Building automation systems (BAS) have become critical for helping health care facilities run smoothly. These offerings allow hospital administrators to save money, reduce energy usage and tighten access control.
However, anyone interested in designing a BAS or improving an existing one must treat security as essential. Health care facilities that become more automated rely heavily on networks hackers could exploit. People can follow best practices to reduce the likelihood of successful cyberattacks.
Create a Security-Centric Deployment Plan
People must start by determining what the BAS will control. After answering that fundamental question, it’s time to start building a framework and assigning staff to take ownership of specific parts of the BAS. That might mean choosing individuals from each hospital department to identify and reduce cybersecurity risks.
One expert with experience in BAS systems at hospitals had technology team members communicate with facility managers so both parties could work together to close security gaps and ensure nothing was overlooked. Tech specialists and building managers have knowledge unique to their roles. Setting aside time for these parties to work together in the planning stages makes it easier for everyone to understand and tackle the security risks.
Understand and Reduce Security Risks
People who build automation systems for health care facilities must consider the various ramifications of attacks that disrupt operations. Examples include:
- Connected hospital equipment no longer functioning
- Providers unable to access electronic patient records
- No access to staff email accounts or applications
- Inability to accept incoming patients or continue treating current ones
Hackers can gain access to hospital systems faster than many people realize, and such attacks can cause incredibly widespread problems. Consider one ransomware attack where the perpetrators demanded a $3 million ransom that the organization’s leaders decided not to pay.
The disruptions lasted weeks, affecting everything from language translation services to laboratory operations. That was largely due to leaders requiring workers to stop using the affected internet-connected systems until they addressed the security matter.
Designers who want BAS to affect building access and climate control must understand what could happen if these systems go offline. They should be proactive and implement non-internet-controlled ways to access a building, change room temperature or do anything related to a hospital’s safe operations.
They must also build safeguards to prevent hackers from tampering with critical settings. For example, most hospital areas must have relative humidity levels of 20%-60% to limit the spread of biological contaminants. One possibility could be to have manual controls building managers can use to override hackers.
It’s also important that building automation professionals use network-monitoring tools to spot suspicious activity before networks are infiltrated. Another strategy is to depend on edge computing devices as much as possible. Each device only stores a relatively small amount of data, meaning hackers must break into dozens or hundreds of endpoints to do major damage.
Recognize the Importance of Security-Based Maintenance
Investing in the latest building automation technologies is a good starting point but doesn’t guarantee security. Something as simple as forgetting to install the newest patch could allow a hacker to break into a building automation system and wreak havoc on everyone who depends on it.
Problems can also occur if people use outdated computers and operating systems to access BAS interfaces. Building automation specialists should perform detailed audits before bringing new technologies into a health care setting. They should also instruct IT department members and other relevant employees on how to periodically check for vulnerabilities.
A building automation system is not something a person can set and forget. A user could turn off a setting by accident and compromise security. That’s one reason why role-based access control is increasingly popular in health care settings and other environments where seemingly small mistakes could have significant impacts.
Role-based access control can extend to patients and health care workers. For example, the technology might permit nurses to retrieve medication from a locked cabinet while ensuring the patient who needs it cannot go outside without supervision.
However, the maintenance aspect of a BAS requires people to update access privileges as necessary. Otherwise, disgruntled employees could pose security risks because administrators don’t lock them out of a system once they quit or lose their jobs.
A security-minded approach to creating a BAS for a health care facility requires allowing authorized parties to make those access-related updates as seamlessly as possible. One popular method is allowing changes via a single dashboard. Building managers can easily take care of things when someone gets promoted, leaves the organization or needs short-term access.
A Security-First Mindset Reduces Issues
A building automation system broadens the potential attack surface for hackers to target. However, BAS developers who follow best practices can significantly reduce the chances of problems.
Setting aside time to periodically check for and remedy vulnerabilities is also an excellent way to use technology responsibly when widespread and often severe breaches occur. The parties designing the BAS must emphasize that keeping hackers out is everyone’s responsibility, not just a duty reserved for IT team members.
Ellie is a freelance writer who covers the latest innovations and advancements in science and technology for an audience of industry professionals. She’s also an associate editor for Revolutionized.
