Rethinking the healthcare attack surface

When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems. 

These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.

The OT cybersecurity expertise gap in healthcare organizations

Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors. 

On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees  dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.

When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications. 

What these findings reveal

Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.  

Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that  focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.  

However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.

Why OT cybersecurity expertise can be effective for healthcare organizations

The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time.  As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology. 

What can healthcare organizations do to secure their OT

Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience. 

However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes.  In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.  

In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy. 

‍

[related-resource]

Today’s SOC: A system under pressure

The SOC has been described as the:

• Control center for security systems management  
• Operations center for log analysis and alert response
• Command center for network monitoring and investigation

But the CISO at a manufacturer of industrial power solutions says today’s SOC is far more dynamic:

“The SOC is an active player in a never-ending chess match where the pieces are always moving, the rules are constantly changing, and we’re continuously adjusting our tactical and strategic approaches to keep up.”

This has created a balancing act for cybersecurity professionals:

• Support expanding digital estates to fuel innovation…or risk limiting business growth
• Stop advanced cyberattacks at scale…or risk severe financial and reputational impacts

But balancing these responsibilities is increasingly difficult. Attackers are operating at machine speed and scale using sophisticated, adaptive techniques that overwhelm teams and bypass legacy defenses. At the same time, more than half of cybersecurity teams are understaffed, and 65% have unfilled cybersecurity positions (ISACA).

“The SOC is hitting its breaking point,” admits the VP of IT at a U.S.-based risk management services provider.”

“That’s the hard reality,” affirms a Chief Digital and Technology Officer at a North American financial services organization. “SOC teams are drowning in alerts, wasting time researching the most benign incidents while missing critical threats.”

Traditional tools lack the context and autonomous reasoning needed to determine which ones are truly dangerous, requiring analysts to manually review and respond. But with thousands of alerts hitting SOCs daily, the task exceeds human capacity, with recent industry research revealing that 40% to 42% of security alerts now go uninvestigated.

“Our old governance models of throwing bodies at it, that’s not going to work,” says the Group CIO of a multinational holding company. “Attackers move at machine speed, and our defenses have to operate at the same pace. Using AI for cybersecurity is the only way to do that.”

Why AI is essential

AI is about speed, scale, and context.

SOC teams are still expected to find the proverbial “needle in a haystack”, but the haystack keeps growing. As digital infrastructures expand and threat actors use AI to rapidly scale attacks and exploit vulnerabilities, success isn’t about keeping up but changing the approach.

This is where AI comes in, enabling security teams to operate at machine speed and scale by:

• Analyzing vast amounts of data and correlating signals across domains within seconds
• Detecting possible threats in real time and taking immediate action to mitigate risk
• Prioritizing threats by severity and uncovering contextual details for rapid triage

The power of AI isn’t theoretical; it is transforming how today’s businesses operate.

The Chief Digital and Technology Officer at a financial services firm says within a single month of using Darktrace, the solution tracked billions of network events, autonomously investigated tens of millions of those incidents, and added the equivalent of 1,000 analyst hours of investigation. It also found threats that bypassed traditional tools, autonomously responding to contain or disrupt the threat on over 30,000 emails, including 18,000 the firm’s native email filter missed.

When Darktrace says it “takes action on a threat,” it generally means its platform can move beyond just detecting suspicious activity and automatically respond to contain or disrupt the threat—such as isolating a device, slowing or blocking suspicious network traffic, disabling risky user activity, or triggering security workflows—depending on how the system is configured.

AI isn’t about displacing humans.

AI is a powerful tool for handling large-scale data analysis, pattern detection, and repetitive tasks, but it cannot replace human critical thinking. By removing mindless work that does not require judgment, AI frees analysts to focus on what humans do best: applying reasoning, context, and sound decision-making to complex threats.

“AI is a workforce maximizer,” says the Chief Digital and Technology Officer. “It augments our team by monitoring and detecting threats at a scale beyond human capacity while providing the critical context we need to make faster, more confident decisions.

Rather than replacing people, AI is changing how security professionals work. Analysts can reclaim time previously spent on tedious, manual triage to focus on higher priorities and proactive initiatives like advanced threat hunting, strategic risk management, and security enablement and training.

“Aside from risk mitigation, our biggest ROI is in efficiency,” says the Head of Security at global business services provider. “What used to take 90% of our investigation time is now handled automatically, so we can focus on the final 10%, which requires critical thinking."

For SOC teams under pressure, the impact can be transformative, with security leaders reporting significant real-world outcomes using Darktrace Self-Learning AI^TM, including:

• Phishing emails reduced by 99%
• 1 million+ emails autonomously analyzed each month, with no email-based incidents reported
• Potential threats autonomously neutralized in under four seconds, on average  
• 99% of investigations conducted autonomously, surfacing only the high-priority 1% of threats for analyst review

How AI optimizes the SOC

To protect the modern enterprise, you absolutely need the right tools,” says CTO at leading European fashion brand. “Without them you’re a victim. With them, you’re a defender. AI and the machine speed detect/response it enables makes it the most critical tool.”

Replacing chaos with clarity and control  

It’s important to note that different AI solutions address different needs. Companies should clearly understand their specific use case and select the solution that best aligns with their goals, requirements, and operational needs.  

When it comes to choosing cybersecurity in a machine-speed threat landscape, time is the most valuable resource. Organizations require AI that can move from insight to action by:

• Learning an organization’s unique behavioral patterners
• Correlating signals across domains to detect anomalous activity
• Prioritizing events and autonomously responding at scale to the vast majority
• Quarantining high-impact threats until the SOC can investigate
• Arming analysts with deep, contextual information to accelerate investigations

“Darktrace AI gives us threat detections based on facts, not guesses,” says the Group CIO. “It moves the SOC beyond alert overload to confident, informed decision-making. When Darktrace flags something, we pay attention. False positives are very rare, so we act with speed and confidence without second-guessing.”

Replacing anxiety with confidence and peace of mind

Every missed alert can have real-world consequences.

The strain of maintaining constant vigilance at scale without holistic visibility and automation is taking its toll on security professionals: 66% report increased stress, and nearly half say it’s the reason they’re leaving the field (ISACA).

The CIO at a professional sports organization says that’s not surprising: “If you don’t know what’s going on, anything could be happening. Operating with that level of uncertainty and control is incredibly stressful.”

AI gives SOCs the power to be proactive by unifying telemetry across network, email, identity, and cloud environments to provide a complete picture and a stronger foundation for action. The benefits for analysts, both personally and professionally, are significant:

• Achieve greater work-life balance: “Knowing that Darktrace has our backs 24/7 and will take immediate action to stop threats  means we can now work normal hours and take vacations without worrying,” says the Chief Digital and Technology Officer.
• Feel in control with deeper insights: “It not only stops and quarantines threats but also provides the deep context we need to quickly investigate and respond,” explains the Head of Security.  
• Gain confidence the business is protected 24/7: “We can sleep at night. With Darktrace I’m confident that even with a small team we can protect the business 24/7,” adds the former retail CIO.

The modern SOC: A system of balance

Elevated to a core pillar of business strategy, the modern SOC is now considered:

• The nerve center of cyber risk and proactive defense
• The AI-powered command center for operational resilience
• The strategic hub for contextual decision-making at scale

The SOC has evolved from a reactive center responsible for managing systems into a proactive, frontline defender and strategic business enabler—integral to innovation and growth.

AI is the key to balancing these responsibilities.

“We can only grow as fast as we can secure the business,” says the Head of Security. “AI gives us the speed, scale, and confidence to do both.”

*Metrics are based on the customer’s interview, data and sourced from its monthly Cyber AI Insights reporting.