Healthcare Cybersecurity Best Practices: Don’t Forget About the Physical Side of Digital Security


Like many other market sectors, the healthcare world was forced into cybersecurity adjustments and advancements by the COVID-19 pandemic. For example, it was suddenly not a good idea to use touchscreens and keypads to identify users and gain access. At blinding speed in some cases, IT professionals have worked to deploy new solutions — some of which had been in process already or were being used in other industries, and some of which were completely new.

 

With these technology advancements, it has become more important than ever to identify physical and digital/logical security weaknesses and be proactive about mitigating them to keep staff, patients and visitors (and their personal data) safe.

 

Evolving cybersecurity best practices are especially important in healthcare settings, because hospitals and other healthcare venues are technology-heavy, super-sensitive to privacy, and carry unique potential for harm when technology fails.

 

Jeff Broz, Prime Communications Inc. VP of Infrastructure Operations, pointed out that these concerns are particularly important in the growing world of the healthcare Internet of Things (HCIoT). “There is typically a well-established process for adding new devices to an enterprise network. The challenge is that the technology is changing so quickly, that keeping up is a daunting task for the IT security team.”

Healthcare cybersecurity: What could go wrong?

Some cybersecurity breaches are legendary in the healthcare world, such as ransomware attacks and hacking through environmental controls. In a worst-case scenario, a nefarious actor can take down an entire network, locking users out or injecting viruses, causing gaps in patient monitoring and care.

Especially with some of the beefed-up collaboration technology being used through the pandemic to electronically replace in-person patient and family touchpoints, an increased number of potential breaches can deprive caregivers of access to vital information about their patients.

“It is pretty straightforward,” Broz said. “When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

This healthy fear of gaps in care has even led to an unhealthy avoidance of updating systems for some organizations. However, using legacy systems with only partially effective updates eventually results in more potential cybersecurity issues and — you guessed it — gaps in a hospital’s control over care. When word gets out about gaps in care, it can affect an institution’s ability to maintain its reputation and compete against institutions that allocate time and money to proper updates and upgrades.

Increased use of smart devices complicates cybersecurity, Broz pointed out, because they often do not include embedded security when they are acquired and implemented. This can lead to human error, from poor configuration to incomplete user protocols. It’s great to have devices such as smart pumps available to monitor distribution of pharmaceuticals, and many healthcare institutions have implemented them. However, do IT teams really understand the vulnerabilities that come along with such devices?

This matters in part because hackers are getting smarter. A number of breaches have occurred in recent years through laptops accessing environmental systems. IT and security staff now have a better understanding of how those breaches happened, but for a variety of reasons they don’t always take comprehensive steps to mitigate such possibilities in their own systems.

 

According to a Verizon data breach report, 59% of healthcare institution data breaches come from internal actors, whether intentional or unintentional. This often happens due to problems with un-segmented networks or missing security controls. In cases where damage is intentional, it can happen because credentials are too easy to steal, among other things.

Of course, if you oversee security or information technology in a healthcare institution, you have no doubt done your research and know all of this. If you are like many organizations, you have put cybersecurity protections in place and you are ready for the next attack. However, also like most healthcare institutions, you may have forgotten about or too-lightly addressed one particular area of cybersecurity: physical deployment and maintenance.

Broz puts in a nutshell just how critical physical security is to cybersecurity: “All of the sophisticated, deep cybersecurity protocols, software and processes you implement could be taken down in an instant if a bad actor gains access to a server closet through a door left ajar by a third-party technician.”

Bones of an effective cybersecurity plan

Any institution’s cybersecurity plan includes a myriad of small security mitigations protecting the many parts of the system. However, without a well-thought-out, comprehensive structure to support full security coverage, all of those small solutions still could leave your organization vulnerable. Just as a building needs a framework to hold up the walls (the bones), a cybersecurity plan is the framework that holds up a system’s components.

An effective cybersecurity plan begins with assessment of every component in your system and every potential security breach scenario. Your assessment should include determination of physical ways bad actors could access systems (e.g., through unlocked doors), or where inadvertent actions could compromise the system (e.g., accidentally activating on/off switches). A comprehensive risk assessment should be created before any new components are purchased or programs are put in place.

The bones of your cybersecurity plan should follow emerging standards, including ever-changing best practices for encryption, data tracking, human error mitigation, awareness programs, and incentives for reporting phishing, for example. “Part of establishing digital security in a healthcare institution is knowing what the most current standards are and understanding how to follow them,” Broz advised. He said many institutions lean on third-party experts. However, if your team members are not already, they should get on the mailing lists of cybersecurity industry organizations, such as the Healthcare Information and Management Systems Society, Inc. (HIMSS), so they can receive timely updates and tips. Even with reminders from experts, Broz suggested many companies are forgetting about the physical side of digital security.

We’ve included a checklist of some of the most easily forgotten physical aspects of cybersecurity at the end of this article to help flesh out your cybersecurity plan. 

Overall, an effective cybersecurity plan must:

  • Include integrated digital and physical cybersecurity solutions pathways (“You can’t have one without the other,” Broz said.)
  • Take into account how your healthcare cybersecurity initiatives will affect profitability and other aspects of your institution, including efficiency, staffing and budgets
  • Identify unsupported legacy systems and realistically determine when the potential for ongoing vulnerabilities outweighs the costs of upgrading
  • Account for third-party devices that will be connected to your network by patients, families, employees and contractors — some exposure through third-party devices is intentional and some may be unintentional
  • Incorporate partnerships with trusted third-party service and equipment providers who know the specific business of healthcare cybersecurity
  • Prioritize to ensure that the most important, or most foundational, aspects of cybersecurity are managed first
  • Include an incident response plan, so your team knows exactly what to do when a breach happens
  • Outline built-in protocols for continual testing and updating your healthcare cybersecurity systems without any gaps in care
  • Integrate input, needs and concerns from other teams in the organization and align with high-level organizational goals and processes
  • Include detailed steps for continual training, information sharing across departments, and plan updating

Healthcare venues present unique, and oftentimes critical, potential cybersecurity issues. Most hospitals and other healthcare institutions hire experienced, educated in-house information technology and security professionals who know how to create and carry out a plan. The key is to make sure your professional staff is given the time and resources for proper planning, implementation and management of cybersecurity — including ensuring comprehensive coverage, with no gaps, by addressing the physical side of digital security.

Physical Cybersecurity Plan Checklist

For more information about or assistance with both the digital and physical sides of your cybersecurity plan, contact Prime Communications Inc., 402-289-4126 or sales@primecominc.com.


One-of-a-Kind Virtual Patient System Saves Time, Money and Exposure

Virtual Patient Interface Unit

A global pandemic has a way of bringing old issues into the spotlight. In the healthcare world, one such issue is patient monitoring, a task that has become even more challenging in recent months. But a unique Virtual Patient Interface System (VPIS) from Prime Communications, Inc. can solve many patient monitoring woes by providing safer, less expensive patient interaction while making care more efficient, safe and comfortable.

Since the beginning of 2020, COVID-19 has intensified concern in hospitals about contagiousness for all patients. This meant using increased amounts of personal protective equipment (PPE), such as masks, gloves and gowns – at an added cost. In addition to the burden of increased cost, the doffing and donning of PPE for even the most basic tasks in patient rooms eats up valuable time. Now, PPE supplies are dwindling, which could increase risk of exposure for medical personnel, as well as patients and their families.

One of Prime’s customers asked for help to solve these problems. The VPIS was Prime’s answer. It can eliminate the need for PPE in many situations, so existing protective gear lasts longer and everyone stays safer and healthier.

The VPIS is a highly mobile, compact system equipped with an adjustable pan-tilt-zoom (PTZ) camera and a pole-mounted video screen.

The camera allows staff – from outside the room – to visually examine patient IV connections, fluid levels, monitors and other room conditions. It can pan 360 degrees and zoom in close enough to read small print, if needed. This same type of camera has been used by security teams to monitor large parking lots, which gives an idea of its power, especially in the smaller venue of a hospital room.

The vertical-format VPIS screen provides two-way audio and visual communication between the patient and staff. The patient can see caregivers’ faces on the screen at an almost lifelike size and speak with them as if they were in the room.

Putting this wireless system on a lightweight mobile cart gives it the kind of flexibility traditional hard-wired systems don’t have — and the setup is much quicker and less expensive to deploy.

Reducing PPE Usage to Save Time and Money

As a result of heavy demand during the pandemic, PPE costs have skyrocketed — in some cases by as much as 1,000% compared to 2019. This means hospitals have had to rethink how to use the PPE they have more efficiently without negatively impacting patient and staff safety.

The VPIS allows personnel to perform simple patient care tasks with no need for staff to put on PPE and physically enter the room. Because they can check monitors and fluid levels easily using the PTZ camera and interview patients from a remote location, staff can easily monitor multiple rooms and check on groups of patients in record time.

These time savings can add up significantly, allowing medical personnel to address more important problems and get more done during their workday, potentially even reducing the need to hire more employees during the pandemic.

Increasing Safety by Reducing Physical Interaction

Of course, even with proper use of PPE, there’s still a chance patient interaction could result in medical workers contracting COVID-19 and other infectious diseases — and the more infected workers you have, the fewer there are to care for patients. One study of a SARS outbreak in Toronto in 2003 showed that over one-third of the infected were hospital staff (https://www.cmaj.ca/content/169/4/285.short).

And there’s patient risk, too, because caregiver interaction, even with PPE, could expose them to COVID-19 and other diseases. Healthcare-associated infections (HAI), as they are called, are common. The CDC reports that on a given day, an average of 1 of every 31 hospital patients is suffering from an HAI (https://www.cdc.gov/hai/data/index.html).

It’s impossible to care for a patient with no contact whatsoever, but if select simple tasks and interactions can be carried out remotely, it lessens the chance of exposure to pathogens.

With the VPIS’s camera and screen, the patient remains comfortable in bed while medical personnel provide information and ask questions from outside the room. Friends and family also can make use of the technology from the remote monitors, visiting with the patient without putting themselves or the patient at risk.

The system can even help with recruiting. Healthcare workers weary of wearing PPE and worried about exposure may seek out institutions that offer creative ways to address efficiency and safety.

Versatile and Easy to Install

Traditional hard-wired video monitoring and call systems are common in medical facilities, but installing the technology is expensive and time consuming, and the equipment is not very flexible.

In contrast, Prime can roll out a virtual patient interface system in minimal time. The devices are plug-and-play and extremely easy to use. The cart and software are shipped to your medical facility practically ready to go, and user training is conducted remotely.

The highly mobile system is adaptable enough to fit nearly any healthcare situation. It can be moved easily where needed without having to relocate a patient. If a facility wants to add more carts, it’s easy to scale up without the costly, time-consuming, disruptive (and potentially risky) construction processes required to implement traditional wall-mounted monitoring systems.

Existing Technology Put to Best Use

A major global health event, such as the recent novel coronavirus pandemic, can put pressure on healthcare personnel in alarming new ways. Solutions are needed fast – and simplicity is a must during this type of crisis to remove the obstacle of “bugs in the system” we are used to dealing with when technology is new. Prime took stock of technologies they have already deployed many, many times to find a solution for their healthcare clients, and the VPIS is the result.

Does your healthcare facility need to solve for a PPE supply problem or an infectious diseases exposure challenge? Ask us how the VPIS might apply to your situation – and how other existing technologies could be refitted for your needs. An experienced full-service integrator like Prime can provide innovative, efficient, easy-to-deploy solutions that allow your staff to get on with the business of providing the best care.

For more information on the virtual patient interface system visit: https://primesecured.com/virtual-patient-interface-system

 

 

 


Keeping People Safe: The Critical Role of DAS in Emergency Communication

In the last decade, a series of disasters – from the terrorist attacks of 9/11 to school shootings – has put a spotlight on the need to upgrade communications technology for the sake of public safety. Emergency medical personnel must be able to reach one another in the heat of a crisis. Victims must have a way to let loved ones know they are okay. Phones and radios can even help responders find those who have been hurt.

Prime Communications, Inc. helps assess and install new public safety Distributed Antenna Systems (DAS) as well as cellular service amplifiers. We also work with clients to evaluate existing systems and determine whether they can be upgraded or replaced.

“Existing systems may not need to be updated to ensure an occupancy certificate, and it’s tempting to just let it go because it’s hardly ever used,” said Ron McNichols of Prime. “But most organizations want to make sure everyone’s safe in an emergency.”

This article will help you understand some of the issues you may find your organization facing and solutions you might apply to improve both public safety DAS and cellular service in your own building.


Essential Healthcare Projects: Meeting Challenges During a Crisis

In a major healthcare crisis, hospital administrators are called on to ramp up technical systems quickly to meet critical needs. At such times, certain services are designated essential personnel, including those who implement medical infrastructure, networking, patient monitoring and nurse call systems. During a crisis, as with other types of workers, some of the regular contractors will likely go absent due to illness, fear, or quarantine requirements. When that happens, administrators must quickly find reliable contract vendors to fill the gaps and keep systems going.

This article provides important information and advice to ensure the successful selection and onboarding of contract technical personnel during a healthcare crisis. 


Low-Impact, Secure Medical Equipment Deployment in Critical Hospital Settings

Imagine this: A technician is working within the NICU unit of a Midwestern hospital. As he begins uploading patient monitoring software in one of the rooms, the patient and her family are ushered in. The family is visibly distraught. During this very private, devastating moment, the technician must make a series of decisions. Should he stay and continue uploading software? Should he offer condolences to the family? What if someone asks him for a drink of water from the sink behind his ladder? If he must stay in the room to complete a critical software upload, what does he need to do to remain professional?

In a situation such as this, both the manufacturer of the equipment being installed and hospital personnel are highly invested in the behavior and demeanor of the installer. The consequences of a technology installer’s performance and its impact on the patient experience can be serious — even life-threatening.

Installing, maintaining and upgrading technological devices within critical medical settings is an art, and not every technician can provide the soft skills needed. This article offers insights and a checklist to help ensure low-impact technology deployment in medical institutions.