I mentioned operational technology (OT) on a recent DICOM 4 call. Apparently it's a new term to some. It is discussed in a lot more detail in NIST SP 800-82r3, Guide to Operational Technology (OT) Security. They define OT as:
OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.
OT concerns are increasingly recognized as important and different than IT concerns for cybersecurity. The difference is mostly one of emphasis, but this has substantial impact on regulation, processes, and organizations.
In healthcare, like most critical infrastructure, you find both IT and OT. A good example of OT in a hospital is a cardiac catheterization system. IT would be the insurance approval and billing system. An example of the conflicts between IT and OT organizations is the question of when and how to apply security patches. A billing system user might be annoyed when their PC interrupts them with the notice that they have one minute to save their work before the system shuts down and reboots. The IT staff will demand the change and accept the annoyance of the IT users. A cardiac cath system shutdown like that would be fatal for the patient. This leads to an IT vs OT clash, and usually different approaches to managing vulnerabilities and patching.
The NIST guide goes into 300+ pages of more technical details. These details will change and evolve over the next few decades.
DICOM 4 security design needs to consider that its user and customer concerns will encompass both the IT world and the OT world. The details can come later in our discussions, and we need to be aware that technical specifics will be changing over the next few decades. For now, it’s just important to recognize that IT and OT will both be involved and that they are not the same organization and do not have the same priorities.