Addressing The Physical Security Flaws In Hospitals
How secure are healthcare facilities against physical threats? While most conversations around healthcare security focus on cyber threats, the importance of physical security often gets sidelined. Yet, in an environment where patient data, medical equipment, and operational integrity are paramount, neglecting physical security could be a critical oversight. A recent advisory from the U.S. Department of Health and Human Services (HHS) has brought this issue into focus, urging healthcare providers to step up their physical security measures to prevent breaches that could compromise patient safety and privacy.
The Persistent Threat of Physical Breaches in Healthcare
The healthcare sector faces unique challenges when it comes to security. Facilities like hospitals and clinics are not just places where sensitive data is stored; they are also environments where access is critical, and operations must run smoothly 24/7. This dual need for openness and security creates vulnerabilities that can be exploited if not properly managed.
From 2020 to 2023, over 50 significant breaches were reported involving the theft of computing devices within healthcare settings, affecting more than a million individuals. These incidents underscore the reality that physical security is not just about protecting premises but also about safeguarding devices that store unencrypted patient data. Stolen laptops, tablets, or even paper records can lead to severe data breaches, just as damaging as any cyberattack.
Despite these risks, only about 7% of security decision-makers in the healthcare sector consider physical threats a top priority. This gap in prioritization leaves facilities vulnerable to various physical security threats, including unauthorized access, theft, vandalism, and even environmental threats like fires or natural disasters that can disrupt operations.
I would like to emphasize that the lack of security in hospitals goes far beyond cyber security and data theft / compromise. Attackers or bad actors with physical access within hospital restricted areas can do, and have done, everything from compromising patient records and stealing or damaging equipment to stealing children, and much more.
Unique Physical Security Challenges in Hospitals
Hospitals face unique challenges when it comes to physical security, largely due to their nature as dynamic, open environments that must balance accessibility with protection. I have worked with many hospitals all over the world, and these are some of the most difficult buildings / complexes to secure because of how they operate and who needs access.
Here are some key reasons why securing these facilities is particularly complex:
Busy and Chaotic Environments: Hospitals are often bustling with activity, making it difficult for security personnel to monitor everyone effectively. The high volume of foot traffic, combined with the urgency of medical situations, creates a chaotic atmosphere where unauthorized individuals can more easily blend in.
High Number of Personnel and Third-Party Staff: Hospitals employ a vast array of staff, including doctors, nurses, administrative workers, and various third-party contractors such as cleaning crews, maintenance workers, and IT personnel. This mix of permanent and temporary staff complicates the task of tracking who is authorized to access specific areas, increasing the risk of breaches.
Open Access for Visitors and Civilians: Unlike other secure environments, hospitals routinely allow civilians, such as patients’ family members and friends, unrestricted access to many areas of the facility. This open-door policy makes it challenging to differentiate between authorized and unauthorized individuals, posing a significant security risk.
Patient Access to Workstations: Patients often have access to rooms equipped with computer workstations that may contain sensitive information. These workstations are often left unlocked or unattended for extended periods, providing opportunities for unauthorized access to electronic protected health information (ePHI).
Sensitive Areas with Multiple Entry Points: Hospitals contain numerous sensitive areas such as pharmacies, labs, and data centers, each with multiple entry points that need to be secured. The necessity for quick and easy access in emergencies can sometimes lead to lapses in securing these points effectively.
Equipment and Data Theft: The high value of medical equipment and the presence of sensitive data on portable devices, such as tablets and laptops, make hospitals attractive targets for theft. The frequent movement of devices within the facility exacerbates this risk, as a nurse who notices a missing device will likely not immediately assume theft.
Visitor and Patient Mobility: Patients and visitors move freely throughout the facility, often crossing into areas that should be restricted. This movement complicates the enforcement of access controls and requires a more nuanced approach to monitoring.
Hospitals are Complexes: Modern hospitals often are not a single building, but a sprawling complex of hallways, buildings and locations. This means that a weakness anywhere within the complex can be extremely difficult to pinpoint. For example, I have used a Wi-Fi extender on top of a parking garage to get onto a hospital network, which would be extremely difficult to catch and pinpoint.
These challenges underscore the need for comprehensive physical security measures tailored specifically to the unique operational realities of healthcare environments. But I will admit that hospitals, because of all the reasons above, create some of the most complex and difficult facilities to secure in the world.
From a physical security perspective, put yourself in the mind of an attacker and ask how you could abuse such an environment, what you could actually accomplish, and how you would go about it. This “Attacker Mindset” is important for every offensive security professional to develop because it is the first step to discovering actual vulnerabilities and then finding methods to resolve them.
That said, I imagine people can come up with some pretty sinister attack vectors and goals of what an attacker could potentially do here, which underscores why it is so important to help hospitals recognize these vulnerabilities and fix them.
Lessons from Enforcement Actions: The Cost of Non-Compliance
Failure to implement robust physical security measures can lead to substantial penalties. For example, a prominent healthcare provider faced a $3.5 million settlement with the HHS Office for Civil Rights after an unencrypted laptop containing patient information was stolen from an employee’s vehicle. This incident highlights the need for stringent physical security measures to prevent unauthorized access to sensitive data.
The penalties for non-compliance with HIPAA's physical security requirements are not just financial. They also include damage to reputation, loss of patient trust, and the potential for long-term operational disruptions. As healthcare providers increasingly adopt digital solutions and interconnected devices, the physical security of these assets must keep pace.
Conclusion: A Holistic Approach to Healthcare Security
The push by the HHS for improved physical security in healthcare serves as a reminder that protecting patient data and even their lives goes beyond firewalls and encryption.
The various risks involved with having bad actors or attackers in certain areas of a hospital create the potential for everything from patient data theft to actual lives lost. It is very important that these facilities get the assistance needed to increase their security.
Unfortunately, as with all crime these days, attacks and criminality against hospitals are also on the rise and therefore need to be continuously addressed.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2-day course on how to set up and run a physical security audit
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2-day course on how to recognize and prevent elicitation attempts and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.