Introduction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside several federal partner agencies, released a landmark joint guide on April 30. The document focuses on applying zero-trust principles to operational technology (OT) systems. The American Hospital Association (AHA) highlighted the release as a critical resource for healthcare organizations navigating growing cyber threats.
This guidance arrives at a pivotal moment. Hospitals and health systems face mounting pressure from sophisticated adversaries. Furthermore, many OT environments in healthcare remain under-protected and poorly monitored. The new guide aims to close that gap.
What Is Zero-Trust Security in Healthcare?
Understanding the Zero-Trust Model
Zero-trust is a cybersecurity framework built on one core principle: trust nothing by default. Every user, device, and system must verify its identity before gaining access — even those already inside a network.
Traditional security models assume that threats come from outside. Zero-trust rejects that assumption entirely. Instead, it treats every access request as potentially hostile. This approach significantly reduces the risk of lateral movement by attackers within a network.
Why Healthcare Needs This Framework
Healthcare organizations hold some of the most sensitive data in existence. Beyond patient records, they also operate critical physical infrastructure. Consequently, a breach can have life-threatening consequences — not just financial ones.
Why Operational Technology Needs Protection
OT vs. IT: A Critical Distinction
Most cybersecurity discussions focus on information technology (IT) systems. However, operational technology presents a separate and equally serious challenge. OT refers to hardware and software that monitors or controls physical processes, devices, and infrastructure.
Unlike IT systems, OT systems often run continuously without interruption. Many also rely on legacy software with limited security patching. As a result, they present attractive targets for sophisticated threat actors.
Growing Exposure in Hospital Environments
Healthcare OT environments have expanded significantly in recent years. Moreover, these systems now connect to broader hospital networks, creating new vulnerabilities that adversaries actively exploit.
Key Components of Healthcare OT Environments
What Falls Under OT in a Hospital
According to the AHA, healthcare OT environments include a wide range of critical systems. These cover alarm management tools, door access controls, energy management systems, HVAC infrastructure, life-safety systems, and physical security platforms.
Each of these systems plays a direct role in patient safety and facility operations. Therefore, a disruption in any one of them can cascade into a broader emergency. Hospitals must treat OT security as a patient safety issue — not merely an IT concern.
What the Joint Guide Recommends
Applying Zero-Trust Principles to OT
The joint guide outlines how organizations can adapt zero-trust principles specifically for OT environments. It acknowledges that OT systems differ fundamentally from enterprise IT. Accordingly, the guidance does not prescribe a one-size-fits-all solution.
Instead, it emphasizes visibility, network segmentation, and continuous monitoring. Organizations should start by mapping all OT assets and understanding data flows. Then, they can apply access controls and monitoring in a way that suits the operational constraints of each environment.
Phased Adoption Over Immediate Overhaul
The guide encourages a phased approach. Immediate full implementation is not realistic for most hospitals. Rather, organizations should prioritize high-risk systems first and build maturity over time. This pragmatic strategy makes zero-trust adoption achievable without disrupting care delivery.
The Threat Landscape: Nation-State Actors
Adversaries Are Already Inside Some Networks
FBI Cyber Division Assistant Director Brett Leatherman issued a stark warning alongside the guide’s release. He stated that nation-state actors are actively positioning themselves on OT networks. Their goal is to gain control over critical physical processes.
These actors move quietly and patiently. Additionally, they exploit the limited visibility that most OT environments offer. By the time an intrusion is detected, the adversary may have established deep persistence within the system.
Why OT Is an Attractive Target
OT systems control real-world outcomes — power, temperature, access, and alarms. Taking control of these systems gives adversaries significant leverage. Furthermore, disrupting a hospital’s physical infrastructure during a crisis could have devastating consequences for patient care.
Layered Defenses as the New Standard
No Single Control Is Enough
Leatherman emphasized a key principle in his statement: resilience in OT cannot come from a single control. Instead, it requires layered defenses that raise the cost for adversaries at every stage of an attack.
This means combining network segmentation, authentication controls, anomaly detection, and incident response planning. Each layer addresses a different phase of the attack lifecycle. Together, they create a defense-in-depth posture that is far more difficult to penetrate.
Building Resilience Before an Incident
Hospitals should not wait for a breach to build their OT security posture. Proactive investment in visibility tools and monitoring platforms pays dividends before, during, and after a cyber incident. Moreover, regular tabletop exercises and OT-specific incident response plans prepare teams to act decisively when threats emerge.
What Hospitals Should Do Next
Start With an OT Asset Inventory
The first step for any hospital is knowing what OT assets exist across its environment. Many organizations lack a complete and current inventory. Without this foundation, applying zero-trust principles becomes extremely difficult.
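As an added illustration of the sequence the guide describes (map OT assets and data flows, then apply deny-by-default access controls and monitoring) and of why the asset inventory comes first, the script below checks constructed flow records against a zone allowlist built from an inventory of the OT categories the AHA lists. This is example code written for this summary, not material from the CISA guide; every address, device name, zone and port is constructed.

```python
# Constructed inventory of the OT categories the AHA lists, each assigned to a zone.
ASSETS = {
    "10.20.1.10": {"name": "hvac-ctrl-01", "zone": "facilities"},
    "10.20.1.11": {"name": "energy-mgmt-01", "zone": "facilities"},
    "10.20.2.10": {"name": "door-ctrl-01", "zone": "physical-security"},
    "10.20.3.10": {"name": "alarm-mgr-01", "zone": "life-safety"},
    "10.30.0.5": {"name": "ot-monitor-01", "zone": "ot-monitoring"},
}

# Explicit allowlist of (source zone, destination zone, destination port).
# Zero-trust posture: any flow not listed here is denied, even inside the OT network.
ALLOWED = {
    ("ot-monitoring", "facilities", 502),        # Modbus/TCP polling by the monitoring platform
    ("ot-monitoring", "physical-security", 443),
    ("ot-monitoring", "life-safety", 443),
    ("facilities", "facilities", 47808),         # BACnet/IP between facilities devices
}

# Constructed flow records, as an OT monitoring sensor or span port might export them.
FLOWS = [
    {"src": "10.30.0.5", "dst": "10.20.1.10", "dport": 502},
    {"src": "10.20.1.10", "dst": "10.20.1.11", "dport": 47808},
    {"src": "10.20.1.10", "dst": "10.20.2.10", "dport": 22},     # HVAC controller to door controller
    {"src": "10.20.2.10", "dst": "203.0.113.7", "dport": 443},   # door controller to uninventoried host
    {"src": "10.40.0.9", "dst": "10.20.3.10", "dport": 443},     # uninventoried host to alarm manager
]

def zone_of(ip):
    """Zone from the inventory; 'unknown' means the asset was never mapped."""
    return ASSETS.get(ip, {}).get("zone", "unknown")

def evaluate_flow(flow):
    """Classify one flow as allowed, denied, or involving an unknown asset."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if "unknown" in (src, dst):
        return "unknown-asset"  # inventory gap: policy cannot be applied, investigate first
    return "allowed" if (src, dst, flow["dport"]) in ALLOWED else "denied"

def triage(flows):
    """Group flows by verdict; 'denied' and 'unknown-asset' form the high-risk backlog."""
    buckets = {"allowed": [], "denied": [], "unknown-asset": []}
    for flow in flows:
        buckets[evaluate_flow(flow)].append(flow)
    return buckets

if __name__ == "__main__":
    for verdict, matched in triage(FLOWS).items():
        print(verdict, len(matched))
```

The "unknown-asset" bucket is the inventory gap the passage warns about: those flows cannot be judged at all until the device is mapped, which is why they belong at the front of a phased rollout.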
Engage Vendors and Clinical Engineering
OT security in hospitals is not solely an IT responsibility. Clinical engineering, facilities management, and security teams must collaborate. Additionally, hospital leadership should engage with OT vendors to understand patching cycles and default security configurations.
Use the CISA Guide as a Roadmap
The joint guide from CISA and its partner agencies serves as a practical starting point. Healthcare leaders should review the document and align it with their existing security frameworks. Furthermore, the AHA encourages hospitals to connect with national resources and peer networks to share threat intelligence.
Conclusion
The release of this joint zero-trust guide marks a significant step forward for healthcare cybersecurity. Federal agencies recognize that OT environments in hospitals represent a critical and often overlooked attack surface. As nation-state actors grow bolder, the healthcare sector must respond with equal urgency and sophistication.
Adopting zero-trust principles for OT is not optional — it is a strategic imperative. Hospitals that act now will be far better positioned to detect threats early, limit damage, and protect the patients who depend on them.
