’s happening?

Legacy systems aren’t going away. Vendor dependencies aren’t going away. Audits will continue to be passed.

So, the issue isn’t perfection. It’s containment. And containment requires limiting implicit trust: in vendor access, in flat network architectures, and in the assumption that because something has always been connected, it should remain so.

Where Zero Trust actually matters

Zero Trust gets discussed a lot as a framework. In healthcare, it’s more useful to think of it as a discipline for one specific problem: limiting how far disruption travels.

Not eliminating risk. Not replacing legacy systems overnight. Not solving the vendor dependency problem in a single procurement cycle.

But: who can reach what, under what conditions, for how long, and can you answer that question for every system in the building, including the ones that haven’t been on anyone’s radar?

In a hospital, the difference between a contained incident and a care-disrupting crisis often comes down to blast radius. Zero Trust is the methodology for making that radius smaller.
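To make “how far can they go” concrete (the question posed to the board above, and the “who can reach what, under what conditions, for how long” test that follows), here is an added example. It is not code from the roundtable or from any of the hospitals involved; it is a small reachability model written for this page. The asset names, zones, vendor names, access grants and both policies are constructed for illustration; in practice they would come from the CMDB, the firewall rule base and the vendor access gateway. It computes the blast radius of one compromised vendor jump host under a flat policy and under a segmented one, then reviews each vendor grant for reach it does not need, reach it needs but the policy blocks (the “uptime cannot be guaranteed” conversation, which should end in an explicit narrow path rather than a wider one), and grants that never expire.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed inventory for the example: asset name -> network zone.
# Names and zones are hypothetical, not a real hospital's.
ASSETS: Dict[str, str] = {
    "vendor-jumphost": "vendor",      # where vendor support sessions land
    "ct-scanner-1": "imaging",
    "imaging-ws-legacy": "imaging",   # the unpatched workstation on the flat segment
    "pacs-server": "imaging",
    "lab-analyzer-2": "lab",
    "lis-server": "lab",
    "hvac-controller": "building",
    "ehr-db": "clinical",
}
ZONES: Set[str] = set(ASSETS.values())

# Flat network: every zone may initiate connections to every zone.
FLAT_POLICY: Dict[str, Set[str]] = {z: set(ZONES) for z in ZONES}

# Segmented network: zone -> zones it may initiate connections to.
# The vendor zone reaches only the imaging zone it supports, and imaging
# has no onward path into lab, building or clinical networks.
SEGMENTED_POLICY: Dict[str, Set[str]] = {
    "vendor": {"vendor", "imaging"},
    "imaging": {"imaging"},
    "lab": {"lab"},
    "building": {"building"},
    "clinical": {"clinical", "imaging", "lab"},
}


def blast_radius(start: str, policy: Dict[str, Set[str]]) -> Set[str]:
    """Assets reachable from `start` by following zone-to-zone rules (BFS).

    Each hop: from an asset in zone z, an attacker can reach any asset whose
    zone appears in policy[z]. The starting asset is not counted."""
    seen = {start}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        allowed = policy.get(ASSETS[here], set())
        for asset, zone in ASSETS.items():
            if zone in allowed and asset not in seen:
                seen.add(asset)
                queue.append(asset)
    seen.discard(start)
    return seen


@dataclass
class VendorGrant:
    vendor: str
    source: str                 # asset the vendor's session lands on
    needs: Set[str]             # assets the support contract actually requires
    expires: Optional[datetime]  # None models the persistent access the text describes


def review_grant(grant: VendorGrant, policy: Dict[str, Set[str]], now: datetime) -> dict:
    """Compare what a grant can reach with what it needs, and check its lifetime."""
    reach = blast_radius(grant.source, policy)
    return {
        "vendor": grant.vendor,
        "reachable": len(reach),
        "excess": sorted(reach - grant.needs),    # reachable but not required: tighten
        "blocked": sorted(grant.needs - reach),   # required but not allowed: add a narrow path
        "persistent": grant.expires is None,      # no expiry at all
        "expired": grant.expires is not None and grant.expires <= now,
    }


# Fixed clock so the example is reproducible; the grants are constructed.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    VendorGrant("ScanCo (hypothetical)", "vendor-jumphost", {"ct-scanner-1"}, None),
    VendorGrant("AnalyzerCo (hypothetical)", "vendor-jumphost", {"lab-analyzer-2"},
                NOW + timedelta(hours=4)),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"[{name}] blast radius from vendor-jumphost: "
              f"{sorted(blast_radius('vendor-jumphost', policy))}")
        for g in GRANTS:
            print(f"[{name}] {review_grant(g, policy, NOW)}")
```

Under the flat policy one vendor credential reaches every other asset in the inventory, including the HVAC controller and the EHR database the vendor has no contractual reason to touch. Under the segmented policy the same credential reaches only the three imaging assets, but the model also flags that AnalyzerCo’s lab analyzer is now unreachable: the answer to that is a single explicit vendor-to-lab-analyzer rule, not reopening the whole vendor zone. The “persistent” flag on the ScanCo grant is the procurement-era access the roundtable described, surfaced as a finding rather than left in a risk register.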

The CISOs in that room weren’t looking for a perfect environment. They were looking for one where a compromise doesn’t cascade.

That’s an achievable goal. But it requires treating availability and security as complementary, not as competing priorities, and building governance structures that address risk before it becomes embedded in a contract.


FAQ

Because audits measure documentation and governance. They don’t test whether you can contain an active attack in your OT environment. Compliance and resilience require different standards, and currently, most healthcare organizations are only formally measured on one of them.

OT (operational technology) includes HVAC systems, lab automation, imaging devices, infusion pumps, and building management platforms. These systems directly support patient care, are often unmonitorable with standard tools, and create significant visibility gaps that attackers can exploit.

Because medical device vendors require network access as a contractual condition of support, and once clinical systems depend on that access, restricting it becomes a clinical risk decision, not just a security one. The problem is baked into procurement before security teams are involved.

It means you can satisfy every compliance requirement and still be unable to contain ransomware spreading through your environment. Audits verify documentation. Resilience is measured by how fast you can limit damage when something goes wrong.

By focusing on blast radius reduction: identity-based access controls, time-limited vendor sessions, OT/IT segmentation, and governance that treats implicit trust as a risk, not a default. The goal isn’t a perfect environment. It’s one where a compromise doesn’t cascade into a care disruption.