Expectations are that the global healthcare market is to pass the US$2 trillion mark in 2020. In South Africa, however, we still struggle with the high costs of private healthcare and the poor services available (and sometimes not available) in public healthcare services.
The global healthcare market has had to adapt to new security demands that cover everything from physical security solutions to prevent unruly behaviour, theft and fraud, through to cybersecurity solutions to meet the demands of keeping health information private and to counteract the more recent spate of ransomware that has hit hospitals – a traditional terrorist tactic of hitting the weakest targets to have the greatest impact.
However, healthcare organisations are under as much pressure as any other company to make the most of their budgets, and as such they are looking to get the most out of every investment they make in terms of security. Organisations with competent management are therefore looking for more than a camera, access control or cybersecurity solution, they want security systems that can do more and assist in daily operations.
Hi-Tech Security Solutions asked a few local security operations to join us around the table to discuss the risks and solutions available to healthcare organisations today. In an effort to get a holistic view of the security posture of hospitals, we invited people in both the cyber and physical security realms. Our guests were:
• Lukas van der Merwe from T-Systems.
• Moshe Blieden from Axis Communications.
• Tim Yen from Hikvision South Africa.
• Quintin van den Berg from Bosch Building Technologies.
• Juan Joubert from Trend Micro.
With such a broad range of expertise in the room, we asked the attendees to start by highlighting what, in their experience, are the primary security concerns in healthcare organisations today.
Trend Micro has a number of customers in the healthcare industry, and Joubert says a major concern is ‘devices’ in hospitals and clinics. By this he means any devices that can connect to the network, from personal smartphones, tablets and laptops, through to other devices used to support the functioning of the organisation or used by personnel in their personal capacity.
The problem is that, as noted, these devices can connect to the network without adhering to the security standards set by the IT department. Not only does the organisation not know about these devices, but they are often not secured and IT can’t always install security software on them because they may not run on an operating system the organisation supports. In addition, devices not under the control of the organisation may not be maintained properly and have the latest firmware updates or security patches installed.
And while access to IT resources is a risk, Joubert also notes that we often see physical access control failures in these institutions that allow people to freely access places they should not be allowed in – the maternity ward or ICU being examples of this. He adds that this lack of physical access control extends to the IT arena as well.
He adds that most users are mobile, especially in the medical industry where moving around is standard. When staff using mobile technologies, and then use them at home, they don’t have the same security processes in place and they become an easier target. It’s important therefore for users and healthcare administrators to ensure that mobile devices are locked down and secured to avoid attacks via a soft target like the user’s home or the free Wi-Fi at a coffee shop etc.
Building on what Joubert said, Van Der Merwe notes that another issue is that many vendors of electronic systems aimed at healthcare institutions are starting to lock down their devices to the extent that active or passive interrogation of those systems is prohibited. This means that security scans or updates can’t be applied.
It’s understandable in the current cybersecurity climate that these vendors are nervous about allowing access to their systems – what if something goes wrong and a patient dies as a result? At the same time, Van Der Merwe notes that it also makes centralised management of devices more complex. And he says there are also those vendors who make little to no effort to secure their systems, which is even more risky for healthcare environments, especially those without their own internal technical skills base.
Van Der Merwe agrees with Joubert about the lack of access controls. Hospitals, for example, are not like corporate environments where everyone working there has their own login identity and their own devices through which they access the network. Computers are often shared and in a busy environment or in a crisis, people are disinclined to log out of someone else’s account and log in as themselves – they simply want access to what they need to do their job.
Yen says that the risks associated with hospitals and clinics is that these are institutions that need to be open to everyone and are not allowed to turn people away, yet they are also increasingly becoming targets. So security technology must be almost invisible to allow the free flow of human traffic, but still function effectively to protect the assets within, be it people, drugs or expensive medical equipment.
The issue of privacy
Privacy has become an issue of global concern, especially in the IT environment where many companies and countries seem to be focused on revoking any privacy rights, but it is also an issue in the physical security environment. Blieden notes that surveillance operations are also under the privacy spotlight and this has led to the development of features such as Live Masking.
Live masking blurs people as they move about under the watchful eye of surveillance cameras. This provides people with some privacy, but also allows authorised security personnel to see what is happening during an event and take action. Blieden says this is a great option for dealing with ‘slip-and-fall’ issues or theft of drugs and so forth, making it a good option for hospitals
And while on the issue of privacy, Van Der Merwe adds that hospitals need to understand the stipulations of GDPR as they will treat EU citizens and their data must be handled in accordance with these regulations. Of course, when the POPI Act comes into force, this will require similar data and security processes.
Efficient data usage
The efficient use of data is a concern for Van Den Berg. He says hospitals have access to enormous amounts of data from various security systems, like surveillance cameras, access control and intrusion systems, but they are not making efficient use of this data. He provides an example of an emergency entrance where an ambulance arrives only to find someone has parked in the wrong place and is blocking its access. Similarly, false alarms are also a challenge when people are in ICU or surgery.
He explains that making use of live data for more than security is not only critical for the efficient functioning of these environments, but the technology is already available, but rarely used to provide live ‘flows’ of information to hospital administrators.
So many operational issues can be simplified by using data and technology already on site, according to Van Den Berg. For example, recognising a car parked in the emergency lane and alerting security; basement flooding can also be recognised early by setting a camera to monitor the level of water in the basement and, again, send out an alert when it is detected. These alerts can be sent to mobile devices where an app can even advise the recipient of the procedures to follow to resolve the situation.
But there is also the problem of too much data that is of little or no use. In the past, the trend has been to install more cameras in the hopes of improving security and collecting more useful data. This is not the correct approach to take, Blieden says. We should be making use of more intelligence from the cameras we have to deliver useful information that can be acted upon instead of installing more cameras. In the future, hospitals will have video surveillance cameras that will capture data continuously to assess risks, generate automatic alerts, streamline processes, and analyse large volumes of data with surgical precision.
However, Yen says that Hikvision has found healthcare companies are generally unaware of the potential of intelligent analytics and how it can help them. The vendors need to assist them in understanding the additional benefits they can obtain from their surveillance, apart from simply video images.
As a simple example, he refers to one hospital that had a guard permanently stationed in a basement parking area to ensure that nobody parked in the areas reserved for ambulances and other emergency vehicles. This is obviously a waste to time. Hikvision replaced the guard with a camera with ANPR (automatic number plate recognition) and this now alerts administrators when an unknown vehicle parks in the wrong spot. This alert can also be sent to the guard, who has been assigned more useful tasks.
Blieden adds that, as we know, security is still a grudge purchase. Therefore, he believes that if security can be made a benefit to the business, being able to help the business in various areas in addition to security, the grudge mentality can be overcome due to the additional benefits the solutions provide. As an example he says queue monitoring or people counting functions (among others) can be provided to hospital management as business intelligence to assist in making decisions.
He also notes that when it comes to budgets, adding ‘non-security’ value often allows budgets from other departments to be used in paying for the solution.
Basically, it’s all about how you use the data you collect on a daily basis. Van Den Berg says that today organisations can integrate technology from multiple vendors into a single management platform. The healthcare organisation can then build its own management dashboard, or various dashboards tailored to the scope of work the user is tasked with, to reflect integrated information that is analysed in near-real time and delivered to the right people when they need it.
This delivers a more efficient and productive environment, even in a hospital scenario where erratic situations are the norm. And with the learning capabilities of technology today, each situation can be included in future analysis to ensure better outcomes.
Amid all the talk of artificial intelligence and deep learning today, what it’s really about is how one uses the data and business intelligence insights delivered in a manner supportive of all the environment’s operations.
It’s worth noting that although many people still see physical and logical security as separate domains, the lines between the two are blurring. Blieden explains that the two can’t exist without the other as they rely on each other to ensure the holistic security of the organisation.
Yen adds that the physical security teams can only ensure their systems are secure, for example via encryption in transit and ensuring their cameras are secure, but they rely on the networks and IT systems from the logical side to work efficiently. At the same time, the physical security teams rely on the IT systems to be secure, once again to ensure the holistic security of the IP systems installed.
Bosch’s trusted platform approach goes even further in ensuring that the physical security setup is secure, according to Van Den Berg. The security processor in Bosch cameras, for example, ensures that data is encrypted and that cameras and recorders can’t communicate with each other unless they have exchanged security certificates to prove they are who they claim. Of course, the same principle needs to be applied to all the IP devices on the network to ensure full data security as one weak link is all that is required to compromise the whole system.
An example of the interoperation between the two teams is provided by Joubert. He says Trend Micro, for example, can provide a data-loss prevention (DLP) solution to a hospital, but the easiest way to overcome these restrictions is for someone to take a photograph of the data with their cellphone. Modern access controls and surveillance analytics can be programmed to detect this behaviour and raise an alert that something unusual is happening.
Technology enforces policy
In a world where it seems technology is the answer to everything, Van Der Merwe makes the point that many often forget, namely that technology is there to automate and enable the policies and processes an organisation has developed for its security and/or operations. A significant problem in the South African market is that these policies are either not in place, not understood, or they are not being enforced. The best technology won’t help in that scenario.
To make technology work, in any industry, and in order to benefit from the combined physical and logical security solutions out there, he says the policy needs to be in place and agreed upon. Once the policy is in place, the technology is there to make it happen. However, if there is not a drive from board level to address security, it’s going to be a problem.
When one considers ransomware, which has targeted hospitals the world over, in some cases leaving the organisations unable to admit patients because their systems were unavailable, Van Der Merwe says it certainly becomes a board-level issue and is about far more than simply losing money. Ransomware is one of the most sinister threats South African companies face (in fact, any company anywhere in the world), but even more so for hospitals where lives are at stake. We can expect more focused attacks in South Africa in the coming year.
The problem, he adds, is that the majority of the people responsible for making decisions that will have an impact on the security of any organisation do not have the insights required to make good decisions. These individuals are good at running a business, but security has never been a part of any curriculum.
When it comes to ransomware attacks, both Van Der Merwe and Joubert agree that paying the ransom is not the best solution. There are a number of reasons for this:
• Firstly the criminals know you are willing to pay so they will come back for more. You’re only safe until someone clicks on the wrong attachment.
• Sometimes they may not even bother sending the decryption key once they have their money.
• Not all criminals are technically as clever as they think they are and we have seen examples of cases where the victim paid, but the decryption keys did not work.
The best way to deal with ransomware, according to Van Der Merwe, is to restore from backups (offline backups ideally). However, it’s not only about restoring from backup.
If hit by ransomware, a company, including healthcare concerns, can find their entire digital ecosystem is compromised and they will need to rebuild it from scratch. If the organisation does not have a tried and tested disaster recovery plan, the process will take longer and be more complex because of the additional work nobody planned for.
So, while prevention is still key in security, your recovery ability (detecting and responding to an attack) is critical. And, as Van Der Merwe says, at some stage you will be hit with an attack of some sort. Waiting until it happens to try and figure out what to do is too late.
Joubert reinforces that disaster recovery includes the technical team as well as the executive team who has to manage the process and keep the business wheels turning.
Convergence is real
While the logical and physical security departments have been separate, and in most organisations are still separate teams, from the round-table it is clear that the two are working together more than ever. The reality is that security today is more integrated than ever before, primarily due to the cyber criminals out there exploiting anything IP-related.
This does not mean either department is obsolete as they both have skills related to the efficient planning and installation of their solutions that are, in reality, not easily transferable. For example, it’s easy to decide on setting up a camera to monitor the entrance of a hospital, but not that simple to ensure that the camera can handle different lighting situations and that it is positioned to obtain the best images that can be used, for example, for facial recognition. The same applies to using facial biometrics to allow access to restricted areas. While giving authorised staff access to a theatre without having to touch a door is a common example, will the solution work in the glare of the theatre’s lighting?
The commonality today is the shared use of IP networks and, in a growing number of cases, using the cloud as opposed to internal infrastructure. And while IP security solutions have become the standard around the world, this commonality is also the common vulnerability that needs constant attention and protection – and effective protection needs the best efforts of your logical and physical security experts.
While much of the conversation at the round-table can’t be included in a short article, it is clear that healthcare security is a vital concern, whether physical or logical security. These organisations are soft targets and therefore need more than the basic security processes if they are to protect their patients, staff and visitors from attacks, whether they come from the real or virtual worlds.
It is also clear that effective security is not a silo approach, but must be integrated. This integration means a consolidated approach that allows these organisations to see their holistic security posture from a single dashboard, as well as integration with operations to improve efficiencies and overcome the negative ‘grudge purchase’ association with all things security.
Hi-Tech Security Solutions would like to thank all the participants for their time and contribution to the discussion.
For more information contact:
|Tel:||+27 11 543 5800|
|Fax:||+27 11 787 8052|
|Articles:||More information and articles about Technews Publishing|
|Tel:||+27 87 701 8113|
|Articles:||More information and articles about Hikvision South Africa|
|Tel:||+27 11 548 6780|
|Fax:||+27 11 548 6799|
|Articles:||More information and articles about Axis Communications SA|
|Tel:||+27 11 651 9600|
|Fax:||+27 11 651 7811|
|Articles:||More information and articles about Bosch Building Technologies|
© Technews Publishing (Pty) Ltd | All Rights Reserved