
Why you need to have a physical security policy

Physical security and the healthcare sector

Healthcare data is extremely valuable, so it comes as no surprise that recent security and data breaches at healthcare facilities have been making headlines. Just how valuable is it? Personal health records routinely fetch more than credit card data on the black market. This is why your physical IT infrastructure needs to be monitored, managed, and protected, just like your virtual data and network.

Physical security is often overlooked

Many organizations have robust information security – ensuring their internal networks, devices and data are secure – but overlook physical security. This can easily result in breakage, theft and loss of sensitive data and equipment, which can undermine all the other security controls you have in place. This can leave your organization exposed to financial extortion, damage your reputation, and infringe your statutory obligations to secure patient privacy.

With this in mind, let’s look at best practices for securing your organization’s physical IT assets and infrastructure.

Protect your physical IT infrastructure

Some basic elements of building security include 24/7 monitoring of physical access to your data center, perimeter security with dedicated staff, CCTV surveillance, secure perimeter fencing, and two-factor authentication using card access and/or biometric systems. If you are planning the location of a data center, look to place it in a building or room with no external walls. The building or room should also be further secured to minimize the risk of fire and flooding. You should also maintain a record of all your IT equipment, including all serial numbers, and make it compulsory for staff to log off-site use. Having adequate insurance is also essential.

People are often the weakest link

Organizations may overlook their employees as a potential source of a data breach. Consider running background checks when hiring. Following up on references is also a good idea with new recruits. And when they sign their contract, be sure to include a confidentiality agreement. When it comes to granting access to your IT infrastructure or data center, grant it only to accredited employees. You should also look to implement restrictions on removable media, and on what is allowed in and out of your data center. Visitors and vendors should be scrutinized and accompanied by staff at all times. Staff should also be educated to secure their devices – laptops, tablets, and smartphones – when they are off-site. And in case a device is stolen, ensure you have security capabilities such as remote data wiping in place beforehand.

Physical penetration testing

If you are unsure of the integrity of your physical security, you can engage a security consultant to undertake a physical penetration test and/or a physical site security audit. These are real-world assessments of the existing physical security controls in place. They will identify exactly what vulnerabilities exist, so you can remedy the situation and ensure your data and equipment are adequately secured. Implement these measures and you will limit the likelihood of any physical threats to sensitive patient data and your IT infrastructure.