The Convergence of Physical and Cyber Security in Healthcare: How to Minimize Threats
Leaving an access control badge or an unlocked computer on an unattended desk both pose significant threats to a healthcare facility’s security and overall health.
As the use of social media grows and technologies like cloud computing, machine learning and artificial intelligence continue to advance, the demarcation point between physical security and cybersecurity is blurring. In healthcare settings, physical security is critically important to keeping staff, patients and visitors safe.
Securing and monitoring a facility limits and restricts entry to sensitive areas, reduces loss of goods and equipment, provides life safety event alerts and helps create healthier indoor environments. Each aspect is critical to providing building occupants with the confidence that their security, safety and health are top of mind.
Today, we have programs in place to respond to fire, forced and unforced intrusions, active shooters and other threats. These events are physical in nature – in other words, they can typically be touched, seen or heard. Most of them are captured on video and trigger events which get stored in physical access control systems. But this begs the question: how are we handling the threats we can’t touch, see or hear in our security operations centers, and which also impact the health of our organizations?
In 2020, 92 individual ransomware attacks targeted over 600 separate clinics, hospitals and organizations, as well as more than 18 million patient records, with the cost of these attacks estimated to be almost $21 billion (Comparitech 2021). Cyberattacks are extremely sophisticated and often multi-pronged in nature. These coordinated attacks from unauthorized and/or unknowing individuals bore small openings into critical systems that grow into massive – not to mention costly – problems.
Healthcare Employees Hold the Power, Responsibility
Physical and cyberthreats rely heavily on the people in facilities who play a major role in mitigating these threats. We have all seen the courteous employee hold the access-controlled door open for an unchallenged person to tailgate. In doing so, they have potentially and unknowingly provided access to a possible threat. Similarly, we have all received a phishing email that looked convincingly authentic. If we unknowingly opened and acted on these messages, we could be inviting another unchallenged and unwanted threat into our facility. This isn’t that different from leaving an access control badge or an unlocked computer on an unattended desk. Both pose significant threats and create vulnerabilities to the building’s security and overall health. If someone can gain physical access, it is quite possible they can gain or attempt to gain network access.
In healthcare facilities – especially large ones – another example of a security vulnerability revolves around credentials. Hospitals deploy robust security systems and develop comprehensive security plans, yet many continue to use legacy credential technology that is easy to clone or hack. On the cyber side of security, this is analogous to not using a password complexity policy. Leaving a door unlocked or a device password as the default is essentially the same. Both provide near-effortless entry to your facility and access to occupants and data, which could lead to risk of significant harm, data loss and financial impacts. These are only a few simple and avoidable examples of where the lines of physical and cyber security begin to blur and converge.
More than 90% of all healthcare organizations reported at least one cybersecurity breach over the last three years in the United States (US Healthcare Cybersecurity Market, 2020 – Frost Radar Report). This issue has quickly become front and center for all industries, but healthcare has been targeted disproportionately. Many of these breaches occurred due to employees exposing vulnerabilities through credential harvesting and phishing email attacks which provide access to systems by unknowingly sharing credential information with the attackers. Additional threats of data loss through malware and ransomware also occur, with devices like USB flash drives being installed and loaded onto unoccupied or unlocked computers. Vulnerabilities in the wireless networks of mobile devices can also be exploited.
The good news is that all of this is highly avoidable through proper network provisioning and employee cyber threat awareness training. Controlling both physical and logical access to the areas and systems where patient health information (PHI) is located is essential to prevent unauthorized access. Multi-factor authentication is critical in today’s deployments. Users should be required to use both credentials they have and credentials they know, to confirm their identity before gaining access to networks and systems. Using a physical access control badge at a workstation is the first line of defense, and then a PIN code provided via a confirmed mobile device completes the identification and verification process. Implementing this simple measure will ensure only those that should get access to the system are able to do so.
Include All Departments in Physical and Cyber Security Planning
Seeing and understanding the convergence of physical and cyber security is one thing – truly addressing it at the organizational level is another. First, look at how your organization’s teams are set up and how they work together. Many organizations, even today, still have siloed facilities, security and IT teams. In this environment, all three teams have a small level of input and control over the physical security system. IT may set up the network environment and infrastructure of the physical security system, facilities may manage and service the overall deployment, and security may have limited command and control of the solution. This fractured ownership and oversight can create system use challenges and may even create unintended consequences like security vulnerabilities.
Are the cardholders consistently being assigned appropriate access levels? Is the physical access control system being deployed utilizing AES (Advanced Encryption Standard) 256-bit encryption over TLS (Transport Layer Security) 1.2 or higher? Is the encrypted credential information from access control badges or mobile card readers communicated via OSDP™ (Open Supervised Device Protocol)? Is multi-factor authentication being used to ensure the identity of those signing on to administer these systems? These types of questions are better answered as one collective team. Bringing these teams and the overall system together can significantly increase the resiliency, identification and response to attacks or threats, which leads to an increase in overall security and building health for the entire facility or enterprise.
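One way the combined team could answer the AES-256-over-TLS-1.2-or-higher question for a server it owns, as an added example that is not part of the original article or any vendor's tooling: the script grades the session that Python's `ssl` module reports after a handshake. The function names and sample sessions are constructed for illustration, and the hostname passed to `audit_endpoint` is assumed to be your own access control server.

```python
import socket
import ssl

# Rank the protocol strings returned by SSLSocket.version().
_VERSION_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def evaluate(version, cipher_name, secret_bits):
    """Grade one negotiated session; an empty list means the policy is met."""
    findings = []
    if _VERSION_RANK.get(version, 0) < _VERSION_RANK["TLSv1.2"]:
        findings.append(f"protocol {version} is below TLS 1.2")
    # Cipher names vary by protocol: AES256-SHA, ECDHE-RSA-AES256-GCM-SHA384,
    # TLS_AES_256_GCM_SHA384. Normalise before looking for AES-256.
    normalized = cipher_name.replace("_", "").replace("-", "").upper()
    if "AES256" not in normalized or secret_bits < 256:
        findings.append(f"cipher {cipher_name} ({secret_bits} bits) is not AES-256")
    return findings


def audit_endpoint(host, port=443, timeout=5.0):
    """Handshake with a server you administer and grade what it negotiated."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return evaluate(tls.version(), name, bits)
    except (ssl.SSLError, OSError) as exc:
        # A failed handshake is itself a finding (old protocol, bad certificate).
        return [f"handshake with {host}:{port} failed: {exc}"]


if __name__ == "__main__":
    # Constructed sample sessions, not captured from any real system.
    samples = [
        ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
        ("TLSv1.3", "TLS_AES_128_GCM_SHA256", 128),
        ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256", 256),
        ("TLSv1.1", "AES128-SHA", 128),
    ]
    for session in samples:
        print(session, "->", evaluate(*session) or "meets policy")
```

A session on TLS 1.3 can still miss the AES-256 requirement, because the server may pick an AES-128 or ChaCha20 suite, so the negotiated cipher has to be checked as well as the protocol version.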
This collective group can use the strengths and expertise each team has to offer to construct a comprehensive and well-planned deployment, a critical step in fortifying both physical and cyber security to ensure a holistic security outcome.
If your organization is not able to converge both the physical and cybersecurity teams right away, now would be an ideal time to complete a security assessment. This can be done internally or by working with local security assessment contractors. The assessment can assist in identifying potential threats and in the creation of strategies to mitigate these vulnerabilities. Cyberthreats will only continue to increase in intensity and frequency with potentially devastating impacts, so organizations must confront these threats with a unified team and solution. An integrated approach will maximize the safety, security and health of building occupants and provide them with the confidence that they, as well as their data, are protected.
Doug Coppola is LenelS2’s Director, Healthcare Solutions, North America.