How Can Healthcare Institutions Overcome The Unprecedented Physical and Cyber Security Threats They Face Today?
Hospitals and healthcare centers face a wide range of security challenges. As a result, they invest heavily in physical security systems designed to protect their patients, staff, property, and data. But despite all the resources poured into these efforts, most healthcare providers fail to leverage these systems to their fullest potential – opening themselves up to even more risks.
Hospitals are a lucrative target for cybercriminals
One of the greatest emerging threats to the health industry is cybercrime. And while IT teams possess many tools with which to tackle these kinds of attacks, physical security devices are very often an easy “back door” into the network, as they aren’t covered by IT solutions – yet they’re still connected to those very same networks.
Of course, cybercrime is on the rise across all industries. According to a 2021 report by Convergint, in that year alone cybercrime increased by 43%. Ransomware crimes have been identified as the greatest threat, causing over $70 billion of damage in 2021 – a figure that is expected to rise to no less than $265 billion by 2031.
Alarmingly, the healthcare industry suffers from more ransomware attacks than any other sector.
This is also true for cybercrime in general. As of 2020, more than 90% of all healthcare organizations in the U.S. had reported one or more cybersecurity breaches in the previous three years.
But it’s not just the frequency of the attacks that’s so alarming – the average cost of a hack or data breach in the health sector is higher than in any other industry. For example, in 2022, the average cost of a data breach in the healthcare sector was $10.1 million, whereas the average cost of a data breach globally was “only” $4.35 million.
But while IT departments within organizations are usually equipped to confront these challenges, IoT devices – including physical security devices – are often the Achilles’ heel as far as cybersecurity is concerned.
And when it comes to IoT devices, hospitals stand particularly exposed, given their relatively large number of security devices. A 2019 survey by Genetec put this challenge into even sharper focus, showing that nearly 40% of security cameras are vulnerable to cyberattacks due to known vulnerabilities in their outdated firmware.
Putting sensitive patient information at risk
As far back as 2017, experts noted that the health sector is seen as a particularly attractive target for cybercriminals, especially because health records are worth up to ten times as much as other personal data, such as banking details.
In 2021, data breaches were reported to affect 2,302 medical organizations, costing them $7.8 billion and impacting 19.76 million patient records.
Beyond the financial impact, cyberattacks can pose a serious risk to healthcare organizations. They can put private medical files at risk of being exposed, and they can endanger patients by preventing them from getting the medical care they need. In fact, cyberattacks against healthcare facilities have been found to result in higher mortality rates among patients.
Against this backdrop, compliance is also a serious issue. Precisely due to the sensitive nature of the data they handle, the healthcare industry is subject to a number of strict government regulations. Specifically, the Health Insurance Portability and Accountability Act (HIPAA) includes strict regulations surrounding electronic protected health information (e-PHI). Failure to comply with HIPAA regulations can result in serious consequences – including facilities being shut down altogether.
Physical security will always be a top priority for hospitals
Hospitals, by their very nature, are open to the general public. As with any public facility, the constant flow of people going in and out – from medical and other staff to contractors, visitors, and of course patients – presents a clear need to invest in physical security.
But beyond that general challenge, hospitals have their own unique security risks. For example, medical professionals suffer from more workplace injuries due to violence than any other profession. That problem is only getting worse; according to the International Association for Healthcare Security and Safety (IAHSS), the rate of violent crime increased by 47% at U.S. hospitals in 2021.
And it’s not just violent crime. Non-violent crimes like theft and vandalism are also a common and growing problem at hospitals worldwide – whether targeting medical equipment, drugs, vehicles or other property. The same study, for example, showed a 40% increase in burglaries, a 16% rise in thefts, and an 8% increase in vandalism at U.S. hospitals over the same time period.
Accidents – sometimes resulting in serious injuries – are also a challenge that hospitals contend with on a regular basis, and can result in costly lawsuits. For a sense of perspective, according to the United States Department of Labor, there were 221,400 work-related injuries and illnesses recorded at U.S. hospitals in 2019. That’s a rate of 5.5 work-related injuries and illnesses for every 100 full-time employees.
Are your physical security devices properly maintained?
To counter these risks, hospitals invest heavily in physical security infrastructure – from video surveillance to access control, metal detectors, alarms, intercoms, and more.
But installing such systems is just the first step. Physical security devices require constant management and maintenance throughout their life cycle to stay operational.
Yet data have shown that this is often not the case. In fact, in the average organization, 4% of physical security devices typically get disconnected from their network in a given week. For cameras specifically, the problem is even more acute, with 6% of cameras getting disconnected from their video management system during a typical week.
But that’s just the tip of the iceberg. According to the same report, in the average physical security environment:
- 8% of devices are misconfigured.
- 70% are running outdated firmware.
- 15% of devices have reached their end of life and are therefore no longer supported by their manufacturers.
This is clearly a problem. Disconnected, misconfigured, or obsolete devices just won’t do the job they were installed to do.
It’s time to change the way hospitals manage physical security
The shame is that most of these issues – from offline and misconfigured devices to cyber vulnerabilities – are avoidable, and stem from a simple lack of regular maintenance.
For example, research shows that password-related attacks are commonly carried out on physical security devices due to unchanged manufacturer-set passwords and poor password security practices. This is because many physical security teams never change their devices’ default credentials, and when they do, they often opt for weak passwords that are easy to guess. Very few organizations carry out thorough password rotations on a regular basis, as they should.
It’s important to note that physical security teams are actually not to blame for this situation. They have been put in an impossible position. Physical security teams numbering just a handful of individuals with limited resources are responsible for ever-larger and more complex infrastructures of devices, management systems, and network dependencies. It just isn’t possible to manage them all.
But with the physical, cyber, and financial threats to hospitals rapidly increasing, it’s clear that radical change is needed. The alternative is leaving our hospitals increasingly exposed on all fronts.
So what’s the solution? Clearly, not to double down on the manual management and maintenance of physical security devices. Only an automated approach can truly address the mammoth task facing the healthcare industry.