Opsio - Cloud and AI Solutions

OT Security in Indian Healthcare: Connected Devices, ABDM, and Patient Safety

Reviewed by Opsio Engineering Team
Johan Carlsson

Country Manager, Sweden

AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

The AIIMS Delhi ransomware attack of November 2022 was the most visible demonstration that Indian healthcare is a high-value cyber target - and it exposed how inadequately protected healthcare OT environments are. The attack encrypted hospital servers and disrupted outpatient services, diagnostic systems, and administrative operations for nearly two weeks, affecting an estimated 5,000 patients daily. But AIIMS is a large, relatively well-resourced institution. The vast majority of Indian hospitals - from district-level public facilities to tier-2 private hospitals - operate connected medical devices, building management systems, and laboratory equipment with security controls that fall well short of what patient safety demands. (CERT-In, 2022)

India's Ayushman Bharat Digital Mission (ABDM) is creating a national digital health infrastructure that connects electronic health records, diagnostic devices, pharmacy systems, and telemedicine platforms. This connectivity is transformative for healthcare access, but it also creates pathways between clinical OT (medical devices, imaging systems, laboratory automation) and enterprise IT networks. Where those pathways lack proper security architecture, they are exploitable by the same actors who have targeted healthcare systems in the US, UK, and Germany. (ABDM, 2025)

Key Takeaways

  • The 2022 AIIMS Delhi attack affected 5,000 patients daily for two weeks, demonstrating healthcare OT security consequences.
  • Healthcare OT includes medical devices, imaging systems, laboratory automation, and building management - not just patient data.
  • ABDM connectivity creates pathways between clinical OT and enterprise networks that need security architecture.
  • Medical device security in India is regulated by CDSCO, but cybersecurity requirements are not yet mature.
  • DPDPA 2023 creates specific obligations for health data that intersect with OT systems processing patient information.

What Constitutes Healthcare OT in Indian Hospitals?

Healthcare OT in Indian hospitals spans four domains. Clinical medical devices - infusion pumps, ventilators, patient monitors, dialysis machines, anaesthesia systems - are networked and communicate with electronic health record systems. Diagnostic imaging - MRI, CT, PET, and X-ray systems - use embedded computing with network connections for PACS (Picture Archiving and Communication System) integration. Laboratory automation systems control sample processing, analysis, and result reporting. Building systems - HVAC, access control, fire suppression, and medical gas management - use BMS/BAS controllers that are OT in every meaningful sense. All of these systems share the characteristics that define OT security challenges: long device lifecycles, operating systems that cannot be patched on standard IT timelines, and failure consequences that are measured in patient harm rather than data loss. (CDSCO, 2025)

Indian hospital estates commonly include devices that are ten to twenty years old, running Windows XP Embedded or proprietary operating systems, still in clinical use because the cost and complexity of replacement is prohibitive in budget-constrained healthcare environments. These devices are connected to hospital networks because PACS integration and EMR connectivity are now clinical requirements, not optional features. The combination of old devices and new connectivity creates the same security gap that characterises legacy OT environments in energy and manufacturing - with the added dimension that the assets being protected are not industrial equipment but the systems that keep patients alive.

[CHART: Healthcare OT security domains - clinical devices, imaging, lab automation, building systems - Source: Opsio]

How Is ABDM Changing the Healthcare Cyber Risk Landscape?

ABDM's Health Information Exchange (HIE) framework enables patients to share health records across institutions, diagnostic labs, and pharmacies. For this to work, hospital information systems, laboratory management systems, and diagnostic equipment must connect to the ABDM health data network. These connections create pathways between clinical OT and external networks that did not previously exist. The security of these pathways - authentication, encryption, access controls, and monitoring - determines whether ABDM connectivity enhances healthcare while protecting patients, or creates exploitable attack surfaces. (ABDM, 2025)

ABDM's architecture includes security specifications: API authentication, data encryption, and audit logging requirements for health information exchanges. But the security of the hospital systems connecting to ABDM - the EMR software, the PACS systems, the laboratory information systems - is the responsibility of individual healthcare organisations, and that security is highly variable. A poorly secured hospital EMR connecting to ABDM creates risk not only for that hospital's patients but potentially for the broader health data network.

Telemedicine and Remote Monitoring OT Security

Telemedicine's rapid growth post-pandemic has created new healthcare OT security challenges. Remote patient monitoring devices - glucose monitors, cardiac event monitors, pulse oximeters with data connectivity - collect physiological data and transmit it to clinical platforms. These devices are clinical OT: they support clinical decision-making based on their data integrity. A compromised remote monitoring device that transmits false readings could lead to inappropriate clinical decisions. The security requirements for connected monitoring devices are emerging in Indian clinical guidelines but are not yet systematically enforced. (MoHFW, 2025)

What Does DPDPA Mean for Healthcare OT?

The Digital Personal Data Protection Act 2023 creates specific obligations for organisations processing health data, which is classified as sensitive personal data requiring heightened protection. Indian hospitals and diagnostic centres that collect, store, or transmit patient health data - which includes data from networked medical devices, diagnostic imaging, and laboratory systems - have DPDPA obligations for data protection, breach notification, and data principal rights. OT systems that process patient health data must be designed and operated to meet these obligations alongside their clinical and safety requirements. ([DPDPA](https://meity.gov.in/dpdpa), 2023)

DPDPA's breach notification requirement - notification to CERT-In and data principals within the timeframe to be specified in rules - applies to healthcare data breaches regardless of whether the breached system is classified as IT or OT. A ransomware attack that compromises a hospital's medical device network and accesses patient monitoring data triggers DPDPA notification obligations. Healthcare organisations should ensure that their OT incident response plans include DPDPA notification procedures alongside CERT-In reporting.

How Should Indian Hospitals Approach Medical Device Security?

Medical device security in Indian hospitals requires a systematic programme that addresses both new devices and the large installed base of legacy devices. For new device procurement, security requirements should be part of the evaluation criteria: ask vendors about operating system support, patch policy, authentication mechanisms, and network communication requirements. Many medical device vendors now provide cybersecurity documentation as part of their product information, but Indian procurement teams rarely ask for or evaluate it.

For legacy devices, the approach mirrors compensating controls used in industrial OT: network segmentation to limit which systems can communicate with legacy medical devices, application whitelisting on clinical workstations connected to medical devices, monitoring of medical device network traffic for anomalies, and physical access controls for device connection ports. Most Indian hospitals lack dedicated IT resources for medical device security; a pragmatic starting point is including medical device network segments in existing security monitoring and enforcing strict access controls for device connections.

Building Management Systems in Indian Healthcare

Hospital building management systems (BMS) control HVAC systems critical for infection control, medical gas delivery systems, clean room pressure management, and physical access control. These are OT systems with direct patient safety implications: a compromised BMS that disables negative pressure isolation in an isolation ward, or disrupts medical oxygen supply, creates immediate clinical emergencies. Indian hospital BMS systems are often installed and maintained by facilities management teams with no cybersecurity oversight, creating security gaps that are invisible to the hospital's IT security function.

Frequently Asked Questions

What happened in the AIIMS Delhi cyber attack of 2022?

In November 2022, AIIMS Delhi suffered a ransomware attack that encrypted servers and disrupted hospital operations for approximately two weeks. Patient registration, appointments, billing, and diagnostic reporting were affected. The hospital reverted to manual processes. An estimated 5,000 patients were affected daily. The attack originated through the hospital's IT network and demonstrated the inadequacy of IT/OT boundary security in one of India's premier healthcare institutions. CERT-In investigated the incident, and NIC (National Informatics Centre) supported recovery. The full attack vector details have not been publicly disclosed. (CERT-In, 2022)

Are medical devices regulated for cybersecurity in India?

Medical device cybersecurity regulation in India is developing but not yet mature. CDSCO (Central Drugs Standard Control Organisation) regulates medical devices under the Medical Devices Rules 2017, which include general software requirements but limited specific cybersecurity provisions. A draft Medical Device Cybersecurity Guidelines document has been circulated for stakeholder comment. In practice, Indian healthcare organisations cannot rely on regulatory requirements to ensure medical device security and must specify and verify cybersecurity capabilities as part of procurement. (CDSCO, 2025)

How does DPDPA affect healthcare OT systems?

DPDPA 2023 classifies health data as requiring heightened protection. OT systems that collect, process, or transmit patient health data - including connected medical devices, PACS systems, and laboratory automation - must comply with DPDPA data protection obligations. This includes implementing appropriate technical security measures, breach notification to CERT-In when health data is compromised, and responding to data principal requests regarding their health information. Healthcare organisations should review their OT data flows to identify where patient data is collected and apply DPDPA-compliant controls. (DPDPA, 2023)

What is the most immediate OT security risk for Indian hospitals?

Ransomware crossing from hospital IT into connected medical device networks is the most immediate and impactful OT security risk for Indian hospitals. The 2022 AIIMS attack demonstrated this path. The underlying vulnerability is inadequate network segmentation between clinical device networks and corporate IT systems. Implementing network segmentation that isolates medical device networks from general hospital IT - while maintaining the clinical data flows needed for EMR integration - is the single most impactful security control for most Indian hospitals. (CERT-In, 2022)
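The segmentation described here, and the legacy-device monitoring recommended in the medical device security section, can be checked against flow logs. The following is an added example, not code from Opsio or any ABDM specification: it audits flow records against an allowlist of clinical conduits, and the zone subnets, allowlist and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): these subnets are illustrative only.
ZONES = {
    "med_device": ipaddress.ip_network("10.20.0.0/24"),    # modalities, monitors, pumps
    "clinical_svc": ipaddress.ip_network("10.30.0.0/24"),  # PACS, EMR interface engine
    "corp_it": ipaddress.ip_network("10.40.0.0/16"),       # general hospital IT
}

# Permitted conduits out of the device zone: (src zone, dst zone, protocol, dst port).
# Anything touching the device zone and not listed here is a finding (default deny).
ALLOWED = {
    ("med_device", "clinical_svc", "tcp", 104),    # DICOM to PACS
    ("med_device", "clinical_svc", "tcp", 11112),  # DICOM, alternate registered port
    ("med_device", "clinical_svc", "tcp", 2575),   # HL7 v2 over MLLP to the EMR interface
}

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit(flows):
    """Return flows that cross the medical device zone boundary without an allowed conduit."""
    findings = []
    for src, dst, proto, dport in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone or "med_device" not in (src_zone, dst_zone):
            continue  # intra-zone or unrelated traffic is outside this boundary check
        if (src_zone, dst_zone, proto, dport) not in ALLOWED:
            findings.append({"src": src, "dst": dst, "port": dport,
                             "src_zone": src_zone, "dst_zone": dst_zone})
    return findings

# Constructed flow records (initiator, responder, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.30.0.10", "tcp", 104),   # CT scanner -> PACS, allowed
    ("10.20.0.22", "10.30.0.20", "tcp", 2575),  # patient monitor -> EMR interface, allowed
    ("10.40.3.7", "10.20.0.15", "tcp", 445),    # office workstation -> scanner over SMB
    ("10.20.0.15", "203.0.113.9", "tcp", 443),  # scanner -> internet
    ("10.40.3.7", "10.30.0.10", "tcp", 443),    # IT -> PACS web viewer, not a device flow
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {f['src_zone']} -> {f['dst_zone']} "
              f"{f['src']} -> {f['dst']}:{f['port']}")
```

The allowlist is directional, so a corporate workstation initiating a connection into the device zone is flagged even on a port that devices themselves are permitted to use outbound.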

Do private Indian hospital chains have better OT security than government hospitals?

Evidence suggests that larger private hospital chains - Apollo, Fortis, Max Healthcare, Manipal Hospitals - have somewhat more mature IT and OT security programmes than most government hospitals, driven by their larger budgets and international accreditation requirements (JCI and NABH accreditation both touch on information security). However, even among large private chains, dedicated OT security for medical devices and building management systems is rare. Mid-sized and smaller private hospitals have security postures comparable to or below public sector peers. (NASSCOM, 2025)

Protecting Patient Safety Through Healthcare OT Security

Healthcare OT security is ultimately about patient safety. The medical devices, imaging systems, laboratory automation, and building management systems in Indian hospitals are not abstract IT assets - they are the physical infrastructure that diagnoses illness and keeps patients alive. Protecting them from cyber attack is a clinical responsibility, not just a compliance exercise.

India's healthcare sector is at a critical juncture: ABDM connectivity is expanding the digital health ecosystem rapidly, while cybersecurity maturity in most healthcare organisations has not kept pace. The organisations that invest in healthcare OT security now - building the device inventories, network segmentation, and monitoring capabilities that patient safety demands - will be better positioned to participate in the digital health future ABDM is building without creating the security liabilities that come with inadequately secured connectivity.

