When Physical Intrusions Lead to Digital Breaches
Workers in industries like the healthcare sector might picture cybercrime as something that happens from afar – breaches due to hackers from across town, or around the world. But enterprise security leaders know otherwise: would-be hackers also break into facilities and steal a laptop or other equipment that holds sensitive company information, or plug a device into the network through an unsecured port, such as the one serving an Internet-connected phone.
For that reason, healthcare institutions are pairing increased cybersecurity with tightened physical access through proper identification solutions, other equipment like cameras, and training to prevent social engineering techniques like “tailgating,” where an unauthorized person slips in behind someone who presents a proper ID.
The healthcare sector performs better in this regard than some, such as education, but not as well as others, like financial services; and larger hospital systems generally tend to be more advanced than smaller clinics, says Tom August, chief information security officer at John Muir Health, based in Walnut Creek, Calif. “One of the most important things a CISO can do is to understand that identity management is a big deal,” he says. “If they don’t have identity as part of their program, they’re really missing something.”
A recent joint report from Michigan State University and Johns Hopkins University researchers illustrates the scope of the issue. Their review of 1,150 electronic medical record breaches between October 2009 and December 2017, affecting more than 164 million patients, found that more than half (53 percent) were internal to medical providers, such as unauthorized access or improper disposal, rather than the work of hackers or other external actors.
“You’ve got high-tech, low-tech and no-tech,” says Bryan Warren, director of corporate security for a major healthcare institution and former president of the International Association of Healthcare Security and Safety (IAHSS). “No tech is, once I’m in the building, people aren’t as security-minded about leaving out certain documents that they shouldn’t. At the nurses’ station, there might be something up on a cork board, a medical record, or a DEA provider number of a physician. I don’t have to steal that – I just have to take a picture. All the way up to a data breach, which requires skill and equipment.”
Alan Butler, senior vice president at HSS Inc. and current president of IAHSS, says that a physical breach that leads to a data intrusion would require a combination of circumstances. “The perfect storm would be that you could get into a secured area, get onto someone’s computer because they didn’t log out, or their computer hasn’t timed out, and all of the sudden, you’re into a secured database with access to confidential information,” he says.
With regard to identity and physical security, August is most concerned about physical breaches leading to theft – of a laptop, or drugs, or supplies. “It’s crimes of convenience,” he says. “It’s anything they can flip and make a dollar on.” To guard against resulting data breaches, he suggests “you can encrypt the heck out of everything to make sure we don’t run that risk.” And it’s possible that if a bad actor found an open, unlocked computer terminal, “Susie the nurse might have access to our EHR or other ancillary systems, in which case whoever clicked on it might be able to gain access.”
To prevent quick grabs of information in cases like that, August suggests techniques like preventing the saving of files to USB drives, or blocking sending of attachments to external e-mails. “Worst case, someone could access records, but they can’t take them,” he notes.
Proper ID Management
Warren sees three primary aspects to access control: something you know, like a PIN code; something you are, which can mean a palm scan; and something you have, such as an ID badge. “You look at what type of identification [should be required] based upon the overall risk of the area you’re trying to secure,” he says. “You can combine those to create a higher level of security. Going into the staff entrance just requires a valid ID swipe – it doesn’t require anything higher than that,” while more sensitive areas require other forms of ID.
But that means you need to educate staff about the importance of their ID cards, Warren says. “You need to know where the ID is at all times. Don’t leave it on your desk. Don’t leave it on the dashboard of your car,” he says. And the moment an employee notices their ID is gone, they need to file a report so it can be turned off. “When we investigate, we look at, who does it look like was going into those places?” he says. “Hopefully the camera coverage matches, and we can corroborate.” Otherwise, if your badge was used for an intrusion, “We’re going to bring you in and say, ‘Why did you go into this area at 3 in the morning?’ ”
Memorial Healthcare in Owosso, Mich., takes a similar tack to prevent the theft of information like patient health records, says Jeff Hauk, director, public safety and police authority services. “We try to manage that pretty consistently across the board and always are trying to educate staff in the importance of treating their ID badge just like they would the keys to their houses,” he says. “Lost badges are probably the biggest vulnerability, and then access to badges not secured properly by staff when they’re not at work, particularly those left out in cars overnight. We’ve done a pretty good job educating staff to where, if they’ve misplaced their badge, they automatically notify us, and we can shut it off.”
Memorial has been continuously adding to its camera surveillance footprint to help identify suspicious activity like someone who might be using a stolen or misplaced badge, Hauk says. “In the middle of the night, it would be pretty odd for someone to access the information services area, or the executive suite,” he says. “We do a lot of training on being proactive in our approach, on being observant of the environment and people, trying to present a visible deterrent whenever possible.”
The organization runs reports either daily, weekly or monthly depending on an area’s sensitivity and analyzes “who’s accessing the area and who’s tried to access but had denials, as well as the time of day that the area or location is being accessed. We look for patterns. We try to routinely analyze all that information. If we find something odd or suspicious, we investigate.”
To bring the issue alive for employees, Warren suggests using an example that might not be of greatest concern to security staff but will be easy to understand. “A lot of hospitals allow their ID to be used to charge things in the gift shop and cafeteria,” he says. “You wouldn’t leave your ATM card laying out. You wouldn’t lend it to someone and say, ‘Just give it back to me.’ We’re more concerned about other things than buying food, but it’s a good way to educate line staff.”
Butler says employees need to be aware of sensitive information lying around or on a computer screen that someone could simply take a picture of “in a heartbeat” because “that’s part of the time that we live in now.” While doing a risk assessment of a healthcare system recently, Butler entered a nurses’ station where he was allowed to be, but because the nurse did not know who he was, she immediately covered medical documentation sitting on her desk.
“That’s because she’d been taught and trained the value of that information,” he says. “I noticed it right away. She tried to be discreet about what she was doing. She made sure I could not see that information. I was a surveyor and someone who didn’t have the right to see that information. Quite honestly, there are members of the hospital staff who don’t have the right to see that information.”
Once someone gets inside, an area like medical records probably should require not only the ID but, for example, a PIN code, Warren says. “If you stole my ID, or found it in the parking lot, having that ID, alone, isn’t going to do it for you,” he says, adding that PIN codes should probably be changed every so often. “I’ve seen hospitals where it’s the same PIN code for years and years. It’s a convenience thing.”
Sometimes, it’s necessary to go beyond PIN codes, he says. “Something super top-level, like a server farm, you may even require a third level, some kind of biometric like a palm scan or iris scan.” A hospital might decide to turn off that feature unless there’s a credible threat, like someone losing their ID badge, or a report of a suspicious person, he adds. “It’s like having that deadbolt on your door that you don’t use all the time, but it’s nice to know it’s there.”
But the badge is probably the most important tool to prevent intrusions, including those that lead to cybercrime, Warren says. “Patient information is far more valuable than almost anything else we have, pound for pound,” he says. “The identification badge is literally a master key that you don’t want laying around.” And when someone leaves the organization, voluntarily or especially otherwise, “The very first step should be to take away the ID badge,” he says.
Butler believes that employee separations, whether under good or adverse conditions, pose the biggest opportunity for organizations when managing ID badges. “Make sure you have a very tight process as it relates to employee separations,” he says. “We’re in a dynamic work environment with lots of people coming and going. Organizations must have a structured separation process. … Healthcare organizations may be most susceptible to a data breach from an ex-employee, disgruntled or otherwise.”
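The access-log review Hauk describes above (who entered a sensitive area, who was denied, and at what hour) and the separation and lost-badge controls Warren and Butler stress can be turned into a routine automated check. The script below is an added illustration written for this article, not code from Memorial Healthcare, John Muir Health or any organization quoted; the log format, zone names, badge IDs, business-hours window and the deactivated-badge list are all constructed assumptions. It flags three conditions: a granted entry to a sensitive zone outside business hours, a badge denied repeatedly at one door, and any granted entry on a badge that should already have been shut off because it was reported lost or its holder has separated.

```python
"""
Badge-access log review: after-hours entry to sensitive zones, repeated
denials at one door, and use of badges that should have been deactivated.

Example code added to this article. Everything below (log format, zone
names, badge IDs, hours, deactivated list) is constructed for illustration.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample log: timestamp, badge id, holder, zone, result.
SAMPLE_LOG = """\
2019-03-04T02:57:10 B1042 j.doe IT_Server_Room GRANTED
2019-03-04T09:12:41 B2001 m.lee Staff_Entrance GRANTED
2019-03-04T09:13:02 B2001 m.lee Medical_Records GRANTED
2019-03-04T21:40:05 B3310 r.kim Pharmacy DENIED
2019-03-04T21:40:19 B3310 r.kim Pharmacy DENIED
2019-03-04T21:40:33 B3310 r.kim Pharmacy DENIED
2019-03-05T14:05:00 B0777 a.ng Executive_Suite GRANTED
2019-03-05T03:11:48 B2001 m.lee Executive_Suite GRANTED
"""

# Zones where off-hours entry deserves a second look (assumed).
SENSITIVE_ZONES = {"IT_Server_Room", "Medical_Records", "Pharmacy", "Executive_Suite"}
# Assumed business-hours window; entries outside it are "after hours".
BUSINESS_HOURS = (time(6, 0), time(20, 0))
# Number of denials at one door by one badge that triggers a finding.
DENIAL_THRESHOLD = 3
# Badges that must never be GRANTED: reported lost, or holder separated.
# A working separation process should have disabled these at the reader.
DEACTIVATED_BADGES = {"B0777": "holder separated 2019-02-28"}


def parse_log(text):
    """Parse whitespace-separated badge events into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, holder, zone, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "holder": holder,
            "zone": zone,
            "result": result,
        })
    return events


def is_after_hours(ts):
    """True when the event time falls outside the assumed business window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(events):
    """Return a list of (finding_type, badge, zone, detail) tuples."""
    findings = []
    denials = Counter()
    for e in events:
        granted = e["result"] == "GRANTED"
        # A deactivated badge opening any door means revocation failed.
        if granted and e["badge"] in DEACTIVATED_BADGES:
            findings.append(("deactivated_badge_used", e["badge"], e["zone"],
                             DEACTIVATED_BADGES[e["badge"]]))
        # Off-hours entry to a sensitive zone: odd, per the article, at 3 a.m.
        if granted and e["zone"] in SENSITIVE_ZONES and is_after_hours(e["ts"]):
            findings.append(("after_hours_sensitive", e["badge"], e["zone"],
                             e["ts"].isoformat()))
        if e["result"] == "DENIED":
            denials[(e["badge"], e["zone"])] += 1
    # Repeated denials at one door: a lost badge being tried, or a tailgater
    # probing doors they are not cleared for.
    for (badge, zone), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("repeated_denials", badge, zone, str(n)))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(" ".join(finding))
```

Run against the constructed sample, the script reports the 2:57 a.m. server-room entry, the 3:11 a.m. executive-suite entry, three pharmacy denials on one badge, and a badge whose holder left the organization still opening a door. The last finding is the one to treat as a process failure rather than a user problem: if a separated employee's badge is still granted, the separation checklist Butler calls for is not being completed.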
Guarding Against ‘Tailgating’
There are also cases in which people lacking an ID badge find their way into facilities through stealth, or charm. Such social engineering attempts, known as “tailgating,” can be very challenging to deal with in the healthcare sector in particular, Warren says.
“You can’t spell ‘hospitality’ without hospital,” he says. “In the south, we hold doors for people. We’re taught: be nice. We have to make sure we empower our employees to understand that they’re not a bad person if they don’t hold the door for somebody they don’t recognize. … There’s nothing wrong with having a brief interaction. It can certainly be rolled into their customer service training. We don’t expect them to take immediate action. We don’t expect them to be adversarial. We expect them to ask, ‘Hi, can I help you?’ ”
If the person brushes past them and continues inside, anyway, an employee should call security and report them. “The person said they were heading to radiology, and this is what they were saying,” Warren says, adding that people in labor-and-delivery are especially sensitive given the vulnerability of their patient population. “If you are in the hallway and don’t have identification or a visitor’s badge, they will ask, ‘Hi, can I help you with something?’ If we can take that culture and expand it to other areas, we would be more secure.” Behavioral health is another area that tends to be on top of this, he adds.
Butler agrees that tailgating can be a problem because hospital employees would rather not confront someone, but that training them to politely deter potential bad actors is essential. “How may I help you? I’m sorry, this is not a door open to the public. You’ll have to use Door A to come this way,” he says. “That’s a training process, and it’s a cultural change inside the organization. It starts at new employee orientation. Organizations need to continually help staff understand that there is information that’s not available to the public, it’s protected, and it needs to remain that way.”
Guards need to be trained to recognize phony badges in systems where they’re visual only, August says. “You can make a badge on Photoshop in about five minutes,” he says. “You can do a close enough approximation and take it to Kinko’s and get it laminated, and you’re good to go.” But with electronic badge readers, “You can’t code that very easily,” he says. “You have to have stolen a badge, or the door won’t recognize you. When you put the technical safeguards on top of the visual ones, it’s much more effective.”
And guards can’t be overly polite with people who enter and claim their hands are too full to pull out an ID, August says. “A Starbucks cup is the universal hall pass,” he says. “You can’t be evil; you have a coffee. … That approach falls apart completely where the building is small enough that people know each other, though. Unless you have a good story, you’re not going to get very far.”
Other employees need to be aware as well, August says. “If you don’t know somebody, ask them,” he says. “You do it in a friendly way, but you can raise awareness that some people do try to sneak in.” That enables the person to determine, “Are you who you say you are? Is that a real badge?” John Muir Health does annual training but also mixes in more frequent reminders like articles in weekly newsletters, which in some cases include vignettes about actual experiences that employees write, he adds.
Memorial Healthcare has been ramping up training on tailgating, Hauk says. “We’re trying not to put the handcuffs on people and impede upon the business that needs to occur. We’re trying to make it as smooth as possible without sacrificing safety and security for convenience,” he says. “It goes back to explaining from square one the whys behind our programs, processes and procedures. We want everyone to understand the vulnerabilities they create when they” allow someone in without an ID. “Our staff has become a lot better. If they don’t see a badge on somebody, and they don’t know that person, they’re not asking the question of the person themselves. They immediately report it to public safety.”
That includes paying special attention to people in the parking lot who seem to have been sitting in their vehicles for unusually long periods of time, Hauk says. “We’re making sure we’re checking up with those folks, that they don’t have something else in mind,” he says. “Our officers are trained to utilize an approach that’s security-related but done with a customer-service touch: ‘I see you’ve been here for a while, is there anything I can help you with?’ Usually the answer is no, and then they start up their car and leave.”
Warren recalls an incident in which individuals were showing up at hospitals in California asking where their nuclear laboratories were located. “They didn’t appear to be dressed as employees, they didn’t have ID, they were asking specific questions,” he says. “Why was someone asking where the hot lab is, unless they were trying to get there? They have nuclear isotopes that you could use for all kinds of bad things.”
Bad actors use all sorts of pretexts to gain entrance, Warren says. “They want to get into the building so they can get to that server or get to those drugs,” he says. “They know their target. That’s why it’s so important that we get information in a timely manner. It’s not just the absence of an ID – if something just doesn’t seem right, even if that person appears to have an ID, there’s nothing wrong with calling security to verify that ID. It might be that somebody threw their visitor ID away in the trash, in the parking lot, and I slapped it on my chest.”
“You have a culture of caring, and a culture of wanting to help. That goes right up against the reality of theft, crime and fraud,” August says. “There’s a lot of well-intentioned people, and they’re going to err on the side of caring, as opposed to being critical. They want to believe the world is a better place than it might be. My job is to educate them, not scare them, but give them a little bit of reality in a way they can tolerate. I leverage real examples every chance I get.”