Hack the Hospital: Cybersecurity requires Critical Care



Summary

Cybersecurity in hospitals isn’t just about protecting data.
It’s about protecting life.

When an attacker takes control of hospital systems, it’s not a spreadsheet that breaks. It’s the oxygen supply, the water treatment system, the temperature control in the ICU. A single digital command can ripple into the real world: quietly, instantly, dangerously.

We proved it.

At the ONE Conference (Europe’s prime cybersecurity forum), our live demo – Hack the Hospital – showed exactly how attackers can hijack operational technology inside a hospital.

We didn’t steal information.
We changed reality.

The forgotten half of cybersecurity

Every CISO knows their IT stack: firewalls, endpoints, cloud workloads.
But the physical side – OT – is often a blind spot.

Yet OT runs the systems that keep hospitals (and patients) alive:

  • The pumps that move clean water
  • The chemical dosing system
  • The HVAC, controlling pressure and air quality
  • PLCs and sensors (that no one has patched since 2009)

These aren’t just systems. They’re life support, literally.
And most are connected, often directly, to the same network your email runs on.

In our demo, attackers accessed the hospital’s water treatment system through a compromised VPN account. Within minutes, they could alter chemical levels without triggering any alarms.

The dashboards looked normal. The situation was not.

Why hospitals are prime targets

Hospitals sit at the crossroads of high stakes and low defenses.

They’re filled with:

  • Legacy OT systems running decades-old software
  • Complex supply chains with third-party access
  • Tight budgets that can’t keep up with the risk

To attackers, hospitals are the perfect target: critical, connected, and slow to change. If you control the machines that keep people alive, you have the perfect leverage.

This isn’t just theory either.

  • San Francisco Bay Area, 2021: Attackers accessed water treatment controls via TeamViewer, deleting chemical dosing files. Early detection prevented poisoning.
  • Düsseldorf University Hospital, 2020: Ransomware shut down hospital IT and OT systems, causing a patient death due to delayed care.

These aren’t just ‘cyber incidents’. These are public safety failures.

The hard truth: OT is a door you forgot to lock

In most hospitals, IT and OT still share a network. All it takes is one compromised account, one wrong click on a phishing email, or one forgotten VPN, and attackers can jump straight into the systems that control the building – and your patients’ environment.

And unfortunately, defending OT isn’t like defending IT.

You can’t install EDR on a 20-year-old controller.
You can’t patch equipment that’s always-on for patient safety.
You can only segment, monitor, and verify – or accept the risk.

The CISO Playbook: Start where it hurts the most

There’s a long and extensive list of actions that can (and perhaps should) be taken, but it’s not about ticking all the boxes. Forget perfection. Go for control.

  • Segment or surrender. If IT and OT talk freely, you’re already breached, you just don’t know it yet.
  • Know what you own. Create an asset inventory and assign responsibility. You can’t defend against what you can’t see.
  • Kill default credentials. Shared vendor passwords are open doors. Close them. And change those default passwords whilst you’re at it.
  • Reduce exposure. Turn off what you don’t use. Every service you leave running is another target.
  • Run drills, not audits. Simulate OT failure. Learn how your team responds when systems go dark.

These actions may not be glamorous, but they do save lives.
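
The segmentation, inventory and exposure items above can be checked against network flow records. The following is an added example, not code from the demo or from the original article: it audits flows entering an OT segment against an asset inventory. The subnet, jump host, inventory entries and flow records are constructed assumptions.

```python
import ipaddress

# Constructed sample data: subnet, jump host, inventory and flows are illustrative only.
OT_NET = ipaddress.ip_network("10.20.0.0/24")      # assumed OT segment
JUMP_HOSTS = {"10.10.5.10"}                        # assumed approved IT-to-OT gateway
# Asset inventory: OT address -> (owner, services the asset is expected to expose)
INVENTORY = {
    "10.20.0.11": ("water-treatment team", {502}),   # PLC, Modbus/TCP
    "10.20.0.12": ("facilities", {47808}),           # HVAC controller, BACnet/IP
}
FLOWS = [  # (source, destination, destination port)
    ("10.10.5.10", "10.20.0.11", 502),    # jump host to PLC: expected
    ("10.10.8.77", "10.20.0.11", 502),    # office workstation straight to PLC
    ("10.10.5.10", "10.20.0.12", 23),     # Telnet on the HVAC controller
    ("10.10.5.10", "10.20.0.40", 502),    # OT address nobody has inventoried
    ("10.20.0.11", "10.20.0.12", 47808),  # OT to OT: out of scope here
]

def in_ot(addr):
    """True if the address belongs to the OT segment."""
    return ipaddress.ip_address(addr) in OT_NET

def audit(flows):
    """Return (flow, reason) findings for flows that enter the OT segment."""
    findings = []
    for flow in flows:
        src, dst, port = flow
        if not in_ot(dst) or in_ot(src):
            continue  # only flows crossing into OT from outside are checked
        if src not in JUMP_HOSTS:
            findings.append((flow, "segmentation: source is not an approved jump host"))
        if dst not in INVENTORY:
            findings.append((flow, "inventory: destination has no owner on record"))
        elif port not in INVENTORY[dst][1]:
            findings.append((flow, "exposure: service not expected on this asset"))
    return findings

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(flow, "->", reason)
```

A flow can produce more than one finding, for example an unapproved source reaching an uninventoried asset.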

Zero Trust: The only cure that works

Hospitals can’t afford blind trust: not in devices, networks, or vendors. That’s where Zero Trust comes in.

It’s not just a buzzword. It’s triage.

Isolate what’s infected. Verify every connection. Grant access only when you must – and only for as long as needed.

It’s not about paranoia, not about not trusting your people. It’s about precision and control. The next OT incident won’t come with warning signs or blinking alerts – it will come disguised as ‘normal’.

Zero Trust keeps ‘normal’ from becoming lethal.

Act before it’s too late

The threats are already inside the system. The question isn’t if OT will be targeted, it’s when. And whether or not you’ll see it coming.

CISOs and hospital leaders face a simple choice: act now, or react later.

Segment. Verify. Plan. Practice.

Cyber risk in healthcare is no longer about compliance. It’s about survival. Protect what keeps people alive. Because when it comes to OT, this isn’t an exercise. It’s life or death.
