Market Report: New Attack Vectors in Healthcare

July 14, 2016
SD&I July 2016 Cover Story: With violence down in hospitals and cyber attacks on the rise, the role of the traditional security integrator in this market is rapidly evolving

Workplace violence — once the cornerstone of healthcare security — may not be the first thing a hospital security director is worried about in today’s climate.

It appears, in fact, that the physical security measures deployed by integrators in hospitals and other facilities have contributed to a marked downturn in violent crime. The 2016 Healthcare Crime Survey, conducted by the International Association for Healthcare Security and Safety (IAHSS) Foundation, analyzed 263 U.S. hospitals and found that violent crime — which includes murder, rape, robbery and aggravated assault — declined by more than 67 percent between 2014 and 2015.

“Hospitals, in general, for the past five years at least, have spent an extraordinary amount of time, energy and resources on working towards reducing workplace violence,” says Karim Vellani, CPP, CSC, the study’s lead author and President of Threat Analysis Group, LLC. “Those efforts could very well be paying off.”

Today, perhaps the most feared threat confronting the healthcare landscape concerns data protection. “It doesn’t have as direct an impact — it isn’t an active shooter after all — but the long-term damage that can result from a data breach in healthcare can be just as debilitating financially as an active shooter can be to a facility,” says Bryan Warren, Director of Corporate Security for Carolinas Healthcare System — the second-largest public not-for-profit healthcare provider in the U.S., with 43 hospitals, more than 900 locations in the Carolinas and 70,000 employees.

Of all the customers that security integrators serve, healthcare clients are the ones protecting perhaps the most valuable of data — Protected Health Information (PHI), which can include anything from basic identifying information like Social Security numbers to detailed Electronic Medical Records (EMR). “In healthcare, the value of the information is just so high; in fact, EMR are worth 8 to 10 times the value of credit card information,” Warren explains.

“Your Electronic Medical Record never expires and can’t be canceled,” Warren adds. “If you steal my credit card number, you’re only going to use it until I find out about it; Electronic Medical Records are used over the course of an entire lifetime.”

Thieves can use PHI in many different ways. According to Warren, they can use it to get drugs under a person’s name and diagnosis, and then resell those drugs. They can use it to buy medical equipment that is then resold. They can use it to get free healthcare: if someone needs surgery and doesn’t have insurance, the criminal can sell the EMR to that person, who then uses it to get the procedure on someone else’s insurance. “The theft of laptops containing unencrypted medical records is an ongoing problem and one of the top categories of HIPAA disclosures to DHHS,” says Tim McElwee, President of Proficio, a managed IT security services provider.

While the traditional security integrator may not be the initial go-to source for data breach prevention, if they are not considering data protection when they are working with a healthcare customer, they will be doing them a disservice.

“With so many regulatory considerations and huge consequences if there’s a data breach, we’re seeing a lot more focus on data management — not only on the cyber side, which is really its own science, but on the physical security side as well,” Warren says. “Anyplace that deals with where medical records are stored is right up there with the emergency department, behavioral health, and labor and delivery as far as security-sensitive areas in a healthcare setting.”

The Role of the Integrator

In attempting to answer the question of what the role of the security integrator is in healthcare data protection, you will find many different responses depending on the source: traditional physical security integrator, IT security specialist or healthcare end-user.

For Bill Bozeman, President and CEO of the PSA Security Network of integrators, the role involves acceptance, adaptation, education and communication. “Step one for the physical security integrator is to accept the fact that cybersecurity is an important issue that must be dealt with — the integrator needs to build cybersecurity education, processes and services into their business plan,” Bozeman explains.

“Step two is getting the integration company employees educated on the potential risk and possible solutions available to the integrator community for cybersecurity as it is related to the healthcare community,” he adds. “Step three is communication to the healthcare organization of the cybersecurity policies and procedures both the integrator and the chosen manufacturer of the security products have taken to protect the facility as best as possible from a potential cybersecurity breach.”

“Health data networks must upgrade their security — this includes building a skilled and trained team of information data security professionals who can monitor for attacks and maintain a current, protective firewall,” says Dr. Kirsten Hoyt, Academic Dean with University of Phoenix College of Information Systems and Technology and co-director of the University of Phoenix Cybersecurity and Security Operations Institute.

Obviously, the security integrator’s responsibilities have evolved nearly as quickly as the threats have. That said, according to Warren — who is on the front lines of the problem — physical security remains a cornerstone of an effective IT security posture. “The IT security folks need to understand that the virtual security that they provide is incredibly important, but at the same time, the physical and operational solutions that security integrators can provide are just as important,” Warren says. “You can have all the best VPNs and firewalls and malware protection in the world, but that’s not going to stop a person from walking in the back door with a thumb drive. A lot of times the IT guys forget about the old-school security measures.”

Data Security Meets Physical Security

“Integrators can start by focusing on reducing the attack surface to make it more difficult for attackers, while reducing reliance on detection software,” says James Maude, Senior Security Engineer at Avecto, a provider of cybersecurity software solutions.

“If a data center calls an integrator and asks for help with security, they probably aren’t asking for pure software to protect virtual networks against malware and antivirus and firewalls — they are asking for physical security,” Warren says. “The integrator’s challenge at that point is to not only look at the building, but to also look at the threats that the customer perceives need to be mitigated by working with the integrator.”

Thus, while recommending cybersecurity software or a managed service provider is a major aspect of data protection — and a key one as the security integrator endeavors to be a trusted security resource for the customer (be sure to direct them to the American Hospital Association’s cybersecurity resource area at www.aha.org/advocacy-issues/cybersecurity.shtml) — a major part of protecting against a data breach is protecting the areas that house the data from a physical standpoint.

Warren says it is incumbent on the integrator to educate the end-user about the potential risks, whether they come from hanging a new camera on a network or from a physical threat. “What I found personally is if they can take real-world examples it is very effective,” he says, “like recommending restricted access in a particular area because three years ago in a similar facility, an employee used a particular type of entryway door to gain access and it caused a major security breach. The customer sees you as someone who knows what they are talking about, and it gives the integrator credibility that they understand what the end-user is trying to protect.”

To take that a step further, Warren warns that integrators themselves must stay vigilant when inside the healthcare facility doing the actual work, as that is among a facility’s most vulnerable moments. “Not only do the integrators need to have the endgame in mind, but when they are actually on site doing the work they need to educate themselves and their subcontractors that some basic security will have to be taken down in order to install the new technologies — and that’s an opportunity for the bad guys. A lot of subcontractors may not realize that.”

Finally, the security of the devices that integrators hang on the network themselves is paramount. “Physical security devices can be used by attackers to pivot into a network, so it is important that security integrators have a good grasp on their own security — as they are potential targets for attackers trying to gain access to their larger clients,” Maude says. “Alternatively, they could be integrating systems into networks that are already infected with malware, so it is crucial that they are confident in their own security to avoid being held to ransom themselves for a client’s mistake.”

The Ransomware Threat

While malware and related cyber attacks have not traditionally been the purview of physical security integrators, the convergence of physical and IT security means the lines are being blurred. Thus, to gain a complete perspective on the security posture and problems of healthcare facilities — and to be their trusted security advisor — security integrators must be aware of the ransomware threat.

“One of the most devastating trends is ransomware — hackers infiltrate systems, often via phishing attacks, and use malware to appropriate credentials that allow them to go wherever they need to find unprotected sensitive and PHI data, which they hold hostage using encryption before demanding money in exchange for restoration of access,” explains Suni Munshani, CEO of Protegrity, an enterprise data security provider.

The FBI says ransomware attacks have increased so much that companies have already paid more than eight times as much in ransom payments so far in 2016 as they did in all of 2015. Ransom demands vary, but an example is Hollywood Presbyterian Medical Center, which was attacked this February and was reported to have paid $17,000 in Bitcoin after negotiations during which nearly 1,000 patients had to be relocated to other hospitals.

“These new threats especially leave those in the healthcare industry perched between a rock and a hard place as they struggle to balance limited IT resources and teams relatively new to the sophisticated skills required to securely democratize data, with the need to keep data accessible to the users who require it,” Munshani explains. “Organizations are seeking an approach flexible enough to enable critical access without making themselves an easy target for bad actors — but this requires a culture change and an adherence to best practices from those working in the industry.”

So where do security integrators fall into the ransomware prevention equation? There are three ways to take an active role for your healthcare client:

1. Be a resource: According to a recent survey of 1,138 companies across a variety of industries conducted by KnowBe4, 90 percent said security awareness training is the most effective way to mitigate the ransomware threat. As your healthcare provider’s trusted security resource, integrators should encourage their healthcare clients to maintain a strong culture of prevention when it comes to opening email attachments and other potentially malicious files. Additionally, regular patching and other IT security methods should be top-of-mind, including software solutions that integrators can offer to help mitigate the risk.

“If we examine the research around cyber threats, it is clear that removal of admin privileges, application white-listing and regular patching can defend against the majority of attacks, yet many organizations fail to implement these measures,” Maude says. “Endpoint sandboxing technologies proactively resolve this issue by isolating dangerous websites and email attachments away from the corporate data in order to prevent the attack in the first place.”

2. Take a role in backup systems: Integrators should also encourage and take an active role in preparing their healthcare clients for attacks of this kind with proper backup systems. “Backup systems are an essential part of any disaster recovery plan, but can’t simply be installed and forgotten — they must be tested and secured,” Maude says. “Imagine if backups are encrypted, or a crisis situation where it might take weeks to recover corrupted data. Security integrators must be aware of how important robust backups are, but also need to make clients aware that they should not be used as a defense strategy — only as a measure of last resort.”

3. Secure the solutions: Third, and perhaps most important to the security integrators themselves, IP-based physical security solutions must be secured. That means changing default passwords and controlling how the devices interact with the healthcare provider’s network resources. “The most common ransomware attacks occur through email attachments and malicious websites targeting desktop machines, but there is a growing concern that ransomware could begin targeting CCTV and physical security platforms,” Maude says. “In the past, attackers have exploited known weaknesses in DVRs to install Bitcoin mining malware with increased connectivity — and it could only be a matter of time before ransomware appears on these platforms.”

Paul Rothman is Editor in Chief of Security Dealer & Integrator (SD&I) magazine. To access the current issue and digital archives, visit www.secdealer.com.