Security Problem
Grazielli
Created on September 17, 2024
Human Resources Security
PROBLEM
Security Breach Overview
We hired an independent security team to test how well our hospital’s physical security holds up against social engineering techniques.
Their goal was to see how easily someone could sneak into restricted areas, get on our network, or access sensitive information.
Within just one day, the testers found several big gaps in our security that need immediate attention.
Multiple breaches happened in just a few hours, showing that our current security measures aren’t strong enough to stop unauthorized access to important areas and data.
HOW
Physical Access to the Network
The tester wore a suit to look like a visitor or business person and walked right into one of our conference rooms without anyone stopping him. He found an Ethernet port, plugged in his laptop, and connected to our network.
Physical Access to Critical Areas
The tester dressed up in blue scrubs, carried a clipboard, and wore a stethoscope to blend in as hospital staff. He managed to get into high-security areas: the lab, the operating room, and the maternity ward.
Physical Access to a Computer
The tester wore a company polo shirt and posed as an IT technician. He sat at an empty cubicle, opened the computer, and removed the hard drive.
HOW
In all the tests there was a possible intervention, but it wasn't enough to stop the tester from succeeding.
Physical Access to a Computer
When questioned, he just said he was hired by "John Smith, IT Manager" to fix the computer, and that was enough to satisfy the staff.
Physical Access to Critical Areas
In one case, a staff member let him in by buzzing him through. In the other cases, he followed other people through the doors.
RISK
10.9M
Risks and Impact of Accessing Critical Areas
The average cost of a security breach in healthcare is $10.93 million per incident.
Policies at Risk:
Weak access control policies for restricted zones.
No proper visitor identification or checking if the person was really staff.
What’s at Risk:
Patient safety could be seriously impacted.
Unauthorized access to medical equipment and sensitive areas.
We’re also breaking HIPAA rules, which means we could face fines and other penalties.
10%
Each year, around 10% of hospitals in the U.S. experience incidents that compromise patient safety.
RISK
Risks and Impact of Patient File Access
Policies at Risk:
No control over who’s accessing printed documents in shared spaces like nursing stations.
Lack of oversight for printed patient info and no procedures in place to secure it.
What’s at Risk:
Immediate breach of patient privacy and potential HIPAA violations.
Sensitive patient health information (PHI) could be exposed, leading to identity theft or fraud.
Financial penalties and loss of trust from patients for not protecting their personal information.
RISK
Risks and Impact of Computer Access
Policies at Risk:
No real process for verifying third-party IT workers or checking credentials.
Easy access to workstations and no controls to prevent someone from removing hardware.
What’s at Risk:
The hard drive could have sensitive info like patient records or private hospital data.
Losing hardware could disrupt operations and lead to data theft.
Violating data protection laws could result in legal consequences and fines.
SOLUTION
‘Security isn’t something you buy, it’s something you do, and it takes talented people to do it right.’
Conclusion and Next Steps
Conclusion
These tests revealed serious weaknesses in our physical security, network access, and document handling.
Stronger physical access controls
Tighten security on who can enter restricted areas and prevent tailgating.
Increase staff awareness
Train staff to recognize social engineering tricks and report suspicious behavior.
Secure network ports
Lock down unused network jacks and monitor who’s connecting to the network.
Improve document security
Make sure sensitive documents aren’t left unattended in shared spaces.
Ongoing audits
Regularly test our security to catch vulnerabilities before they can be exploited.