Why Identity Governance Is Becoming a Facilities Management Issue

As healthcare buildings grow more connected, weak identity controls can expose HVAC, security and other critical systems to serious risk.

By Jeff Wardon, Jr., Assistant Editor


Healthcare facilities managers are responsible for keeping buildings safe, functional and accessible. However, as physical systems become increasingly connected to digital platforms, those responsibilities now extend into the realm of identity governance. Who has access, and whether that access is properly managed, can have serious implications for security and operations.

Healthcare Facilities Today spoke with Zack Martin, senior policy advisor – cybersecurity services at Venable LLP, to understand why gaps in identity governance matter to facilities teams and what practical steps facilities managers can take to reduce identity-related risks. 

HFT: Why should healthcare facilities managers—who often focus on physical infrastructure and operational continuity—be concerned about identity governance gaps within their organizations? 

Zack Martin: Facilities managers need to have the same insight as to who is in the building as the IT security staff has to control physical access to the facility. If an individual joins, moves or leaves the organization, their privileges and access rights change. The facility manager needs to know so that the badge can open the door, prescription cabinet or do whatever else it is supposed to do.  

When joining a healthcare organization, they will be given certain access rights that they will have for that time period. If they change jobs, those rights likely change and some of the previous rights might be revoked and new ones granted. If they leave an organization, privileges need to be turned off so that privileges and accesses can no longer be used. While this is true on the IT side for access to applications and data, it’s also true on the physical security side for access to facilities and resources. 

HFT: How can issues like orphaned accounts or unmanaged vendor access directly affect building systems, work order platforms or other technologies facilities teams rely on? 

Martin: Periodic access review needs to be performed so orphaned accounts do not become a problem. If an unauthorized individual were able to gain access to an orphaned account, they could gain access to building systems and create new accounts; accesses and privileges enable unauthorized access.  

Depending on how these systems are configured, they could also gain access to other hospital systems. This is why access reviews are critical, and the use of multifactor authentication for third-party accounts is important as the technology poses a hurdle for access. 

HFT: Facilities managers regularly coordinate with numerous outside vendors and contractors. What identity-related risks arise from this, and how can facilities teams better manage or influence vendor access controls? 

Martin: There are a number of steps healthcare providers can take to protect their systems from identity-related risks associated with third-party vendors and contractors. First, mandate multifactor authentication, which helps prevent simple password reuse and brute force attacks. Each vendor accessing the system must have their own separate account; no one single account for access to all systems, which is logged and monitored by the healthcare facility during access. These provisions should be included in all third-party vendor contracts.

On the facilities side, network segmentation should be set up to ensure that an individual's access to the systems cannot access any other resources. Additionally, least privileges should be put into place to ensure access rights do not expand beyond what the vendor is trying to access. If possible, facilities could use federated identity – the vendor would use their existing corporate credentials with multifactor authentication – to access healthcare networks. 

HFT: Credential-based attacks do not require sophisticated malware. What would a compromise through weak identity controls look like in the context of facilities systems such as HVAC, security or energy management platforms? 

Martin: If the facility systems do not have multifactor authentication enabled or individual accounts for every individual accessing the system, these would be weak identity controls that can enable unauthorized access. Additionally, access to these systems should be monitored and logged for anomalous behavior.

Lastly, help desks should also be trained to properly vet individuals who may be calling in for access to these systems. This includes potentially having an individual go on a video call or show up to a facility with a government-issued ID to prove who they are.

Jeff Wardon, Jr., is the assistant editor of the facilities market. 



January 7, 2026


Topic Area: Information Technology, Security

