Myth busted: Physical security is not separate from cybersecurity
Physical security, which includes safeguarding medical devices, machines and paper documents, is often discussed as an element separate from cybersecurity. But while it would be convenient for these functions to be separate, at the end of the day, they're not.
There's a long list of physical items containing patient data that must be protected -- even if the data is offline. Mobile devices, paper documents and thumb drives can all hold patient data, and they are often left exposed.
In just the last few years, the U.S. Department of Health and Human Services’ Office for Civil Rights has settled with a number of organizations that failed to secure or protect physical devices.
CardioNet was fined $2.5 million by OCR, after a company laptop was stolen from an employee’s car. OCR found CardioNet failed to produce any final policies regarding the safeguard of patient information -- including that for mobile devices.
While the massive $3.2 million fine OCR handed to Children's Medical Center of Dallas stemmed from a lack of timely reporting, the underlying breach was caused simply by an employee losing an unencrypted, non-password-protected Blackberry device at a nearby airport. A second breach came four years later, after an unencrypted laptop was lost from its premises sometime between April 4 and April 9, 2013.
These cases highlight the need for not only better encryption policies but stronger physical security mechanisms.
Other industries have already figured out that not only are physical and information security not two separate functions -- physical security and cybersecurity can and should support each other, said CynergisTek CEO Mac McMillan.
McMillan recommended combining the two through the use of physical security information management, which provides a platform to integrate multiple unconnected security applications, controlled by one user interface.
“The tool collects information in respect to that network system and can be used to give a better understanding of what’s going on in the network,” McMillan said. It provides a clearer, more complete picture of the security needs within an organization.
"The mission of a healthcare delivery organization is to both improve and ensure the health and wellbeing of patients," said Dale Nordenberg, CEO of Safety and Security Consortium for Novasano. "Security risks should be assessed holistically to optimize the safety and security of the people that come to their healthcare system."
All cyber risks can rapidly compromise the provider’s environment and control, said Nordenberg. When necessary technology is shut down by a cyberattack, it jeopardizes the provider’s ability to safely care for patients.
A long list of systems running in the background of a hospital could hinder the ability to perform surgeries or serious care, if they suddenly stopped working. It’s not just IT, either. Nordenberg referenced water purity systems, fire controls, temperature maintenance -- including those required to keep medications and biologics protected.
Interruption to power supplies can devastate the doctor’s ability to perform necessary surgeries in the intensive care unit, Nordenberg added.
“Cyber quickly becomes physical in these circumstances,” Nordenberg said.