Outside of a global pandemic, an attack on a hospital or the healthcare system at large would have a severe impact, but today an attack would be catastrophic. These institutions have been instrumental in the fight against COVID-19, yet are woefully unprepared, an issue that began long before the pandemic struck.
Soft targets can be defined as locations that are easily accessible to the public with limited security and/or protection measures. Hospitals as well as schools, sporting venues, and public transportation all fall under this category. By nature, soft targets are challenging to protect. In addition to security regularly being relegated to the bottom of the priority list, these institutions are often limited by their facilities, available resources, public opinion, expectations from internal leadership and donors, as well as a lack of imagination when it comes to potential threats. These restrictions make a standardized security procedure for an entire industry overbearing for smaller institutions to implement, on the one hand, and insufficient for the threats larger institutions may face, on the other. It is an impossible balancing act that requires constant revisions.
However, the consequences of not addressing these threats at all can be grave. Insufficient security at hospitals can result in property loss, identity theft, and in some cases death. It is the duty of a system committed to patient care to consider all angles in that pursuit, just as it is the responsibility of all industries to look after their assets.
Any incident that would disrupt daily operations or negatively impact an institution’s valuables is considered a threat or risk event. How these assets manifest differs for each industry; however, they can often be generalized as facilities, supplies or equipment, intellectual property, data, customers, and personnel. For a hospital, customers are its patients, and the category also includes visitors.
The most prevalent physical threat hospitals face is workplace violence. A study conducted by the Occupational Safety and Health Administration (OSHA) identified healthcare workers as four times more likely to experience serious injuries from work than workers in private industries. Serious injuries are described as incidents that result in the injured party taking days off from work to recover. These injuries are caused by patients, employees, and outside actors such as assailants. It is not sufficient to accept workplace violence as a hazard of the job. Employees and patients should be afforded adequate protection and avenues by leadership to report these issues. While there have been no terrorist attacks on U.S. hospitals to date, a plan to detonate a car bomb at a hospital in Kansas City was thwarted when the suspect, Timothy Wilson, was killed in a firefight with FBI agents. Additionally, outside the U.S., incidents involving hospitals in India and Pakistan have shown the devastation such events can inflict, as well as showing that terrorist groups desire such attacks and have the capability to carry them out.
Theft is also a significant threat. Hospital equipment is not cheap. Not only does the theft of items come at a cost to the hospital’s bottom line in the range of several hundreds of thousands of dollars, but it also can rob patients and healthcare workers of the necessary tools to provide and receive care. For example, in April of this year, during a time when medical supplies were scarce, an individual stole roughly $1,700 worth of personal protective equipment (PPE) and cleaning supplies. This was not a singular incident but rather represents the norm. Hospitals must take the appropriate steps to mitigate these situations for the safety of all those in their care.
Although physical security plays a large role in the overall security of an industry, it is only one part of the bigger picture. From a cyber security perspective, which largely protects a hospital’s intangible assets, the use of outdated hardware and software and an overall dependence on cyberspace is a vulnerability. A breach involving access to electronic medical records would allow hostile actors to steal personal health information such as names, addresses, dates of birth, insurance information and social security numbers. Victims of these breaches are at risk of identity fraud and of being misdiagnosed.
Ransomware leveraged against hospitals can result in complete shutdowns. In 2016, Hollywood Presbyterian Medical Center staff were unable to access medical records or use medical equipment for four days. In order to restore these services, 40 bitcoin or roughly $17,000 was paid to the individuals who launched the attack. The 2017 WannaCry attack, although not intentionally targeting hospitals, affected patient care and compromised patient safety at nearly 50 locations for several days in the United Kingdom.
Hospitals and other soft targets such as schools, sporting venues, and public transportation services have to spend the time, effort, and resources to analyze their specific security needs. Beginning with a risk assessment, implemented security should be compared to the industry standard if there is one. Gaps in procedural and physical security processes must be identified and addressed accordingly. Security measures for soft targets are complex and vary greatly, which emphasizes the need for them to be holistic to be effective. They have to cover both physical and intangible property and, above all, must be implemented from the top down, integrated into the culture of the individual companies and of the industry at large. Security is a never-ending project, but it is critical for the work to begin.