Today, I’d like to talk a little about hospital network security and point to a story about a hospital incident in which three key principles of hospital network security are illustrated.
As you may know, technical controls are sometimes illustrated with physical descriptions in order to help the non-technical person understand the concept. A firewall, for example, existed as a physical representation that everyone understood to be the wall that stopped a fire from moving through a building. This term later illustrated the purpose of a technical device blocking unwanted traffic from the Internet.
Last fall, at San Francisco General Hospital, an incident occurred in a very real and consequential way when a patient went missing and was found 17 days later after having passed away in a rarely used exterior hospital stairwell. So many of the hospital procedures can be applied to technical matters to illustrate how security principles operate and contribute to efficient business operability.
One of the key components to proper network security is continuous monitoring. If the hospital had included the stairwells in a regular walk-through of the grounds, the patient would have been recovered. Too often, companies leave gaps in the areas that they monitor. Too much emphasis is placed on perimeter network monitoring but they don’t monitor internal systems because they are, well, internal. This method is faulty because you miss critical events that are right under your nose. Another common occurrence is that network event logs are gathered but no one looks at them in a timely fashion. Regular monitoring of all critical points within an organization is imperative if you hope to identify important event before it’s too late.
Another issue illustrated in the story is the need to have proper training and maintenance of security controls. When the patient went missing, the hospital eventually checked the security video footage. However, when they tried to access the footage, it was not working and had to be sent out to a vendor for repair. If a company invests in key security controls, such as video monitoring and proximity card readers, their working order should be verified daily. It is too common to discover that a tool installed for its intended purpose is not utilized properly and staff is not trained to operate it. Perhaps if the footage had been available, the patient’s location could have been determined sooner.
Another important security issue that was paralleled in this story is a properly working incident response plan, with appropriate follow-up procedures in place. Had the hospital had proper procedures in place in the event of an incident, then it wouldn’t have taken nine days for the first grounds search to be ordered. After the incident was reported, not all personnel were properly briefed, also causing delay in resolving the issue. The hospital personnel also failed to escalate issues as they were reported. Employees had reported that a person was seen and noises were heard in the stairwell, however, the patient was still not found for four more days. Companies should conduct periodic incident response drills in order to test escalation procedures and reporting procedures. The failure to test these procedures usually contributes to delays when real-world incidents occur.
Don’t wait until an incident strikes to realize your network security measures aren’t adequate. Be proactive in your incident response plan and maintain current and relevant policies and procedures to avoid an incident like this one. Email me at firstname.lastname@example.org for help regarding improving your security measures.
Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.