Confidentiality is a huge concern in any healthcare facility. To ensure consistency and to meet the many requirements of the Health Insurance Portability and Accountability Act (HIPAA in the US, similar laws exist in other countries), healthcare providers must closely guard the security of certain records. Confidential information whether patient-related, staff-related, or financial in nature can include a hard copy or electronic files and the potential misuse of such data could be related to a variety of criminal and other malicious acts, which is why extraordinary precautions must be taken to protect such data. Medical records, for example, have a long shelf life as far as ongoing criminal activity is concerned (you can't just cancel a medical record like you can steal a credit card number). The medical records provide long-term gains with very little risk and significant anonymity to the one illicitly using the information and offer a far better financial yield than other types of stolen information (you can sell the contents of the medical record and keep a copy to obtain fraudulent prescriptions, which you can then resell for even more profit).

Similarly, with the increased threat of terrorism present, many areas that previously were not considered security sensitive are now being reexamined, such as mechanical rooms, communications centers, and other critical infrastructure departments of the hospital. Any issues, which affect systems such as telecommunications, utilities, or IS / IT equipment can have a disastrous effect on patient care and the ability to treat those in the community. This includes sources of potentially dangerous raw materials for the creation of a radiation dispersal device (RDD), or "dirty bomb" due to the presence of sometimes significant amounts of certain isotopes of interest. Special programs, such as the National Nuclear Security Administration's Office of Radiological Security (ORS) are being used to limit such threats by "hardening" of certain key areas inside of hospitals and other potential sources of such material throughout the world. The US Department of Homeland Security has created several best practices and guidelines for securing and reporting suspicious activity in and around such areas. During a dynamic event, such as a public health emergency, many first responders and local law enforcement (as well as your own security forces) may be otherwise engaged and the opportunity to exploit such security sensitive areas, (for either profit or sabotage) increases exponentially without a dedicated guardian or physical security countermeasure to protect such assets.

Having described many of the "security sensitive areas" in the healthcare environment, the opportunity for collaboration between operational and IT security professionals is not just in the creation of policies and procedures, but more so in understanding the many ways in which each of their respective functions impact one other and how together IT and operational security are at the forefront of enabling business continuity even during an adverse event. An attempted hack of a healthcare organizations critical systems or electronic medical records database can be incredibly damaging from a financial and branding perspective, but no less so than an active violence event or sabotage/vandalism that impacts the ability of the organization to provide patient care. Both types of incidents are equally important from a risk mitigation perspective, but each of these events requires a different skill set to adequately prepare for and mitigate should they occur. One way in which IT and operational security programs can better work together is to formalize routine meetings while the "weather is good" and not in response to an event that has just occurred and many may be seeking someone to blame rather than identifying what factors may have led to the incident. Just as CCTV and access control systems rely upon the "backbone" of the IT infrastructure to communicate and function properly in an organization, so should operational and physical security leaders rely upon the "backbone" of our IT security partners to ensure the smooth flow of information and to work together to prepare for any adverse events, be they cyber-related or more physical in nature. Public sector and private sector partnership is a hot topic right now in the security and law enforcement communities. However, we should first have solid relationships internally between the IT and physical and operational security divisions before attempting to negotiate outreach efforts to the public sector, and that starts with an understanding and mutual appreciation of the importance of each of these responsibilities.