Have you ever thought about how different our lives would be if people didn’t cheat, steal or try to destroy property?
Of course, those people will never go away, but have you ever taken a mental inventory of the physical security elements you encounter each day? Just to get to work we encounter numerous locks, gates, fences, turnstiles, cameras, bollards and lighting, all put in place to counter some threat. There are examples everywhere, and we’ve come to take them for granted; we accept them as a part of our daily routine.
Physical vs. Digital Security
At some level, we understand the threat and the associated risks, while we also accept that these physical security controls play an important role in countering those threats. At the same time, these are controls we can see. We experience their purpose. A sign, for example, that says “Controlled Access, Keep Out” is a deterrent to honest people. A sign alone doesn’t actually keep anyone out, but it sends a signal that the area is not intended for general traffic. In a more tangible, analog world, these physical displays of security in action are easy to appreciate. But the world has changed.
We still need to protect our physical property from theft and, as before, we still need to protect our information from theft or misuse. But just a few decades ago our information was mostly presented and stored in a physical format. Books and newspapers are obvious examples. Today, our information (and its movement) is invisible until reconstructed on a computer screen.
Watch Rod Piechowski, MA, senior director, Health Information Systems, HIMSS, share insights into how health organizations are responding to threats with HIMSS TV.
In an analog world, one could ask: “where is the contract?” The answer might be “in the file cabinet” or “in the safe.” The invisibility issue is further complicated when you realize that the concept of “place” no longer exists. Exactly where does our data live? Does its physical location matter? Now think about securing that information.
Could we make this example more complex? Sure! If intellectual property is kept in a physical safe, one would have to be physically present at the same location in order to attempt to steal intellectual property from within. In a digital world, the concept of storage location is fuzzy, but so is the concept of the attacker’s location. With the right kind of knowledge and tools, many of which are freely available, anyone can at least attempt to break into our systems. The more abstract the things we are trying to protect become, the more challenging it becomes to exercise control over where they are and who has access to them.
In the security arena, we talk about protecting the confidentiality, integrity and availability of information. An attack in which information is breached affects confidentiality. Ransomware attacks the availability of the data. Malicious attacks against the integrity of data go beyond causing disruption of processes. If we cannot protect the integrity of data, what becomes of our reliance on computerized decision support? Does that affect patient safety? What about truth?
The Shared Responsibility of Security
While we still rely on physical security to protect against unauthorized access to our buildings or to specific locations within the property, the virtual nature of how information is collected, stored and moved requires a new way of thinking, especially among staff members whose primary role is not security. It seems only natural then that along with less control comes the need to pay more attention, and the scope of interested parties is greatly expanded. Each of us must be involved in security to some degree. The responsibility is shared, as each of us can become a target for phishing attacks that reach into our personal and professional lives.
I’d argue that the stakes today are higher than ever, and while we must depend on each other to keep a watchful eye open, the very abstract nature of information security makes it a challenge to teach people what to look for.
The chances of security ever returning to a purely tangible concept are slim. Physical security will always be the first line of defense. The technical controls we put in place help address what happens behind the scenes, but pure technical solutions are not the complete picture.
People are the link between physical security measures and those we employ to address the intangible. We must stay aware, informed, and motivated to help secure the information that defines and provides the structure for just about everything we do.
Next time you leave home and lock your door, think about why you do that. That’s why we must all help keep the doors locked on our information systems.