Security

How to Protect Healthcare’s Critical Infrastructure and Maintain Continuity of Care

Increased artificial and natural threats to critical infrastructure in clinical care environments make the protection of systems a top priority for healthcare organizations.

Matt Sickles

Matt Sickles is an executive healthcare strategist at CDW Healthcare with over 30 years of experience in leading-edge information security- and technology-related fields.

Human-directed and naturally occurring events are becoming more frequent and intense, and can threaten a health system’s ability to maintain continuity of care. These sequences can increase the likelihood of a substantial disruption to a healthcare organization’s operational technology and critical infrastructure.

The automatic and programmatic delivery of modern OT and critical infrastructure presents another concern. Systems such as power, water and water reclamation are highly automated but, in many cases, are vulnerable to security risks. Several factors contribute to this lack of robust security, including a lack of governance over third parties that manage and operate crucial systems, along with outdated legacy equipment that organizations are often unable to update in the challenging economic environment for healthcare.

While the situation may seem bleak, the healthcare industry can protect its OT if organizations take the necessary steps to secure critical infrastructure that will promote continuity of care.

DISCOVER: How can organizations protect critical infrastructure in an evolving threat landscape?

The Current State of Healthcare OT and Critical Infrastructure

Technology is often the last thing organizations focus on when thinking about OT and critical infrastructure planning, but that is incredibly short-sighted. In an efficient clinical environment, proper functioning OT and critical infrastructure work together.

When a patient arrives at the emergency department through the ambulance bay, it must be well lit. The automatic doors must open. Once the patient is inside the hospital, the elevators must have power to transport them to the proper floor. From the time a patient enters a facility to their initial triage and treatment, critical infrastructure must be ready to provide a continuum of care.

Modern health system campuses rely on critical resources such as power, backup generators and water to support clinicians in their efforts to provide care. For example, when Hurricane Helene caused devastating floods in western North Carolina in September 2024, it was a stark reminder that when a hospital loses water and power, it is no longer viable. It it can no longer sanitize tools, wash linens or distribute critical services through a centralized system. A power outage and lack of sufficient battery backups could also disrupt the delivery of medications through automated medical devices.

Click the banner below to learn why cyber resilience is essential to healthcare success.

x-cyberresillience4-static-2024-na-desktop

x-cyberresillience4-static-2024-na-mobile

If organizations lack the necessary skills and resources, maintenance and management of the tools and technologies, along with training and uplift to support their OT and critical infrastructures, they risk increased and protracted downtime.

Internet connectivity is another vital component of critical infrastructure. Systems such as electronic medical records rely on consistent connectivity; for resiliency, networks should be augmented with redundant fiber or satellite communication. Adding a resilient mode of communication gives providers options, which is vital when challenges arise during an emergency.

Budget constraints are another challenge facing healthcare OT and critical infrastructure. Due to the rising cost of care, cuts to federal funding and other financial pressures, many healthcare organizations are forced to limit their investments. As a result, aging technologies become more vulnerable to cyberthreats.

How Health Systems Can Better Protect OT and Critical Infrastructure

The first step to protecting OT and critical infrastructure is understanding how an organization’s clinical care model relies on these systems. If they are manually operated, what resiliency model is in place? Are there staff members who can maintain these systems during a natural disaster or other major event within the hospital or community? In the event of a natural disaster, cyberattack or other major disruption, can the organization maintain the continuity of care and continue to operate?

The last thing a hospital wants — especially a trauma center — is to be unable to provide patient care. Diversion to another facility or system can significantly impact patient outcomes. That’s why it’s important for organizations to understand how these critical system flows support and enhance existing and planned business continuity and disaster recovery efforts.

Working with an experienced technology partner can help healthcare organizations gain the experience needed to better protect their OT and critical infrastructure systems. A partner like CDW can help determine their systems’ inputs and outputs with an understanding of how individual systems rely on each other. CDW can also identify what type of alerting and monitoring is available, if any. Our experts — with extensive clinical experience — can recommend needed improvements to systems for an enhanced model of care.

If there is a gap in alerting and monitoring, CDW can develop an incident recovery program — focused on the resiliency of critical care systems — and even deploy capabilities to orchestrate and enhance automation. This ensures multiple levels of resiliency that don’t rely entirely on human interaction.

CDW experts will ensure there are consistent resiliency models in place across the entire healthcare system, not just within a single building or campus. Developing backup plans for each stage of the care journey is crucial to ensuring continuity of care amid an evolving threat landscape — a necessary continuum resulting in enhanced patient outcomes.

This article is part of HealthTech’s MonITor blog series.