In today’s heightened threat environment, driven by domestic and geopolitical issues, it is more critical than ever for hospitals to prepare for and mitigate all forms of risk, including both cyberthreats and physical threats to the hospital environment. Both pose a risk to your entire enterprise, so to better manage these intertwined challenges you must make cybersecurity and physical security part of your governance, risk management and clinical continuity framework.

The Physical Security Impacts of a Cyber Event — and Considerations for Response

While the expanded use of networked technology and the electronic exchange of health information offer significant benefits for care delivery and organizational efficiency, this greater connectivity also increases exposure to cybersecurity and physical security threats.

Just as cyberattacks interrupt clinical continuity by disrupting network-enabled medical devices, they also interrupt physical security and business operations. Virtually everything that provides physical security in a hospital is tied to a network, making it vulnerable to an outage caused by a cyberattack (or by other incidents like natural disasters or human error).

How will you maintain continuity of your physical security and business operations if core systems are down for 30 days or more? You need a plan. Essentially, you will need to implement physical measures to stand in for your networked technologies — measures mostly carried out by people. Lots of people.

Here is what you need to consider when the following lose their network connection: 

  • Access control. What do the badge readers on your doors do if they lose their network connection? Do they default to locked or unlocked? If doors default to unlocked, anyone who walks in will have free access to your facility. You’ll need a plan to post door monitors and, for sensitive areas, potentially law enforcement officers. If the doors default to locked, you may need people to facilitate access for authorized personnel.
  • Pediatric monitoring system. You’ll need people to replace technology at the physical access points to the newborn ICU and maternity ward.
  • Drug cabinets. How will your pharmacy team gain access to medications so they can deliver them to patients?
  • Fire alarms. The alarm will sound within the building, but it won’t reach fire or police dispatch. Think about how staff can contact your security team or outside emergency services. They won’t be able to use Voice over Internet Protocol phones.
  • Security cameras. Will your cameras continue to record? Will you be able to monitor them remotely? You’ll need more security officers on patrol.
  • Dispatch. Is your security or law enforcement dispatch system on the network? Is the radio system dependent on the network? What is the plan to provide police and security services in the event of a network outage? 

Secure Network Equipment

Don’t forget the importance of maintaining robust physical security to prevent unauthorized access to infrastructure equipment. For instance, criminals can:

  • Access your network through an exposed USB port or introduce malware through a simple USB drive.
  • Find written passwords that your employees have taped under a keyboard or placed in a desk drawer.
  • Enter an unlocked data center. Remember, if the adversary has physical access to your network, it’s not your network anymore. 

I conducted a security assessment for one organization where not only was the door to the server room wedged open, right behind the front desk — but there, taped to the wall in plain sight, was a piece of paper displaying the newly changed password in large type.

Other attacks on physical infrastructure include the targeting of medical devices such as IV pumps. In fact, the Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency both warned recently about a “‘backdoor’ in the [Chinese-made Contec CMS8000 medical monitor], an ‘easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.’”* Those devices were also sending information back to a university in China, without the knowledge of the hospitals using the device. A device’s altered configuration could threaten patient safety or allow entry into the hospital’s network to collect data and put the hospital at risk.

While we advise regularly monitoring devices for cyber risks, that’s difficult when the devices themselves are insecure. Read this CNBC article to learn more about the Contec equipment cyber risk and what hospitals should do until a software patch is available.

Support for Your Security Efforts from the AHA’s Cybersecurity and Risk Experts

AHA Clinical Continuity Assessment Program

How prepared is your organization to provide safe and quality care and maintain business resiliency for at least 30 days without critical technology? Led by the AHA’s team of nationally recognized health care cybersecurity experts, this comprehensive assessment delivers recommendations across all functions to ensure you can maintain clinical and operational continuity during prolonged outages. Learn more.

Cybersecurity and Risk Advisory Services

Our team offers a variety of strategic cybersecurity and risk advisory services to assist AHA members, many of which are included with your AHA membership.

We are also available anytime, including after hours, at no cost should your AHA member organization need urgent assistance, guidance or introduction to trusted government contacts as the result of a cyber or risk incident.


* Williams, Kevin. “Chinese medical devices are in health systems across U.S., and the government and hospitals are worried,” cnbc.com, Feb. 24, 2025. https://www.cnbc.com/2025/02/23/china-made-medical-devices-are-all-over-us-and-the-feds-are-worried.html  
