Physical security and the healthcare sector
Healthcare data is extremely valuable, so it comes as no surprise that recent security and data breaches at healthcare facilities have been making headlines. Just how valuable is it? Personal health records routinely fetch more than credit card data on the black market. This is why your physical IT infrastructure needs to be monitored, managed and protected, just like your virtual data and network.
Physical security is often overlooked
Many organisations have robust information security – ensuring their internal networks, devices and data are secure – but overlook physical security. This can easily result in breakage, theft and loss of sensitive data and equipment, which undermines all the other security controls you have in place. The consequences can include exposure to financial extortion, damage to your reputation and breaches of your statutory obligations to protect patient privacy.
With this in mind, let’s look at best practice for securing your organisation's physical IT assets and infrastructure.
Protect your physical IT infrastructure
Some basic elements of building security include 24/7 monitoring of physical access to your data centre, perimeter security with dedicated staff, CCTV surveillance and secure perimeter fencing, as well as two-factor card access and/or biometric systems. If you are planning the location of a data centre, choose a building or room with no external walls, and further secure it to minimise the risk of fire and flooding. Maintain a record of all your IT equipment, including serial numbers, and make it compulsory for staff to log any off-site use. Having adequate insurance is also essential.
People are often the weakest link
Organisations may overlook their employees as a potential source of a data breach. Consider running background checks when hiring, and follow up on references for new recruits. When they sign their contract, be sure to include a confidentiality agreement. When it comes to granting access to your IT infrastructure or data centre, this should only be for accredited employees. You should also implement restrictions on removable media and on what is allowed in and out of your data centre. Visitors and vendors should be scrutinised and accompanied by staff at all times. Staff should also be educated to secure their devices – laptops, tablets and smartphones – when they are off-site. And if a device is stolen, ensure you have security capabilities such as remote data wiping in place.
Physical penetration testing
If you are unsure of the integrity of your physical security, you can engage a security consultant to undertake a physical penetration test and/or a physical site security audit. These are real-world assessments of the existing physical security controls in place. They will identify exactly what vulnerabilities exist, so you can remedy the situation and ensure your data and equipment are adequately secured. Implement these measures and you will limit the likelihood of any physical threats to sensitive patient data and your IT infrastructure.