A late 2018 survey of College of Healthcare Information Management Executives (CHIME) members showed physical-cyber security integration to be a critical or important topic for 75% of the healthcare IT leaders who responded. However, data from physical access controls is not being collected, analyzed, or correlated with network security at a majority (75%) of the organizations[i].
The lack of integration is due to the fact that physical security and cybersecurity are managed by different groups with unique sets of controls. Typically, network operations looks at network security, information security looks at data at rest and data in transit, and physical security looks at surveillance and access control. Network operations and information security are often combined into one information security department, which operates separately from the facilities department who traditionally handles physical security.
Organizations have separately grown a physical security team under the facilities department because it’s more facilities oriented, and network and information security naturally fell under IT. Since this is how the departments organically grew, many of these groups remain separate.
The siloed approaches to physical security and cybersecurity that exist in most cases can leave an organization with a heightened exposure to breaches. In this blog, I will review the potential for more integrated solutions, the benefits that can be gained, and the steps you can take to achieve integration.
Four Potential Integrated Solutions
Securing the Network
One form of physical-cyber security integration that some are pursuing is tying building access to network access as a form of multi-factor authentication. What this means is that employees wouldn’t be able to access the network unless they have already used their badge to access the facility. This is a form of multi-factor authentication because the person, even though there are two different identity systems within the organization, would need to be in a physical location before accessing the network. If a bad actor was trying to break into a network, he wouldn’t be able to without also finding a way to penetrate access controls into the facility.
Protecting the People
An identity management system is a great solution for protecting your people, protecting their identity, and ensuring that system access rights are not compromised. Some organizations have moved toward one identity management system that enables them to control access to all assets, physical as well as cyber.
Securing the Data
Another potential integration solution is keeping data in a single location with a single access management system. We see a lot of organizations with a few different locations for their data, which is sometimes necessary, but minimizing the number of locations with data can greatly improve your physical and cybersecurity. With data centralized in one location, it becomes easier to protect and defend the one area where all information is stored.
Securing the Facility
Lastly, restricting physical access using IT systems can be an effective way to secure your facility. Restrictions can be based on a number of criteria, including role, location, and time of day. As an added layer of security, there are even solutions that are based on a combination of the employee’s role and the office location. For example, an employee may not have the ability to turn on certain lights or change the thermostat based on the time of day and specific room.
The Benefits of Integration
One of the principal benefits of integrating physical security and cybersecurity is cost savings. By opening the lines of communication between your facilities team and information security team, you are more likely to identify instances where one team has a mitigating control in place that eliminates the need for the other team to invest in implementing a different control. Additionally, the two teams can collaborate to prevent any unexpected costs with a new security investment project. For example, if you’re acquiring cameras, early dialogue between the facilities team and the information security team about the software that’s needed to manage the recordings and the required locations of the cameras is key.
In addition to cost savings, there’s a greater chance that the project is going to work efficiently because the two teams have a good understanding of each other’s needs and expectations. Improved efficiency will translate to a stronger overall security program and a better outcome for your organization.
When an incident occurs, you are more likely to have a quicker and more effective response if the two teams work in conjunction with one another. You’re able to respond to problems faster, leveraging existing investments.
Integrating physical security and cybersecurity also reduces risk. With data related to a cyber risk flowing to your facilities team, you are in better position to take the appropriate steps to manage that risk from a physical perspective and vice versa.
How to Achieve Integration
As we know, it’s not enough to simply outline areas of integration and the expected benefits. How do we make sure that our physical security and cybersecurity teams are working together? First, leaders really must facilitate this collaboration and ensure that both teams are brought into the discussions throughout every step of your projects. Physical security and cybersecurity teams will be able to anticipate dilemmas or help in the project through the entire way if the appropriate team members are brought into the conversation and not just bolted on at the end.
Security should not be important to only one level of the organization. It needs to be important to everyone. Bringing conversations to a level that everyone can understand is critical for everyone to buy in and understand what is expected of them. Incorporating all members of an organization into conversations about security can assist in the understanding of how to approach cybersecurity and physical security to benefit the organization.
Lastly, recognizing all stakeholders in a project and getting their input is critical to decreasing costs, increasing efficiency, and achieving other intended benefits.
In Summary
Bringing physical security and cybersecurity teams together to build strength in your organization is critical. An integrated security architecture offers a foundation for connecting the physical and cyber worlds through intelligence sharing, visibility, control, and automation. From improving medical device security to conducting due diligence on potential acquisitions to setting up a new care facility, there are countless scenarios where an integrated approach will reduce your risk exposure and serve you well.
[i] https://www.fortinet.com/content/dam/fortinet/assets/brochures/brochure-healthcare-chimes-survey.pdf