Effective Incident Response in Healthcare OT

17.03.2026

Across Australia, both regulators and healthcare organisations increasingly accept a difficult reality: not every cyber incident can be prevented. As healthcare environments become more interconnected, operationally critical, and complex, the emphasis has shifted from pure prevention toward readiness and effective response.

This shift is clearly reflected in Australia’s regulatory landscape. Incident response planning now appears consistently across healthcare-relevant frameworks, including the Australian Cyber Security Strategy, guidance from the Australian Signals Directorate, operational technology regulations, and state audit findings covering public sector and health services. These publications repeatedly instruct organisations to develop, implement, and test cyber incident response plans.

What remains far less clear is what effective incident response actually looks like in healthcare environments, particularly where operational technology, clinical systems, medical devices, and patient-critical infrastructure are involved.

Compliance Does Not Equal Capability

Through our involvement in incident response engagements across Australian healthcare, ThreatDefence has repeatedly observed the limitations of a compliance-focused approach to incident response planning. While an Incident Response Plan is intended to provide a structured framework for managing cyber incidents, it is only effective when decision-making is supported by appropriate technical capability.

Healthcare incident response is uniquely challenging. Clinical systems, medical devices, building management systems, laboratory automation, imaging platforms, and other OT-style infrastructure operate under strict safety, uptime, and regulatory constraints. Many of these systems cannot be patched rapidly, cannot support security agents, and cannot be taken offline for investigation without direct clinical impact.
When a breach occurs, organisations often discover that their existing security tooling—whether SIEM, XDR, NDR, or a combination—provides only a partial view of events. Logs may be available for some systems but not others. Network visibility is frequently incomplete. Identity activity is only partially captured. OT and medical systems generate little usable telemetry, and vendor access paths are often insufficiently monitored.

As a result, decision-making during an incident becomes slow, conservative, and uncertain—precisely when clarity and confidence are most needed.

Uncertainty Is the Core Incident Response Risk

In healthcare OT incidents, uncertainty is often more damaging than the technical breach itself. Within days of an incident, executive leadership, regulators, insurers, and clinical stakeholders inevitably ask the same fundamental questions:

- What was the initial point of compromise?
- How long was the attacker present in the environment?
- Which clinical, operational, or supporting systems were affected?
- Was data exfiltrated — and if so, what data?
- How can we be confident the attacker has been fully removed and cannot return?

These questions are not theoretical. They directly influence patient safety decisions, service continuity, regulatory notifications, public communication, and recovery strategy. Yet in many incidents, healthcare organisations cannot answer them with confidence. Instead, they are forced to rely on cautious language reflecting the absence of evidence rather than confirmed facts.

Australia has already seen high-profile examples where this uncertainty later proved costly.
During a well-known breach at a large ASX-listed healthcare company in October 2022, public statements evolved as additional evidence emerged:

- 14 October 2022: “…We have still found no evidence that customer data has been accessed.”
- 17 October 2022: “Our ongoing investigation continues to show no evidence that any customer data has been removed from our IT environment.”
- 20 October 2022: “The criminal also claims to have stolen other information… This has not yet been verified by our investigations.”
- 25 October 2022: “It has become clear that the criminal has taken data that now includes Medibank customer data.”

As is now well understood, the incident ultimately resulted in a significant data breach involving a large volume of patient records.

Why Healthcare OT Amplifies Incident Response Risk

One of the least appreciated realities in modern healthcare is how easily a single connection can undermine even well-designed security controls. Hospitals operate as tightly coupled ecosystems: workflows span departments, systems rely on shared data, and clinical equipment depends on networks that were never built with isolation in mind. As a result, segmentation in healthcare rarely behaves the way diagrams suggest — boundaries exist on paper, but clinical requirements continually pull them back together.

Attempts to isolate systems often fail for a simple reason: care depends on connectivity. Imaging must deliver results to the EMR in real time, pathology must feed into prescribing systems, and theatres depend on schedules and patient identifiers coming from outside their own networks. When segmentation disrupts these flows, the pressure to restore connectivity is immediate. Over time, these exceptions accumulate until the network regains the shape it had before — interconnected, permissive and full of trust links no one intended to create.

This is also why the healthcare attack surface is so difficult to see.
Many of the pathways that reconnect segmented networks are not documented as “security exceptions”; they emerge naturally from clinical operations, vendor configurations or one-off integration decisions made years earlier. Hospitals routinely discover that different systems share authentication stores, service accounts or routing rules that were never mapped centrally. These hidden bridges give attackers lateral movement options long before defenders are even aware the paths exist.

Ultimately, the healthcare attack surface is defined not by devices or subnets, but by the relationships that bind them together. Connectivity is what makes modern healthcare efficient — and what makes it exposed.

Evidence as the Foundation of Incident Response

Effective incident response — particularly in healthcare environments that combine IT, OT, and clinical technology — depends on evidence. Evidence replaces assumption with facts. In this context, evidence consists of correlated, high-fidelity records that allow responders to:

- identify the initial compromise vector
- track attacker movement across IT, OT, and clinical systems
- determine which systems and identities were accessed
- assess whether data or operational integrity was impacted
- validate containment and recovery decisions.

Without this evidence, organisations are forced into speculative decision-making. Discussions become driven by hope rather than analysis — an untenable position in environments where patient care, regulatory compliance, and public trust are at stake.

Based on real incident response experience, effective healthcare OT incident response requires practical, non-negotiable capabilities. These capabilities include:

Live DFIR on Endpoints and Servers
The ability to collect forensic data, investigate processes, and search for compromise indicators across IT and clinical systems at scale.
Network Detection and Response (NDR)
Continuous visibility into network traffic, including east-west movement between IT, OT, and clinical systems. Network evidence is particularly valuable because it cannot be bypassed through endpoint evasion.

Cloud and SaaS Visibility
Audit and API logs from cloud platforms supporting clinical, administrative, and operational workflows must be captured and correlated.

Integrated SIEM Capability
Centralised correlation across identity, endpoint, network, cloud, and application telemetry — not isolated alert streams.

Unified Data Model
Evidence from IT, OT, DFIR, and network sources must exist in a single analytical context to support rapid investigation and timeline reconstruction.

Attack Surface Awareness
Understanding which systems, services, and access paths are exposed at any given time — including vendor and remote access pathways.

Dark Web and Access Market Monitoring
Visibility into credential exposure, access sales, and adversary targeting provides early warning and valuable investigative context.

Threat Intelligence Relevant to Healthcare and OT
Intelligence must reflect real attacker techniques used against healthcare and critical services, not generic indicators.

Retrospective Investigation Capability
The ability to search historical telemetry for newly identified indicators without rebuilding evidence manually.

Continuous Monitoring During Response
Incident response does not pause the threat. Continuous monitoring is required throughout investigation, containment, and recovery.

Together, these capabilities allow healthcare organisations to move from compliance-driven response plans to evidence-driven response execution.

From Regulatory Compliance to Operational Confidence

Australian healthcare organisations increasingly meet incident response requirements on paper. Plans exist, roles are defined, and governance is documented. This satisfies regulatory expectation, but it does not guarantee operational readiness.
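As an added illustration of the Unified Data Model and Retrospective Investigation capabilities described above (example code written for this page, not ThreatDefence tooling): records from a vendor VPN gateway, an identity provider, an EDR agent and an NDR sensor, each in its own native shape, are normalised into one schema, ordered into a single timeline, and then searched for newly learned indicators so the dwell-time and scope questions can be answered from evidence. All hostnames, accounts, addresses and hashes are constructed.

```python
from datetime import datetime, timezone

# Constructed sample telemetry: four sources, each in its own native field layout.
RAW_EVENTS = [
    {"src": "vendor_vpn", "time": "2026-03-01T22:05:00Z", "user": "svc-imaging-vendor",
     "client_ip": "203.0.113.7", "gateway": "vpn-gw1"},
    {"src": "idp", "when": "2026-03-01T22:09:30Z", "account": "svc-imaging-vendor",
     "target": "pacs-app01", "result": "success"},
    {"src": "edr", "@timestamp": "2026-03-01T22:14:12Z", "hostname": "pacs-app01",
     "image": "unknown_tool.exe", "sha256": "deadbeef01", "user": "svc-imaging-vendor"},
    {"src": "ndr", "ts": 1772422800, "src_host": "pacs-app01",           # epoch seconds
     "dst_ip": "198.51.100.23", "bytes_out": 734003200},
    {"src": "ndr", "ts": 1772422860, "src_host": "emr-web02",            # benign flow
     "dst_ip": "10.20.5.14", "bytes_out": 4096},
]

def _iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# One normaliser per source maps native fields onto the unified schema:
# ts (UTC datetime), host, identity, ip, hash, detail.
NORMALIZERS = {
    "vendor_vpn": lambda e: dict(ts=_iso(e["time"]), host=e["gateway"], identity=e["user"],
                                 ip=e["client_ip"], hash=None, detail="vendor VPN login"),
    "idp": lambda e: dict(ts=_iso(e["when"]), host=e["target"], identity=e["account"],
                          ip=None, hash=None, detail=f"auth {e['result']}"),
    "edr": lambda e: dict(ts=_iso(e["@timestamp"]), host=e["hostname"], identity=e["user"],
                          ip=None, hash=e["sha256"], detail=f"process {e['image']}"),
    "ndr": lambda e: dict(ts=datetime.fromtimestamp(e["ts"], tz=timezone.utc),
                          host=e["src_host"], identity=None, ip=e["dst_ip"], hash=None,
                          detail=f"flow to {e['dst_ip']} ({e['bytes_out']} bytes)"),
}

def build_timeline(raw_events):
    """Normalise every record into the shared schema and order chronologically."""
    events = [dict(NORMALIZERS[e["src"]](e), source=e["src"]) for e in raw_events]
    return sorted(events, key=lambda ev: ev["ts"])

def retro_search(timeline, iocs):
    """Re-run newly identified indicators over retained telemetry, all sources at once."""
    return [ev for ev in timeline
            if ev["identity"] in iocs.get("identity", ()) or ev["ip"] in iocs.get("ip", ())
            or ev["hash"] in iocs.get("sha256", ())]

def investigate(raw_events, iocs):
    """Derive first/last sighting, dwell time and affected hosts from matched evidence."""
    hits = retro_search(build_timeline(raw_events), iocs)
    if not hits:
        return None
    return {"first_seen": hits[0]["ts"], "last_seen": hits[-1]["ts"],
            "dwell_seconds": int((hits[-1]["ts"] - hits[0]["ts"]).total_seconds()),
            "hosts": sorted({h["host"] for h in hits}),
            "identities": sorted({h["identity"] for h in hits if h["identity"]})}
```

With the constructed data, an indicator set containing the vendor service account, the external destination address and the file hash yields a 5 h 35 min dwell window spanning the VPN gateway and the PACS server, while the nurse workstation flow is correctly left out of scope.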
When a real incident occurs, the limiting factor is rarely process. It is the ability to establish facts quickly in environments where visibility is constrained and intervention carries risk. In OT-heavy healthcare settings, uncertainty persists because systems were not built to explain their own behaviour under attack.

As clinical and operational technologies continue to converge, effective incident response depends less on predefined playbooks and more on the organisation’s ability to observe, understand, and verify what is happening in real time.

Author: Anton Guzhevskiy, Head of Product - ThreatDefence