Bryan Warren, Director of Corporate Security, Carolinas HealthCare System
While hospitals do not typically present a primary target for terrorism or criminal action (although in certain specific circumstances they do have that distinction) all healthcare facilities, regardless of their size and scope, have several areas that can be considered “security sensitive”. In this context, such Security Sensitive Areas (SSAs) refer to certain departments or areas of the facility that are more likely to suffer from security related problems than others. These “hot spots” are especially vulnerable for numerous reasons including exposure to potentially malicious actions, patient populations, presence of valuables or materials of interest, etc. These areas can include, but are not limited to emergency departments, labor and delivery/pediatric units, behavioral health units, pharmacies, business offices / cash handling areas, nuclear source material storage areas and any other areas within the facility that may have specific issues due to critical facility infrastructures and/or confidential information, such as IT / IS departments.
Emergency departments (ED) require constant surveillance by security and law enforcement personnel during a disaster or public health emergency, as this is the primary “hot spot” for most hospitals. Security assets are typically concentrated in these units, including personnel, access controls and CCTV and alarm systems. Long term presence of behavioral health patients, forensic prisoner patients being treated 24 hours a day, gang activity, acts of violence and potential response to public healthcare issues such as contamination events and patient surges keep the ED a very busy and strategically important asset. Labor and Delivery/Maternity areas present special concerns from a healthcare security perspective. Aside from the possibility of infant abductions, these units are prime areas for domestic disturbances and family quarrels, especially during increased times of anxiety and stress. Add to this the fact that an injured child often results in many more overnight visitors than adult patients and these areas can present a real security challenge when a community wide disaster occurs. Likewise, due to a specialized patient population, Behavioral Health units also have unique security concerns. Many patients in these areas have conditions that can cause them to be irrational or have violent reactions to others with little or no warning as well as constant concern over elopement attempts or patients attempting to harm themselves should an opportunity become available (such as a distraction of staff or an increase in patent to caregiver ratio that can occur during a public health emergency). Due to the presence of narcotics and other controlled substances, pharmacies have always been a security sensitive area of any healthcare facility, as are any business offices or areas that receive payments. Such areas are primary targets of criminal activity. Other areas of a hospital that may not appear as critical to the public but can have a negative impact upon the operation of the facility should illegal activity occur are IT data centers, hazardous materials storage areas and infrastructure control centers.
"One way in which IT and operational security programs can better work together is to formalize routine meetings"
Confidentiality is a huge concern in any healthcare facility. To ensure consistency and to meet the many requirements of the the Health Insurance Portability and Accountability Act (HIPAA in the US, similar laws exist in other countries), healthcare providers must closely guard the security of certain records. Confidential information whether patient-related, staff-related, or financial in nature can include hard copy or electronic files and the potential misuse of such data could be related to a variety of criminal and other malicious acts, which is why extraordinary precautions must be taken to protect such data. Medical records for example have a long shelf life as far as ongoing criminal activity is concerned (you can’t just cancel a medical record like you can steal a credit card number). The medical records provide long term gains with very little risk and significant anonymity to the one illicitly using the information and offer a far better financial yield than other types of stolen information (you can sell the contents of the medical record and keep a copy to obtain fraudulent prescriptions, which you can then resell for even more profit).
Similarly, with the increased threat of terrorism present, many areas that previously were not considered security sensitive are now being reexamined, such as mechanical rooms, communications centers and other critical infrastructure departments of the hospital. Any issues, which affect systems such as telecommunications, utilities, or IS /IT equipment can have a disastrous effect upon patient care and the ability to treat those in the community. This includes sources of potentially dangerous raw materials for the creation of a radiation dispersal device (RDD), or “dirty bomb” due to the presence of sometimes significant amounts of certain isotopes of interest. Special programs, such as the National Nuclear Security Administration’s Office of Radiological Security (ORS) are being used to limit such threats by “hardening” of certain key areas inside of hospitals and other potential sources of such material throughout the world. The US Department of Homeland Security has created several best practices and guidelines for securing and reporting suspicious activity in and around such areas. During a dynamic event, such as a public health emergency, many first responders and local law enforcement (as well as your own security forces) may be otherwise engaged and the opportunity to exploit such security sensitive areas, (for either profit or sabotage) increases exponentially without a dedicated guardian or physical security countermeasure to protect such assets.
Having described many of the “security sensitive areas” in the healthcare environment, the opportunity for collaboration between operational and IT security professionals is not just in the creation of policies and procedures, but more so in understanding the many ways in which each of their respective functions impact one other and how together IT and operational security are at the forefront of enabling business continuity even during an adverse event. An attempted hack of a healthcare organizations critical systems or electronic medical records database can be incredibly damaging from a financial and branding perspective, but no less so than an active violence event or sabotage/vandalism that impacts the ability of the organization to provide patient care. Both types of incidents are equally important from a risk mitigation perspective, but each of these events requires a different skill set to adequately prepare for and mitigate should they occur. One way in which IT and operational security programs can better work together is to formalize routine meetings while the “weather is good” and not in response to an event that has just occurred and many may be seeking someone to blame rather than identifying what factors may have led to the incident. Just as CCTV and access control systems rely upon the “backbone” of the IT infrastructure to communicate and function properly in an organization, so should operational and physical security leaders rely upon the “backbone” of our IT security partners to ensure the smooth flow of information and to work together to prepare for any adverse events, be they cyber related or more physical in nature. Public sector and private sector partnership is a hot topic right now in the security and law enforcement communities. However, we should first have solid relationships internally between the IT and physical and operational security divisions before attempting to negotiate outreach efforts to the public sector, and that starts with an understanding and mutual appreciation of the importance of each of these responsibilities.