How complying with cybersecurity certification demands can advance your physical security goals

William S. Marcisz, JD, CPP, CHPA

Cybersecurity certification requirements for healthcare create a demand for certain physical security standards to protect IT infrastructure. Cybersecurity compliance is mission critical to maintaining or expanding market share. The author notes that partnering with IT leaders gives you a unique opportunity to enhance your physical security platform to ensure compliance with cybersecurity certification standards from HITRUST or related bodies. An understanding of HITRUST and of the physical security requirements for compliance with its common security framework (CSF) can be leveraged to gain resources for improved access control, CCTV, and intrusion systems, as well as key control.

(William S. Marcisz, JD, CPP, CHPA, an IAHSS member, is the President and Chief Consultant at Strategic Security Management Consulting, Inc. On Twitter: @BillMarcisz.)

Most leaders have heard the maxim, “If you fail to plan, you are planning to fail.” Effective healthcare security directors understand the importance of having strategic security management plans that focus on mitigating risk and avoiding liability. However, security management plans that synchronize, integrate, and align with the objectives of your organization’s enterprise business plan stand a much better chance of enabling you to obtain resourcing for your objectives.

Physical security programs in any industry must embrace the reality that they can no longer operate on separate islands from their information technology (IT) teams, if for no other reason than that nearly all electronic security systems (such as CCTV, access control, and visitor management) operate on and within the framework of your organization’s IT infrastructure and digital platforms.

It is critically important for healthcare security professionals who are writing or updating their strategic security management plans to include IT input and ensure alignment with cybersecurity partners. This is because cybersecurity is the number one criticality risk facing the healthcare industry. You need only check your daily news feeds to see that ransomware and other cyberattacks are on the rise. A hospital’s reliance on the integrity of its IT infrastructure is so complete that it is hard to imagine performing even the simplest tasks without that framework being up and running. As such, your hospital’s IT and physical security teams have a reciprocal interest in aligning more closely to protect the physical IT infrastructure.

COMPETITION FOR MARKET SHARE IS DRIVING RELIANCE ON CONNECTIVITY

Hospitals and healthcare systems are becoming more creative to capture and keep market share. In a concept sometimes referred to as “connected care,” the emphasis is on expanding care options in the community to entice patients and then offer a wide range of services that will draw these same patients to a healthcare system’s network of providers. The end goal is to ultimately direct patients from suburban points of entry to the network’s hospitals for care services that cannot be provided locally.

Healthcare is undergoing a paradigm shift in service delivery. Hospitals are no longer the central point of care but are becoming care destination points fed by any number of non-hospital points of care. Few healthcare organizations are building new hospitals. Instead, market growth opportunity has shifted geographically and electronically. Healthcare systems are building or positioning care services closer to the customer base (that is, patients) in the form of aligned physician practices, suburban health parks, urgent care centers, and even stand-alone emergency centers. Moreover, there is now a more concerted focus on reaching customers through “retail medicine,” in which a person will be able to go to a local grocery store, purchase a few items, receive a physical exam by a physician, get a blood test, and pick up a prescription, all in one convenient location. Telehealth appointments with physicians, which became necessary during the COVID-19 pandemic, appear to be another care delivery model that is here to stay. All these new care delivery modalities are reliant on a protected cyber network. The success of this new service delivery model is, however, contingent on connectivity throughout the system, to ensure continuity of care, and most importantly, access to patient medical records. In addition, healthcare systems now have incentives to connect and access records from outside their organization. Imagine you are on vacation across the country and need emergent care but are unable to communicate your medical history (such as an allergy to a commonly prescribed medicine) to the treating physician. In the connected care world, the treating physician would have instant access to your medical records from your usual care provider and would thereby avoid making medical errors.

ALIGNING WITH CYBERSECURITY COMPLIANCE REQUIREMENTS CAN SUPPORT PHYSICAL SECURITY RESOURCING

The shift in service delivery is forcing security professionals to rethink their security plans on two fronts. The first relates to providing traditional security services—specifically, conducting security site assessments, installing physical security measures, and investigating thefts, threats, and workplace violence—to multiple care locations in a vast geographic area. The second relates to securing your organization’s IT infrastructure in dozens, if not hundreds or even thousands, of non-hospital work locations. For purposes of this article, I will address only the second issue.

Let’s make it a little easier on ourselves. The security department does not have to carry the whole burden for physical security measures such as CCTV and access control. IT security, in many respects, is the province of your organization’s chief information security officer (CISO). Regulations and compliance criteria for healthcare systems already exist to ensure the integrity of electronic records management systems and compliance requirements for point-to-point electronic records transmission, storage, and management.

To truly attain the ability to provide connected care, healthcare organizations are required to certify the security of their information systems. The Health Information Trust Alliance, or HITRUST, is a privately held company in the United States that certifies healthcare organizations that demonstrate that their HIPAA compliance measures conform to established information security safeguards. In collaboration with healthcare technology and information security leaders, HITRUST has established a common security framework (CSF) that can be used by all organizations that create, access, store, or exchange sensitive or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.

Hospital and healthcare security directors need to understand that certification bodies like HITRUST view physical security as a control area, or what HITRUST refers to as a “domain.” The inability to meet HITRUST physical security requirements is a barrier to attaining the HITRUST certification needed to be allowed to use the CSF—which is an operational imperative for continued organizational business growth and success. Said another way, if a healthcare organization cannot share health information in the healthcare delivery system envisioned for our future, that healthcare system will at some point fail to exist, as it will not be able to compete in the healthcare marketplace.

HITRUST standards are complicated, and each requires an in-depth analysis. For instance, each category that falls under the physical security domain requires a specific plan and a unique set of measurements relating to protection plans. As a hospital security director, you may be tasked with reviewing the physical security requirements for HITRUST and creating protection plans that meet those requirements in the following areas: hospital assets; IT and physical security infrastructure; access to sensitive areas; key controls; physical security response plans; regulatory training requirements; visitor and vendor identity management; facility utilities management and securing power sources; fire monitoring and response; lightning protection measures; and testing and validation of all these processes.

It is sometimes hard for us physical security directors to advance our objectives while competing for an organization’s limited pool of resourcing. I recommend that security professionals who are seeking to resource physical security measures view the fulfilling of IT compliance measures as a pathway. The HITRUST certification requirements in the physical security domain can be your “golden ticket” to attain resourcing because healthcare’s new reliance on connected care depends on having a secure, certified IT platform for information exchange. I further recommend doing some research on HITRUST physical security requirements and aligning your security master plan to any connected care initiatives in your organization’s business plan.

You are wise to partner with your chief information officer (CIO) and chief information security officer (CISO) if you want to gain resourcing for physical security infrastructure. The CISO’s ownership stake in IT security compliance is greater than your own. Some organizations now dedicate 10% to 15% of their annual operational resources to IT. In many cases, the IT team does not have sufficient background in physical security. However, the IT team’s budget is far more substantial than that of the hospital’s security department. Thus, the security director may be able to use HITRUST as leverage to have the IT department fund some of your physical security requirements to attain certification. In the alternative, the CIO or CISO may be very influential in assisting and supporting your business argument for upgrades to your existing physical security infrastructure.

The collaboration with IT leadership should be viewed as a two-way partnership with the common goal of creating a safer environment. Both the CIO and CISO have a vested interest in physical security compliance to attain a certification like that provided by HITRUST. As such, IT leadership and their influence will likely be your best advocate to gain the resourcing for physical security upgrades needed for HITRUST compliance.

In a nutshell, your task is to research, network, and write your strategic security management plan so that it aligns with the goals of your IT stakeholder and partners. Then partner and allow IT to make your business case for you.
