Physical Security: The Foundation of Healthcare Cybersecurity

The cloud metaphor has been very effective in allowing organizations to better understand the Internet, particularly how their data can quickly be accessed from almost anywhere and leveraged when needed. However, it can be easy to overlook the fact that the centers that safeguard cloud-stored data are not located somewhere “up there,” but are in fact very real physical spaces.

Unfortunately, many organizations focus almost exclusively on virtual security—and nearly forget about the building or room that houses their data, and whether it is properly secured. To be fully secure, a data center has to take into account not only network, data and user security, but physical security as well.

If the physical security of a data center is compromised, it could render an entire system unavailable—a scenario that could cause damage to any organization, but is particularly serious for a healthcare provider that relies on its systems not only for business management, but for delivering life-saving patient care.

Landscape and Types of Physical Threats

It’s helpful to visualize the physical infrastructure of a data center to better understand the physical risks: most centers have similar components—primarily computer servers, telecommunications systems, storage systems, fiber optic cables, power systems, climate control—and all are at risk.

Sometimes physical threats are related to malicious intent, like when a thief intentionally tries to break into a center to cause harm. However, other physical threats can occur, and be just as damaging. For instance, what if a system overheats? What if a major storm interrupts power? What happens if an employee ends a shift, and forgets to lock the door?

Defining Uptime Institute Professional Services Tiers

Because of the multiple threats that can impact a center, Uptime Institute Professional Services, a data center engineering and management consulting firm, instituted the industry’s first Tier Classification System and Operational Sustainability. The system is an outcome-oriented, performance-based system for benchmarking data center availability.

Tier certification refers only to the physical topology of the data center’s infrastructure that directly affects computer room operation. Certification is offered at four levels:

  • Tier IV – Fault tolerant site infrastructure
  • Tier III – Concurrently maintainable site infrastructure
  • Tier II – Redundant capacity components site infrastructure (redundant)
  • Tier I – Basic site infrastructure (non-redundant)

Physical Security Best Practices at Top Tier Data Centers

Tier IV and III are considered top tier data centers. Typically, Tier IV is reserved for the U.S. government’s highest level (top secret) security data. Tier III data centers meet stringent HIPAA requirements.

Physical security at top tier data centers falls into three broad categories:

  1. Building Features
  2. Building Security
  3. Personnel

Here are just some examples of what top tier data centers typically have in place to ensure physical security:

Building Features

  • Safe Locations: Centers are purposely built in safe locations with few natural hazards, like severe weather or seismic issues. It’s no accident that many data centers are built in Arizona, a state known for having the fewest natural disasters.
  • Multiple Feeds from Power Substations: Power is the lifeblood of any data center facility. By balancing the power load across two or more feeds, the operator has the flexibility to adjust in case of power surges, brownouts, or complete failure of a single source. This also allows for instant redundancy, as there is a lower percentage of power to transfer if a source completely fails.
  • Multiple and Disparate Conduits for Power and Bandwidth: Having multiple feeds into the building for power and internet is crucial to system availability. If one conduit is severed, whether by accident or by vandalism, the others remain in service.
  • Single Use, Single Design: A building designed exclusively for secure data storage drives greater efficiency and safety.
  • Non Multi-Tenant: Threats increase as the number of individuals with access to a building increases. Therefore, a data center should not be located in a multi-tenant facility.

Building Security

  • 24/7 Monitoring: Physical access is controlled around the clock. Typically, on-site technical personnel are also available 24/7.
  • Perimeter Security: Building staff are often hired to secure the perimeter of the center, and video cameras and electronic surveillance devices are used. (Note that perimeter security also typically involves personnel security issues, including reinforced physical structures such as concrete bollards, steel-lined walls, bulletproof glass and perimeter fencing.)
  • Two-Factor Authentication: To enter, personnel must pass through electronic and identity authentication systems, such as badge and biometric systems.
  • Biometric Access: Involves establishing someone’s identity based on chemical, behavioral, or physical attributes of that individual.
  • Man Traps: A small room designed to “trap” individuals trying to enter the facility.
  • CCTV DVR: Closed-circuit TV and digital video recorders for video surveillance.
  • Backup Power Security: Emergency or backup power that is needed to keep critical data center security equipment operational at all times.
  • Discreet Room Access and Cage/Cabinet Access: Access to the room is limited; cabinets and cages that house hardware are locked and secure.
  • HVAC Systems: In Tier IV centers, the heating, ventilating and air-conditioning (HVAC) systems do not draw air from outdoors, but are set to recirculate. In the event of a biological or chemical attack, or heavy smoke, this protects data center staff and components.

Personnel

  • Authorized Personnel Access Only: Only a few employees are allowed to access the data center. Security-escorted entry is recorded in time-stamped logs.
  • Background Checks: Employees are required to pass criminal, employment and ID/address verification background checks, as well as undergo drug testing. Data center operators may also consider character references and contact references. Employees must also sign confidentiality agreements.
  • Restricted Vendor Access: Vendors must carry a photo ID badge, and be accompanied by authorized data center personnel at all times.

Reducing or preventing physical threats, along with virtual threats, is key to total, robust security for healthcare organizations. When the data center environment is secure on every level and from every angle, including physical security, healthcare organizations are able to operate at their peak effectiveness, and deliver excellent care to patients.

About the author

Chris Bowen is a healthcare data privacy and security expert. He is one of only 1,304 professionals worldwide with the Certified Information Privacy Technologist (CIPT) certification from the International Association of Privacy Professionals. As a founder of ClearDATA Networks, he inspired the vision of providing secure, HIPAA-compliant cloud hosting and information security services to the healthcare industry.