Designing a (Cyber) Secure Healthcare Environment

Most everyone would agree that the biggest cybersecurity risk for healthcare is within the digital world of information security, with the storage of patient information and the transmission of patient records. These networks must have security measures in place to detect anomalies and malicious users, and to control the flow of data to keep it safe.

Yet given that the healthcare industry is trusting in nature due to the fact they are comprised of treatment centers – with humans present for surgeries, death, injuries and illness, all of which requires a lot of foot traffic within this trusting environment – the need for physical security is on the rise to not only keep patients physically safe, but also to protect their digital identities that are in the hands of the facilities. Social engineering – or the training of healthcare workers to accurately recognize potential threats and effectively protect against these threats – is an effort that has been neglected but may be more important than ever.

There’s so much of a focus on protecting the technology through technological means, there has been a shift away from physical security and little focus on social engineering as means to keep hospitals safe from hackers. As healthcare facilities build new space or renovate existing space, the safeguarding of medical technology, as well as the importance of physical security and social engineering, can be enhanced through foresight within the design.

Healthcare organizations, from top leadership down, need to take the security of its information technology seriously, and healthcare designers need to be aware of this and can even help to emphasize this as they create medical spaces.

When considering new spaces or renovating existing spaces, executives must think at both the macro- and micro-levels of the organization. Hospitals must create their facilities with both the physical and virtual realities in question. The need for having information security at the top of this development is mandatory. For instance, the more data you bring to the internet, such as digitized patient records, robotic surgeries and medical devices, just to name a few, the more need exists to secure this information. Designers need to be thinking of these issues – in addition to more “traditional” cybersecurity requirements – when creating healthcare spaces.

With patients and their families potentially wandering the halls, the opportunity exists for a potential hacker to blend into the foot traffic. Healthcare organizations can combat this by installing proactive cameras, securing door-locking mechanisms, hiring 24/7 security guards and installing alarm systems that limit entrance to the facility at off-peak hours. Designers that understand these risks ahead of time can incorporate these physical features into the planned space, as well as create areas that are less prone to nefarious activity, by offering long and wide sight lines and limited access to areas that might host technological equipment.

In fact, designers should ask questions up front about any needs the IT department of the organization might have to better handle both the technological threats and the physical threats to cybersecurity. Here are some questions to consider as healthcare organizations embark on a new design or a redesign of part of their facilities:

• How do patients, employees and visitors utilize the physical infrastructure?
• What kind of access do patients, employees and visitors have to the available technology resources?
• Are there redundant and secure methods of communication and data transfer?
• Does the hospital receive a lot of VIPs, which might require adding an extra layer of security on both the physical and digital assets?
• How much patient and sensitive data is flowing within the digital infrastructure?
• In a natural disaster, what is the maximum capacity the hospital can hold?
• Does the hospital have a secondary disaster recovery site for the technology side of the business?

Finally, and perhaps most importantly, IT departments within healthcare organizations should do their part to bring information security awareness to the board of directors and the executive branch within their facilities to enforce change throughout the organization around IT and information security. They should create a realistic budget to keep technology up to date and secure from threats, and point out that skimping on this budget in the present could potentially lead to exponential costs in the future as the result of a data breach. Cyber liability insurance is only as good as the level of security within the organization.

We are constantly advancing within an interconnected world with artificial intelligence, augmented/virtual reality and quantum computing possibilities presenting themselves as new progress in the realm of healthcare. Who really knows how the medical industry is going to evolve or what new technologies an individual healthcare organization might need? The best decision for an organization within healthcare is to create high-tech, robust facilities at the foundational level so they can be ready and adapt to the ever-changing industry. Designers can incorporate these philosophies to ensure that the medical facilities they are creating can handle the organization’s current cybersecurity challenges – and be ready to tackle the future ones too.

Photo courtesy of Vulsec.