For localized information and support, would you like to switch to your country-specific website for {0}?
- Insights
- Healthcare Transformers
- Cybersecurity in healthcare: IT, OT, and IoMT security and beyond
Key takeaways
Sensitive patient data has high value to threat actors, and when combined with complex connected technologies, can make healthcare systems an attractive target for cybercriminals
Successful cyber attacks can significantly compromise operations, financial stability, and patient safety
Organizations must champion proactive cyber resilience throughout the ecosystem to remain secure against existing and evolving threats
Healthcare organizations have some of the most diverse and complex asset ecosystems across any industry. The patient journey from initial admission and diagnosis, through to treatment, final discharge, and potentially follow-up care, is supported by an extensive web of systems and tools. Outdated legacy technologies are blended with innovative digital solutions that bring the promise of improved outcomes and efficiencies. While this digital transformation is necessary, it creates an ecosystem with an ever increasing “attack surface” that is vulnerable to sophisticated threats.1
During a panel discussion, experts from cybersecurity organizations Fortinet and Armis, along with Roche Diagnostic’s Global Head of Product Security and Privacy Organization, Olivier Convard, discussed these risks. They believe they extend beyond cyberattacks, and healthcare organizations must embed cyber resilience into every process to ensure patient safety is at the forefront of any strategy for IT, OT, and IoMT security.
Unique cybersecurity risks in healthcare
Healthcare organizations are characterized by complex networks where traditional IT, medical devices, and building infrastructure converge across the modern patient journey. A patient’s data lifecycle begins at intake, where their “digital twin” is created. Confidentiality and restricted access are paramount at this stage to ensure the privacy of a patient’s Electronic Medical Record. The data lifecycle quickly expands during diagnosis, where laboratory and imaging equipment append high-fidelity clinical data. At this stage, the integrity of the information is critical, as even the slightest unauthorized alteration to a diagnostic result can lead to catastrophic clinical errors.
As the patient moves into active treatment, the ecosystem becomes a live stream of information where bedside monitors and automated medication dispensers process real-time vitals. The availability of data is no longer just a convenience, but a life-saving necessity; any system downtime or latency can disrupt the delivery of medication or the monitoring of a failing heart. At discharge, the web of connectivity extends beyond the hospital walls via e-prescribing and remote monitoring devices, carrying security requirements into the home.
However, this clinical flow represents only a fraction of the total operational environment. The security of data relies on technical controls such as computers and cloud-based instruments, administrative controls such as policies, procedures, and training, and physical controls within the healthcare system, which can often be overlooked by security teams. For example, if a hospital's parking gates, automated doors, or elevators fail, the patient journey is halted before it even begins.
Vulnerabilities in non-medical operational technology (OT) systems can also pose a threat to clinical care. Heating, Ventilation, and Air Conditioning (HVAC) units and humidity regulators are critical to maintaining sterile operating environments. If these fail, surgeons are forced to cancel surgeries due to immediate infection risks. In specialized wards, such as those treating tuberculosis, airflow regulation systems are mandatory to prevent localized infection outbreaks that could compromise the health of the entire unit.
Ultimately, this integrated journey creates a sprawling, multi-layered “attack surface” where the confidentiality, integrity, and availability of data are inextricably linked to the physical safety and trust of the patient.2
The economic value of a healthcare breach
Unlike a credit card, which can be easily shut down and replaced if compromised, a medical record is a permanent digital asset that cannot be “reset”.This permanence creates a lucrative marketplace for cybercriminals who exploit the confidentiality, integrity, and availability of patient data through three primary drivers:
Extortion through vital availability: Attackers use ransomware to target the “live-stream” of data in hospital ecosystems and freeze the availability of life-critical systems. They understand that a hospital’s inability to access patient vitals or surgical schedules creates an immediate, life-threatening pressure to pay high-value ransoms.3
Multi-generational fraud cycle: A medical record contains highly sensitive data, including tax IDs, insurance details, and biometrics, and therefore serves as a master key for long-term identity theft. While a credit card is a one-time score, a compromised medical identity allows for years of fraudulent insurance claims, tax redirects, and illegal prescriptions, significantly increasing the lifetime value of the stolen data.3
Weaponizing data integrity: Attackers recognize that the integrity of healthcare data is a hospital’s most sensitive vulnerability. The mere threat of subtly altering blood types or allergy information within a medical record creates a massive liability, making healthcare providers "soft" targets for high-stakes extortion.4
It is perhaps no surprise then that healthcare is currently one of the most targeted critical infrastructure industries globally.5 Recent research indicates that 90% of healthcare organizations experienced a cyberattack in the past year, and 99% of hospitals maintain at least one IoMT or OT device with a known exploitable vulnerability.6,7 This can be a lucrative area for ‘initial access brokers’ who look out for compromised accounts via cloud infrastructure, corporate VPNs, or remote access tools to gain access to the organization’s data. They are then able to sell this information on the dark web to other criminal groups. This type of activity is a growing threat, with research showing a 600% increase from 2023 to 2024, highlighting the importance of IT, OT, and IoMT security.8
Having gained or purchased access to networks, criminal collectives like the Interlock ransomware group are now utilizing the "double extortion" method. They encrypt data to disrupt services, while simultaneously threatening to leak sensitive patient records, which can result in millions of dollars in recovery costs for healthcare organizations. However, the impact of these attacks is not merely financial, it is also clinical. The average downtime following a ransomware attack is 18 days, a period during which clinical care could be severely delayed.6 A stark example from 2024 resulted in the death of a patient when a ransomware attack delayed critical blood test results, preventing timely diagnosis of a severe condition.9
Evolving regulatory requirements
With so much at stake, labs and hospitals are under pressure to adjust and adapt their cybersecurity frameworks. Compliance with regulations is no longer viewed solely as a legal necessity but as a critical component of patient safety, with strategies increasingly focused on the entire healthcare ecosystem. In the EMEA region, regulatory pressures are primarily shaped by a trio of major European Union frameworks—NIS2, DORA, and GDPR—alongside national standards and medical device-specific regulations.10 Regulatory requirements are based around several key themes:6,11
Real-time asset visibility: Organizations must take a dynamic, adaptive view of their environment by maintaining inventories that include unmanaged OT, IoT, and software
Vulnerability & risk management: Organizations must continually assess and prioritize risks based on potential patient harm, operational disruption, and data integrity
Security controls: Increasingly, medical device manufacturers are required to build in security measures such as encryption, access controls, monitoring, and patching during the development phase, rather than leaving the burden of security entirely on HDOs
Supply chain risk management: Organizations are under significant pressure to manage risks from vendors, particularly those with long-standing, unfiltered VPN access into hospital networks
Incident response & reporting: Robust strategies must be in place for threat detection, incident response, and regulatory reporting
Data protection & care availability: Regulations emphasize that data security is non-negotiable and organizations must safeguard access to patient data to maintain services and avoid fatal delays in diagnosis or treatment
Non-compliance with regulatory requirements can have significant implications for organizations, with violations of GDPR principles resulting in fines of up to 4% of global annual revenue.12
A framework-driven approach to IT, OT, and IoMT security
As cyber threats escalate and regulatory pressure increases, healthcare organizations must move beyond fragmented security to a converged, framework-driven approach that prioritizes patient safety and operational continuity. This requires a consistent enforcement layer across IT, OT, and IoMT environments, ensuring that visibility, segmentation, and response operate as a unified system. Cyber resilience is not a one-off project, but a continuous evolution of people, processes, and technology.
To guide these efforts, organizations look to established frameworks like the NIST CSF v2.13 While frameworks define the "what," integrated platforms combining visibility, segmentation, and threat intelligence help operationalize these frameworks across IT, OT, and IoMT environments to help deliver the "how" across key security pillars:6
Identify: This pillar centers on understanding the assets, environment, and risks associated with the organization. Integrated platforms can provide continuous, passive, and agentless discovery across IT, IoMT, and cloud environments to reveal what is connected and where vulnerabilities, and therefore risks, exist
Protect: The protect pillar involves safeguards such as zero-trust access, segmentation, and two-factor authentication, to ensure the delivery of critical services
Detect: Organizations must have the capability to identify the occurrence of a cybersecurity event using deep anomaly detection and behavioral analytics to surface malicious activity quickly. Utilizing services like FortiGuard Labs allows organizations to stay updated on the latest threat intelligence, such as the activity of initial access brokers or specific ransomware groups like Interlock
Respond: This pillar involves taking action once a cybersecurity incident is detected. Effective response requires clear communication between security operations and clinical teams to minimize clinical impact. Under GDPR, organizations must notify their supervisory authority of a breach within 72 hours
Recover: The recover pillar focuses on restoring any capabilities or services that were impaired due to a cybersecurity event. Platforms can provide forensic post-incident insights and continuous improvement data to support recovery and help the organization learn from the event
Govern: The govern pillar is the foundation for a comprehensive cybersecurity program and focuses on leadership and organizational strategy. Frameworks like NIS2 now introduce top-management accountability for non-compliance, effectively bringing cybersecurity into the boardroom
A proactive approach
A robust cybersecurity architecture in healthcare provides a comprehensive defense-in-depth approach that protects not only traditional IT systems but also the expansive attack surface of medical devices and building management systems. By integrating platforms for deep visibility and automated enforcement, organizations can move from reactive measures to proactive resilience and see several benefits.
One of the most significant benefits is the direct improvement to patient safety and clinical outcomes. A robust architecture ensures the availability and integrity of medical data, which is critical to avoid lengthy downtimes and protect the care-enabling services that underpin a facility, such as elevators and HVAC units. Research showed almost 30% improvement in patient outcomes by avoiding downtime caused by ransomware attacks.14
Beyond safety, a robust approach drives operational efficiency in organizations struggling with limited resources and personnel. Integrated platforms allow security teams to identify new assets on the network in under a minute, a process that traditionally takes several hours. Automation also leads to up to 80% reduction in manual security overhead, cutting through the administrative burden of opening and closing tickets so that staff can focus on actual risk mitigation.15 This streamlined process has contributed to a seven-fold increase in the rate of closed security findings and almost 60% reduction in patch cycle time.15,16
The financial and resource gains are equally substantial. By maintaining real-time visibility into medical device fleets, hospitals can optimize equipment usage and avoid duplication of purchases, often resulting in significant cost savings.17 Furthermore, using segmentation as a compensating control reduces the impact of an attack, ensuring that a single compromised device cannot paralyze an entire facility. This consolidation into a unified architecture also reduces tool fragmentation and lowers the total cost of security, which is essential for organizations operating under tight budgets.18
The ultimate benefit: Digital trust
A robust architecture is the foundation for regulatory compliance and provides the technical capabilities required to meet strict mandates like NIS2, DORA, and GDPR. It does this by specifically addressing requirements for real-time asset visibility, incident response, and supply chain risk management. The architecture also supports a "Digital Trust" framework. The stakes of healthcare cybersecurity are no longer limited to protecting data privacy; they are directly linked to patient outcomes. Organizations must work towards "Digital Trust" by prioritizing transparency, shared responsibility, and robust data governance. A framework based on this ensures that as healthcare innovates with digital transformation, the environment remains secure, compliant, and patient-centered. By treating healthcare cybersecurity solutions as a fundamental component of patient safety, healthcare providers can ensure they remain trusted partners in a digital-first world.
Get our latest insights
Join our community and stay up to date with the latest laboratory innovations and insights.
Contributors
Mohammad Waqas
Mohammad Waqas is an information security executive with over 20 years of experience in the cybersecurity industry. In his current capacity as the CTO of Healthcare at Armis, Mohammad helps healthcare organizations across the globe with establishing Patient-Centric Security Programs to bolster operational resilience and care availability against the growing healthcare attack surface. His work stems across Executive Leadership, Biomedical Engineering, and Cybersecurity teams for a holistic assessment and collaborative approach to achieving cyber resilience. He not only looks at the anatomy of cyberattacks on healthcare delivery organizations but also has a passion for protecting patient privacy and the implications of both on clinical risk management.
Antoine d`Haussy
Antoine joined Fortinet in 2019 to lead the OT Security Practice for EMEA. With 27 years of experience in product management, R&D engineering, sales and marketing, Antoine has worked for Industrial clients together with Fortinet, General Electric, ALSTOM, and Telco Carriers. In his Product Management roles for Control vendors, he led the digital solution portfolio including Cyber Security products and Services solutions. Antoine is a certified Global Industrial Cyber Professional (GIAC-GICSP) trained at SANS institute, and holds a MSc of Radiocom, Networking & IT and an MBA from Sda-Bocconi.
Geri Révay
Geri has more than 15 years of experience in cybersecurity. He started on this path as he specialized in network and information security in his M.Sc. in computer engineering. Since then, he has worked as a QA engineer for a security vendor, then changed to penetration testing first as an external consultant and then as an internal consultant at Siemens. He is a hacker at heart and a consultant by trade. He worked on both IT and OT systems. In the past years, he focused on security research in binary analyses and reverse engineering, which led him to Fortinet. At FortiGuard Labs, he currently does malware analysis, threat intelligence, and defense strategy.
Olivier Convard
Olivier is responsible for a robust, forward looking, industry influenced product security and privacy operations strategy that fosters digital trust with customers, patients and other stakeholders. Prior to this role, Olivier led the digital infrastructure lifecycle team dedicated to the discovery, development and marketing of technology for platforms solutions for operational and clinical diagnostics in labs and hospitals. He also led the Digital Development for Roche Diabetes Care driving new products and digitalization of medical devices. Before joining Roche, Olivier worked in the Dental & Orthopaedic, IT & Internet providers industries.
Explore articles from our community
Newsletter for healthcare leaders and experts
Written for experts by experts, we offer the healthcare newsletter of choice when it comes to leading healthcare transformation.
Healthcare Transformers delivers insights on digital health, patient experience, healthcare business, value-based care, and data privacy and security—key topics and emerging trends facing healthcare leaders today. Collaborating with esteemed industry experts and innovators worldwide, we offer content that helps you gain first-hand knowledge, explore challenges, and think through solutions on the most pressing developments and issues. Subscribe to our Healthcare Transformers newsletter today and get critical discussions and invaluable perspectives delivered straight to your inbox.
References
World Health Organization. [Internet; cited 2026 Apr 22]. Available from: https://www.who.int/news-room/questions-and-answers/item/cyber-attacks-on-critical-health-infrastructure.
Aldosari B. Cybersecurity in Healthcare: New Threat to Patient Safety. Cureus. 2025;17(5):e83614.
Breached Company. [Internet; cited 2026 Apr 22]. Available from: https://breached.company/healthcare-under-siege-47-ransomware-victims-in-30-days-as-patient-safety-crisis-deepens/.
Zarour M, et al. Ensuring data integrity of healthcare information in the era of digital health. Healthc Technol Lett. 2021;8(3):66–77.
Fortinet. [Internet; cited 2026 Apr 22]. Available from: https://www.fortinet.com/uk/solutions/industries/healthcare/cybersecurity-issues-in-healthcare.
Armis. [Internet; cited 2026 Apr 22]. Available from: https://www.armis.com/success/cyber-resilience-in-healthcare-a-strategic-approach-to-securing-the-patient-journey-success-en/.
The HIPAA Journal. [Internet; cited 2026 Apr 22]. Available from: https://www.hipaajournal.com/99-of-healthcare-orgs-managing-iomt-devices-with-known-exploited-vulnerabilities/.
Cybersecurity Dive. [Internet; cited 2026 Apr 22]. Available from: https://www.cybersecuritydive.com/news/initial-access-brokers-check-point/807315/.
BBC. [Internet; cited 2026 Apr 22]. Available from: https://www.bbc.co.uk/news/articles/cp3ly4v2kp2o.
Diamatix. [Internet; cited 2026 Apr 22]. Available from: https://diamatix.com/blog-eu-cybersecurity-map-iso27001-nis2-dora-gdpr/.
CYBERDAY. [Internet; cited 2026 Apr 22]. Available from: https://www.cyberday.ai/blog/comparing-eu-cybersecurity-frameworks.
GDPR.EU. [Internet; cited 2026 Apr 22]. Available from: https://gdpr.eu/fines/.
BITSIGHT. [Internet; cited 2026 Apr 22]. Available from: https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk.
Abbou B, et al. When all computers shut down: the clinical impact of a major cyber-attack on a general hospital. Front. Digit. Health. 2024 Feb 16;6:1321485.
Armis. [Internet; cited 2026 Apr 22]. Available from: https://www.armis.com/platform/armis-centrix-for-vipr-pro-prioritization-and-remediation/.
Armis. [Internet; cited 2026 Apr 22]. Available from: https://www.armis.com/newsroom/press/armis-blocks-99-of-cyber-attacks-and-delivers-351-roi-omdia-finds/.
Digital Matter. [Internet; cited 2026 Apr 22]. Available from: https://www.digitalmatter.com/blog/hospital-asset-tracking.
IBM. [Internet; cited 2026 Apr 22]. Available from: https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/unified-cybersecurity-platform.