Brad Bonavida

In a 28-State Hospital System, One Phone Call to the Nurses' Desk Opened Up the Network for Attack

June 16, 2026

Mike MacMahon, now Director of the Intelligent Building Studio at Newcomb & Boyd, was once a network architect for a healthcare system with hospitals across 28 states. At NexusCon 2025, he described the moment that changed the way he thinks about OT cybersecurity. Sitting in his CIO's office, he was trying to explain why he couldn't safely onboard a fleet of FDA-certified anesthesiology machines running Windows XP (no antivirus, no hardening) onto the corporate network. The machines were headed for operating rooms. The CIO didn't believe that the devices posed a cybersecurity threat.

MacMahon decided to prove his point then and there. He picked up the phone, dialed the hospital operator, asked for the nursing station at 5 East, and introduced himself as Tom from the help desk. He had a ticket to support them with their broken printer. He just needed the person logged in to step off the machine for a minute so he could log in as them and clear it. The nurse handed over her username and password on speakerphone, in front of the CIO and the deputy director.

MacMahon wasn't trying to imply that the nurse was being negligent; the nurse has too many other important things to think about. The point was the network architecture that existed at her desk. A help-desk voice on the phone was enough for access, and on a flat hospital network, that one set of credentials reached the same network that the new anesthesiology machines were about to be plugged into.

Our buildings are littered with unprotected OT devices just as this story describes, and operational technology runs the physical world. In a hospital, that means chilled water, life-safety equipment, and whether anyone can be admitted during an event. A cyber failure on the OT side can show up as an unusable operating room.

MacMahon's takeaway came down to ownership. Cybersecurity in buildings is the thing everyone in the industry assumes someone else owns, so nobody owns it.


