Theatres of Risk: Rethinking Cybersecurity in Healthcare as Operational Technology, Not IT

This article argues that medical theatres and hospital systems should be treated as Operational Technology (OT) environments rather than traditional IT. It highlights how flat networks, embedded legacy systems, and an overwhelming focus on availability over security create critical vulnerabilities. The piece calls for a shift in governance, risk modelling, and procurement practices to align with the cyber-physical realities of modern healthcare infrastructure.

Introduction

The dominant approach to cybersecurity in healthcare, particularly within NHS trusts, remains squarely focused on traditional IT risk postures: laptops, desktop estates, firewalls, and perimeter defence. Yet within the bowels of the hospital, where care becomes acute and seconds matter, lies an entirely different world. Medical theatres, surgical units, intensive care systems, and even radiology suites operate less like an enterprise IT environment and more like a factory floor. These are not office networks. They are Operational Technology (OT) environments masquerading as IT.

And this mischaracterisation is creating critical blind spots in healthcare cybersecurity.

Healthcare as an Operational Technology (OT) Environment

1. IT vs OT: A Category Error in Healthcare Cyber

Operational Technology refers to computing systems that interface directly with the physical world: systems that monitor, control, or interact with physical processes. In manufacturing, think of programmable logic controllers (PLCs). In energy, think of SCADA systems. And in hospitals? Think of infusion pumps, anaesthesia machines, mobile imaging units, telemetry monitors, and integrated theatre control systems.

Unlike IT systems, where the primary security goal is data confidentiality, OT systems prioritise availability and safety. You cannot patch a critical device mid-surgery. Downtime is not just costly, it’s life-threatening.

Treating theatres as IT overlooks this paradigm. Instead of asset lifecycle management tied to uptime-critical infrastructure, hospitals apply patch schedules and endpoint controls designed for email servers. The result? Fragile, flat networks kept alive by duct tape, domain controllers, and blind trust.

2. The Flat Network Problem: A Perfect Storm for Lateral Movement

Hospital theatres and medical device ecosystems are often built on flat, minimally segmented networks. This is not an oversight; it is a feature by design. Flat networks are easier to deploy, troubleshoot, and maintain. When your core KPI is keeping machines operable 24/7, adding segmentation becomes a barrier rather than a solution.

But this convenience comes at a cost. Flat networks enable lateral movement, where a compromise on one device (e.g., a vulnerable Windows XP-based radiology workstation) can rapidly escalate to entire estates. In an OT environment, that can mean everything from false telemetry to disrupted surgery schedules.

Some NHS estates still run devices that were never designed with security in mind: serial-connected infusion pumps, embedded Linux boards with no update mechanism, and legacy systems with hardcoded credentials.

3. Availability at All Costs: Safety as a Threat Vector

There is a deeply ingrained ethos in healthcare that nothing must interrupt patient care. From a clinical standpoint, that’s laudable. From a cyber risk standpoint, it’s disastrous.

Security teams are often discouraged, explicitly or implicitly, from applying controls that might interrupt service. Routine vulnerability scans are forbidden on medical devices for fear they will crash embedded systems. This creates a tension between the Hippocratic imperative (“do no harm”) and the digital imperative (“detect and prevent compromise”).

It is a cultural clash that OT sectors like power and transport have already wrestled with. Healthcare is next in line.

4. Cyber is Not Just an IT Function… It’s a Clinical Risk Function

Theatres are cyber-physical environments. A corrupted PACS image sent to a radiologist is not just a file integrity issue; it is a misdiagnosis waiting to happen. A compromised anaesthesia machine is not just a hardware incident; it is a potential manslaughter charge.

Yet the governance of these risks remains siloed. Cyber risk reports in the NHS often sit with CIOs, not Chief Medical Officers. Medical device procurement is driven by clinical effectiveness, not cyber compatibility. And risk assessments fail to map cyber controls to patient safety outcomes.

We need a rethink. Cyber must be embedded as a clinical safety concern, not an IT hygiene checklist.

5. Towards a Cyber-OT Strategy for Healthcare

To remedy this, a practical roadmap is needed, one that recognises the unique cyber-physical context of healthcare:

  • Asset Visibility: You can’t defend what you can’t see. NHS Trusts need full inventories of connected medical devices and their network behaviours.
  • Segmentation by Default: Theatres should not share broadcast domains with outpatient records or hospital Wi-Fi. Microsegmentation can limit blast radius.
  • Dedicated OT Security Function: NHS Trusts should establish OT-specific security teams or upskill clinical engineering departments to manage digital risks.
  • Threat Modelling from a Safety Lens: Move beyond CIA (Confidentiality, Integrity, Availability) and think SAFETY. What could go wrong, and how could a patient die because of it?
  • Procurement as a Control Point: Devices must meet minimum security standards at the point of purchase. Anything less is a latent risk waiting to activate.
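As an added illustration of the first two roadmap items (Asset Visibility and Segmentation by Default), the following Python audit runs over a constructed device inventory and flags the flat-network condition described in section 2: theatre devices sharing a broadcast domain with outpatient records or guest Wi-Fi, and end-of-life hosts sitting on the same segment as safety-critical devices. This is example code written for this page, not tooling from the article or from any NHS trust; the inventory schema, zone labels, subnets and sample rows are all assumptions.

```python
"""Segmentation audit over a constructed device inventory (example, not NHS tooling)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed inventory rows; the schema (name, zone, subnet, os, eol) is an assumption.
INVENTORY = [
    {"name": "anaesthesia-01", "zone": "theatre", "subnet": "10.20.0.0/24", "os": "embedded-linux", "eol": True},
    {"name": "infusion-pump-07", "zone": "theatre", "subnet": "10.20.0.0/24", "os": "rtos", "eol": False},
    {"name": "radiology-ws-03", "zone": "radiology", "subnet": "10.20.0.0/24", "os": "windows-xp", "eol": True},
    {"name": "outpatient-records", "zone": "admin", "subnet": "10.20.0.0/24", "os": "windows-server", "eol": False},
    {"name": "guest-wifi-ap", "zone": "guest-wifi", "subnet": "10.20.0.0/24", "os": "ap-firmware", "eol": False},
    {"name": "telemetry-mon-02", "zone": "icu", "subnet": "10.30.0.0/24", "os": "embedded-linux", "eol": False},
]

# Zone classification assumed for the example: which zones are cyber-physical and
# which must never share a broadcast domain with them.
CLINICAL_ZONES = {"theatre", "icu", "radiology"}
NON_CLINICAL_ZONES = {"admin", "guest-wifi"}


def broadcast_domains(inventory):
    """Group devices by subnet; one subnet is treated as one broadcast domain."""
    domains = defaultdict(list)
    for dev in inventory:
        domains[str(ip_network(dev["subnet"]))].append(dev)
    return dict(domains)


def audit(inventory):
    """Return findings for the two risks the article names: flat networks that put
    theatre devices next to non-clinical systems, and end-of-life hosts that share a
    segment with safety-critical devices (the lateral-movement blast radius)."""
    findings = []
    for subnet, devices in broadcast_domains(inventory).items():
        zones = {d["zone"] for d in devices}
        if zones & CLINICAL_ZONES and zones & NON_CLINICAL_ZONES:
            findings.append({"subnet": subnet, "kind": "flat-network", "zones": sorted(zones)})
        eol_hosts = sorted(d["name"] for d in devices if d["eol"])
        exposed = sorted(d["name"] for d in devices if d["zone"] in CLINICAL_ZONES)
        if eol_hosts and exposed:
            findings.append({"subnet": subnet, "kind": "eol-reachability",
                             "eol_hosts": eol_hosts, "exposed": exposed})
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

On the constructed data the audit reports two findings against 10.20.0.0/24 and none against the ICU segment, which is the kind of output a clinical engineering team would need before it can argue for segmentation on safety grounds.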

Conclusion: Stop Pretending Theatres Are Offices

Until we reframe our approach, the NHS will continue to build digital hospitals with physical vulnerabilities. Cybersecurity is not just about patching servers in the back office; it is about preserving trust in the systems that keep people alive.

Medical theatres are not IT environments. They are critical OT zones. It’s time we stopped pretending otherwise.