SecurityWeek is reporting that hospitals in the Iran conflict have been targeted with hidden spyware, and the attackers are not just stealing data. They are getting into systems that touch physical operations.
This has been the scenario every OT security practitioner has been predicting for years. The line between cyber and kinetic is gone. It was always fragile. Now it is just obvious.
Hospitals are critical infrastructure. They run on networks of interconnected systems: medical equipment, HVAC, power management, facility controls, infusion pumps, imaging systems. Most of those systems were never designed with adversarial use in mind. They were designed to work. Security was an afterthought, if it was a thought at all.
That is not a criticism of hospital IT teams. It is the reality of how operational technology gets built and deployed. You solve the clinical problem first. The security architecture comes later, layered on top of systems that were never meant to support it.
The 12 to 18 Month Rule
The conflict in the region is demonstrating something important: cyber operations are now woven into warfare from day one. Not as a support function. As a primary weapon. The physical and digital are the same fight.
That matters beyond the conflict zone. Techniques that get validated in active warfare find their way into criminal and espionage operations within 12 to 18 months. That is the historical pattern. Stuxnet showed up in criminal toolkits. NotPetya techniques got repurposed. The tools used against Ukrainian infrastructure showed up in ransomware playbooks. There is no reason to expect this cycle to be different.
Whatever is being used against hospitals in that conflict right now is coming to a broader target set. The only question is when.
The Flat Network Problem
Most hospital networks are flat or lightly segmented. A compromised workstation in the billing department can reach a medical device controller on the same VLAN. An attacker who gets in anywhere can move laterally to the systems that matter most.
This is not unique to hospitals. It is the same problem in manufacturing plants, utilities, water treatment facilities, and building automation systems. The devices that control physical processes sit on networks that were designed for connectivity, not containment.
When spyware gets into a hospital network and starts reaching physical systems, it is not exploiting a sophisticated vulnerability. It is walking through an open hallway.
Assume Breach. Enforce Anyway.
The question is not whether your sector is a target. Every critical infrastructure operator is a target. The question is whether your security posture assumes breach will happen, or whether it is still hoping prevention alone holds the line.
Prevention matters. Patching matters. Access control matters. None of it is enough on its own. The attackers hitting hospitals in active conflict zones are not stopped by perimeter controls. They are in the network, moving laterally, reaching operational systems, before anyone knows they are there.
The answer is enforcement that works from the inside. Inline, at the traffic level, between devices that should not be talking to each other. No agents. No network redesign. Something that controls what can reach what, automatically, without waiting for an analyst to notice something is wrong.
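As an added illustration (not code from the article or from PacketViper), the block below models the two points made above: the billing-workstation-to-device-controller hop that a flat network permits, and a default-deny "what can reach what" policy enforced at a choke point between zones. The zone addressing, the allow list, the port numbers and the sample flows are constructed assumptions for the example, not values from the article; the `nft_ruleset` function renders the same allow list as an nftables forward chain so the policy can be compared against what an inline enforcement point would actually apply.

```python
"""Zone-based east-west policy check for a hospital network (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: assumed addressing for the example, not a real site.
ZONES = {
    "it-business": ip_network("10.10.0.0/24"),  # billing / admin workstations
    "clinical-ws": ip_network("10.20.0.0/24"),  # imaging and nursing workstations
    "med-devices": ip_network("10.30.0.0/24"),  # infusion pumps, modality controllers
    "facility-ot": ip_network("10.40.0.0/24"),  # HVAC, power, building controls
}

# Default-deny allow list: (src zone, dst zone, proto, dst port).
# Anything cross-zone that is not listed here is blocked.
ALLOW = {
    ("clinical-ws", "med-devices", "tcp", 104),   # DICOM to an imaging modality
    ("clinical-ws", "med-devices", "tcp", 2575),  # HL7 over MLLP
    ("it-business", "clinical-ws", "tcp", 443),   # EHR web front end
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is not in any zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def decide(flow: Flow):
    """Return ('allow' | 'deny', reason).

    Traffic inside one zone is allowed; traffic between zones is allowed only
    if the exact (src zone, dst zone, proto, port) tuple is on the allow list.
    """
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "unknown" or d == "unknown":
        return "deny", f"unmapped address in {flow.src}->{flow.dst}"
    if s == d:
        return "allow", f"intra-zone {s}"
    if (s, d, flow.proto, flow.dport) in ALLOW:
        return "allow", f"{s}->{d} {flow.proto}/{flow.dport} on allow list"
    return "deny", f"{s}->{d} {flow.proto}/{flow.dport} not on allow list"


def evaluate(flows):
    """Evaluate a batch of flows; returns (flow, verdict, reason) tuples."""
    return [(f, *decide(f)) for f in flows]


def nft_ruleset(table: str = "inet", name: str = "eastwest") -> str:
    """Render the allow list as an nftables forward chain with policy drop.

    Only flows that cross the enforcement point are subject to these rules;
    traffic that stays on one L2 segment never reaches the forward hook.
    """
    lines = [
        f"table {table} {name} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for s, d, proto, port in sorted(ALLOW):
        lines.append(
            f"    ip saddr {ZONES[s]} ip daddr {ZONES[d]} {proto} dport {port} accept"
        )
    lines.append('    log prefix "eastwest-deny " drop')  # log what the policy blocks
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows: the billing-to-controller hop from the text plus normal traffic.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "10.30.0.7", "tcp", 502),     # billing workstation -> device controller
    Flow("10.20.0.4", "10.30.0.7", "tcp", 104),      # imaging workstation -> modality (DICOM)
    Flow("10.10.0.15", "10.20.0.4", "tcp", 443),     # billing -> EHR front end
    Flow("10.10.0.15", "10.40.0.9", "udp", 47808),   # billing -> HVAC controller
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print(nft_ruleset())
```

On a flat network every one of the sample flows would succeed; with the zone policy in place only the two listed clinical flows are allowed, and the billing-to-controller and billing-to-HVAC flows are dropped and logged at the choke point rather than discovered later by an analyst.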
The hospital floor is not a hypothetical anymore. It is a current event. And the techniques being used there will be used elsewhere. The organizations that are ready are the ones that stopped treating the interior of their network as trusted ground.
Francesco Trama is the founder of PacketViper.