OT/IT Convergence in Private Healthcare: From Cyber Exposure to Operational Confidence
- Irina Lindquist

Australian private healthcare is operating in a risk landscape that is shifting faster than its technology foundations. Clinical demand is rising, asset portfolios are expanding, and digital dependence is increasing across both clinical and operational workflows. At the same time, the attack surface has widened dramatically, spanning connected medical devices, building automation systems, vendor remote access, cloud platforms and multi-site networks.

The scale of exposure is now undeniable. In FY 2024-25, the Australian Cyber Security Centre (ACSC) responded to over 1,200 cyber-security incidents, an 11% increase from the prior year¹, and recorded more than 84,700 cybercrime reports, averaging one every six minutes². The Office of the Australian Information Commissioner (OAIC) logged 1,113 data-breach notifications in 2024, the highest on record and a 25% increase on 2023³.
For executive teams, this is no longer a problem contained within ICT. It is a continuity-of-care, operational-risk and governance challenge, and the structural fault line often runs between Operational Technology (OT) and Information Technology (IT).
The burning platform: why OT/IT separation is no longer viable
Boards increasingly recognise the importance of cyber-security, but few have fully absorbed the reality that building systems, plant, medical devices and vendor gateways are part of the same risk surface as enterprise ICT.
Recent ACSC reporting highlights that criminal and state-sponsored groups are actively targeting organisations that operate critical infrastructure and sensitive datasets, including healthcare⁴. In parallel:
- Digital health programs (EMR modernisation, real-time operations, virtual care, RTLS, building automation) assume a degree of upstream systems coherence that rarely exists across a multi-site portfolio.
- ESG, sustainability and resilience commitments depend on clean, reliable plant and environmental data.
- Mixed-age facilities, legacy acquisitions and diverse vendor ecosystems create unpredictable integration, cyber and operational risk.
The practical impact for executives is a set of persistent, systemic pain points:
- Unplanned outages or system degradation in theatres or critical areas linked back to building services or vendor-controlled plant.
- Conflicting operational metrics (bed occupancy, patient flow, theatre throughput) depending on which system is queried.
- Cyber-uplift projects uncovering unsegmented OT networks, unsupported PLCs, unmanaged vendor access and medical or building devices outside patch governance.
- Capital allocation decisions made with incomplete, inconsistent or unverified data, especially across multi-site portfolios.
This reflects the same structural gap explored in Bringing Buildings to Life: Where OT Meets IT, but amplified in healthcare, where patient safety, accreditation and reputational risk converge.
From dashboards to decisions: restoring confidence in your data
Nearly every healthcare organisation has dashboards. Very few have data they can confidently make decisions with.
Executives increasingly raise the same question:
If I make a decision based on this dashboard, how certain am I that it reflects reality?
In many cases, uncertainty is justified, because the data supply chain is fractured long before analytics and reporting layers get involved.
Common points of failure include:
- Bed and patient-flow data relying on unaligned timestamps across nurse-call, tracking and EMR systems.
- Theatre utilisation metrics dependent on disconnected scheduling, sterilisation, building and equipment data.
- Asset, maintenance and lifecycle planning relying on BMS or plant telemetry that is either ungoverned, inconsistent or unavailable.
- Environmental monitoring and infection-control indicators that depend on interfaces between clinical, ICT and plant systems that were never designed to interoperate.
National work on interoperability reinforces this challenge. The Australian Digital Health Agency’s National Healthcare Interoperability Plan 2023–2028 reports significant progress, with 18 of 44 national actions completed and many others ahead of schedule⁵, yet the greatest barriers remain data consistency, standards and cross-system governance. Similar challenges are reflected in ongoing research on Australian health datasets and interoperability maturity⁶.
This is why the shift from dashboards to decisions matters. Confidence comes not from more visualisation, but from a coherent, governed data pipeline extending from devices → systems → integration → data models → governance → decisions.
Until that pipeline is reliable, dashboards remain fragile abstractions.
What OT/IT convergence means for private healthcare
OT/IT convergence is not about team restructuring or merging technologies for aesthetic reasons. In healthcare, it represents an operating-model realignment that establishes:
- Unified governance for OT, IT and clinical technologies
- Shared cyber-security frameworks covering plant, building systems, medical devices and remote access
- Common data standards for timestamps, events, naming conventions and identifiers
- Coordinated vendor and third-party management, reducing hidden risk and configuration drift
- Portfolio-wide visibility across risk, capability, lifecycle status and integration debt
In short, convergence enables technologies to operate as a coherent ecosystem, rather than an inherited patchwork.
This is not about wholesale replacement of systems. It is about the disciplined alignment required to deliver safe, predictable, resilient operations, especially in mixed-age, multi-site estates.
What recent national signals tell us about the risk environment
Several current indicators point to an escalation in systemic risk:
- The ACSC’s Annual Cyber Threat Report 2024–25 confirms rising cyber activity, with a continued increase in healthcare-related incident reports and exploitation of vulnerabilities in connected devices and industrial systems¹,².
- OAIC reporting shows a record volume of notifiable breaches, with healthcare consistently among the most impacted sectors³.
- Recent sector analysis indicates that cyber-attacks on health organisations — including hospitals, specialists and general practices — continue to rise, frequently originating through third-party access, legacy platforms and connected operational systems⁷.
Although public reporting often focuses on data theft, the same conditions that enable breaches, such as uncontrolled remote access, unsegmented networks, unpatched systems and device sprawl, also create operational fragility across plant and clinical environments.
Why a consolidated and unified technology blueprint matters
In this environment, a technology blueprint becomes a critical governance tool. It sets out the rules of engagement for technology across the entire organisation, not as a roadmap of aspirations, but as the operational logic for how the healthcare business runs.
A credible blueprint for private healthcare:
- Defines the enterprise architecture for OT, IT and clinical technologies, enabling interoperability and resilience across the portfolio.
- Integrates cyber-security by design, treating plant, medical devices and building systems as core components of the organisation’s security posture, not exceptions.
- Establishes data standards that eliminate drift and create a trustworthy foundation for operational and clinical decision-making.
- Provides portfolio-level visibility of risk, maturity, asset condition and integration complexity, enabling evidence-based prioritisation.
- Connects technology to operational outcomes, ensuring investments improve flow, safety, resilience, sustainability and workforce efficiency.
This is not about building “smart hospitals” in the marketing sense. It is about building the conditions for dependable operations in a complex healthcare environment.
Where the healthcare sector goes next
The national direction is clear: more interoperability, more integrated operations, more reliance on real-time data and connected systems.
For private healthcare organisations, the challenge is not whether to converge OT and IT but whether the operating model, governance and portfolio strategy can keep pace with the sector’s accelerating digital and operational complexity.
OT/IT convergence is best understood not as technology modernisation, but as risk stabilisation.
Because ultimately, the question for executives is not whether systems are innovative but whether the organisation can protect its people, trust its data and operate with confidence.
References
1. Australian Cyber Security Centre. Annual Cyber Threat Report 2024–25. Cyber.gov.au.
2. Australian Signals Directorate. Cybercrime in Australia: 2024–25 statistics. Cyber.gov.au.
3. Office of the Australian Information Commissioner. Record year for notifiable data breaches. OAIC.gov.au, 2024.
4. Australian Signals Directorate. Threat Update on Targeting of Critical Infrastructure Sectors. ASD.gov.au, 2024–25.
5. Australian Digital Health Agency. National Healthcare Interoperability Plan 2023–2028: Progress Update 2024. digitalhealth.gov.au.
6. CSIRO Australian e-Health Research Centre. Australian Health Data Interoperability Research Reports (2024–2025).
7. CyberCX. Cyber Attacks Against Australian Health Organisations: Sector Threat Assessment 2024–25.