Health Care Institutions Unify Safe Access to Information and Places
Editor / Provider: a&s International | Updated: 6/1/2011 | Article type: Commercial Markets
Unseen dangers such as identity theft and infant abduction are easily overlooked in the busy, buzzing atmosphere of health care facilities. As security concerns in health care facilities increase, more and more institutions are combining their physical access control and logical access control systems for better management of their patients, staff, visitors and assets. In converging different access control systems, smart cards and biometric credentials are becoming the necessary tools to clearly track foot traffic and enforce authorized access to information and places, as they offer high-level data security and identification accuracy. Health care complexes often span several buildings and campuses, which further complicates security management; effective physical and logical access control systems can now ease that burden.
Securing public spaces is a tricky business. Health care facilities are no exception, where patients, visitors and staff openly interact on a daily basis. Three areas need to be reviewed to provide a solid safety assessment, said Kenneth Mara, President of World Wide Security. "First, the safety of patients and staff should be considered by limiting the number of people who can or should have access to certain areas. Second, access to medical records and medicines needs to be controlled. Third, health care facilities should be designed in a way to keep patients from wandering the premises," he said. "The last consideration is especially important for psychiatric centers and patients with Alzheimer's or other dementia illnesses."
In health care settings, a card system combining physical and logical security has become the main access control method, for everyday administration and operation. "In health care, there are staff members that may shift roles depending on the time of day, or the location access is requested," said Derek Botti, IT Architect for Tivoli Industry Solutions — Health Care, Electronics, Manufacturing and Smart City Industry Lead, IBM. "Many do not have different physical access controls for the different roles, but do have different logical access controls for the different roles."
"The challenge often arises when the staff member in this capacity chooses the access control for one role when actually performing a secondary or tertiary role," Botti added. "Add in a constant state of flux as it relates to volunteer staff, temporary staff and educational staff; and the security and IT departments typically face issues that are not seen in other industries or facilities."
Building a reliable and fluid physical-logical access control system that contributes to operational, financial and clinical effectiveness is a necessity for many health care facilities. "As health care institutions expand their technology infrastructure and deploy multiple systems, they inherently produce an environment with separate access control systems, with multiple credentials issued and managed through duplicate processes with limited interoperability," explained Dave Cullen, Director of Business Development for Health Care, Lumidigm. "The result is an expensive process of credential management and an institution that is exposed and at risk for security breaches, resulting in expensive penalties and fines. More importantly, frustrations with system access will ultimately have a negative impact on the user and, in turn, on the quality of patient care."
The process of accessing areas and information is expected to become simplified by integrating the physical and logical access control systems into one. "IT and security departments are hoping to leverage n-factor authentication solutions to clinical systems and workstations that are able to use the same badges used for physical access to the buildings and nursing units themselves," Botti said. "In that regard, the IT and security departments are facing a desired integration of birthright provisioning, such that access to physical spaces and logical systems are granted through the same process."
Industry regulations and demands are pushing for convergence of physical and IT access control as well. "The Health Information Technology for Economic and Clinical Health Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) legislation requirements are pushing health care organizations to facilitate increased security levels for patient and other critical information," said Lisa Pryse, President of the Health Care Division, Old Dominion Security. "Though bandwidth is scrutinized to provide for multiple secure uses, more security systems are centralized into one area as well as coordinated with the IT department."
When the physical and logical access control systems are installed by different integrators, the foremost problem faced is compatibility between the two systems, as the installers might not be trained on both systems, said Eric Assouline, Export Sales Manager, CDVI Group.
Another problem is that the systems would run separately and likely would not read each other's credentials, nor would a smart card carry a biometric template that helps lower network traffic and provide greater privacy for the employee, Cullen said. "Interoperability of the systems delivers a flow of critical information from disparate systems to the right person at the right time. Communication systems enable visibility of information up- and downstream, avoiding costly bottlenecks."
Most often the problem is the lack of open standards in health care IT solutions, Botti said. "If the vendor of choice uses a closed system with proprietary or little API support, the integration between logical and physical access systems becomes a cumbersome and often expensive customized effort. There would also be issues with correlating data between the disparate systems, because there is no real free exchange of data between these solutions. The integration done is for a very narrow band of use cases and tends to miss backend analysis and correlation, which results in additional lengthy and expensive integration efforts."
Ensuring smooth integration between physical access control, logical access control and other security systems is not the sole responsibility of the systems integrator. Security managers and CIOs acting on behalf of the institutions should also thoroughly understand both the existing systems and potential new systems to get a clear idea of how convergence works.
Typically during integration, solution providers have tried to investigate what existing security solutions are in place and where to leverage existing infrastructure components, such as badges or identity stores, Botti said. "If possible, instill an interface as part of the implementation of a logical system that provides a single source provisioning solution between the physical access and logical access identity stores."
A converged physical and logical access control system often falls under the CIO's jurisdiction, with the security manager reporting to the CIO. In health care facilities, however, it is often divided between two distinct management chains, pitting physical security against logical security, Botti said. To avoid this standoff, both the CIO and security manager should understand both physical and logical systems to optimize performance, Assouline said.
"CIOs develop the long-term strategic direction of the hospital, and IT is at the core of reducing health care costs and establishing efficient processes," Cullen said. "Protecting these investments is also the responsibility of the CIO and included in this plan should be a strategy for streamlined physical and logical access controls. Streamlining backend identity and access management systems is only the first step to an efficient security infrastructure. It helps when the CIO understands both worlds, but it is equally important that the security manager likewise understands both types of systems."
"More CIOs now partner with security managers in order to manage a complete physical and logical access control system," said Brian Stemp, PM of Access Control in EMEA, ADT Security. "The responsibilities of each position could be influenced by the budget provided for each department, yet the two sides need to establish close ties in order to deliver efficient and solid work."
Drivers
The drivers for the convergence of physical and logical access control systems in health care institutions are reduced cost, increased security and reliability in the installed system. New platforms used for physical access control open up possibilities to integrate with logical access control faster and easier, while costs have decreased due to a wider selection of solutions, Assouline said.
Converged systems are driven by the desire to reduce operating costs and redundant components when examining the solutions from an enterprise-level view, Botti said. "In some cases, it is to reduce the overall complexity of the entire ecosystem — reducing the number of badges such that physical and logical access can be controlled with the same token."
"In other cases, it is driven by a desire to reduce the operating costs — reducing the total solution footprint by integrating solutions and eliminating redundant components that are performing the same task in an isolated fashion," Botti added. "In some other cases, it is a function of providing better regulatory compliance auditing — having a single source of the truth, which simplifies attestation, birth righting and sun setting of identity."
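The single-source provisioning Botti describes, with roles that change by time of day and the birthrighting and sunsetting of identity just mentioned, as an added Python illustration that is not from the article or from any vendor named in it; the role names, doors, systems and the rule that pharmacy and ICU doors take a biometric second factor are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, time
from typing import Optional, Tuple

# Constructed role policy: one role record yields both door and system entitlements.
POLICY = {
    "nurse": {"doors": {"ward_east", "med_room"}, "systems": {"emr"}},
    "pharmacist": {"doors": {"pharmacy", "med_room"}, "systems": {"emr", "pharmacy_app"}},
    "volunteer": {"doors": {"lobby"}, "systems": set()},
}
# Doors that take badge plus biometric match (assumed, after the ICU/pharmacy case).
SECOND_FACTOR_DOORS = {"pharmacy", "icu"}

@dataclass
class RoleAssignment:
    role: str
    start: date                                 # birthright date
    end: Optional[date] = None                  # set by sunset(); None = open-ended
    shift: Optional[Tuple[time, time]] = None   # time-of-day window for shift-bound roles

def _in_shift(shift, at_time):
    if shift is None:
        return True
    start, end = shift
    if start <= end:
        return start <= at_time < end
    return at_time >= start or at_time < end    # overnight shift wraps midnight

def active_roles(assignments, on_date, at_time):
    """Roles in force for one badge holder on a given date and time of day."""
    return {a.role for a in assignments
            if a.start <= on_date and (a.end is None or on_date < a.end)
            and _in_shift(a.shift, at_time)}

def entitlements(assignments, on_date, at_time):
    """Doors and systems derived from the same role set, so the two cannot drift apart."""
    doors, systems = set(), set()
    for role in active_roles(assignments, on_date, at_time):
        doors |= POLICY[role]["doors"]
        systems |= POLICY[role]["systems"]
    return doors, systems

def door_decision(assignments, door, on_date, at_time, biometric_ok=False):
    doors, _ = entitlements(assignments, on_date, at_time)
    if door not in doors:
        return "deny:not_entitled"
    if door in SECOND_FACTOR_DOORS and not biometric_ok:
        return "deny:second_factor"
    return "grant"

def sunset(assignments, end_date):
    """One deprovisioning step closes every role: door and system access end together."""
    for a in assignments:
        if a.end is None or a.end > end_date:
            a.end = end_date
```

Because door and system entitlements are derived from the same role records, a single sunset() call is the only deprovisioning step, which is what makes attestation against one source of truth possible.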
"Health care facilities are recognizing that they have a responsibility to protect patients, staff and property," Cullen said. "A good integrated security schema can have great impact on the cost of insurance for a hospital. Protecting the physical well-being of staff and patients has always been important, but as more patient information becomes electronic and interoperable, it is critical that this information is only available to those with appropriate permissions. Patient information falling into the wrong hands carries expensive penalties and fines, and can negatively impact the marketability of that facility."
Utilizing Smart Cards
Smart cards are useful for many functions: access control, payroll and attendance systems, among other tasks. Contactless cards in particular help limit and control infections in health care settings. Sensitive areas like the intensive care unit or pharmacy require dual-factor authentication, combining biometric verification with the assigned smart card.
Biometrics
Biometric deployments in health care facilities have traditionally been problematic, as conventional systems fail to operate reliably in harsh environments and situations, Cullen said. "Frequent hand washing, heavy use of chemicals and cleaners, the wearing of latex gloves and a wide range of demographic issues make biometric enrollment and authentication quite difficult and challenging."
Newer biometric techniques enable fingerprint scanning even when hands are gloved. "Multispectral fingerprint scanning, which has the unique ability to scan beneath the surface layer of skin, handles the environmental factors that can affect fingerprints," Cullen said.
Falling prices and easier use and maintenance are also driving wider adoption of biometrics in access control systems at health care institutions, said Mike Grimes, President of Integrated Biometrics. "Some of the most dramatic changes are the increased security that comes with no longer having a PIN code, which can be shared, and cards, which can be lost, shared or stolen."
"Contactless smart cards minimize overhead when dealing with biometric template management and distribution," said Dan DeBlasio, Director of Business Development, Identity and Access Management, HID Global (an Assa Abloy company). "Rather than storing biometrics on a server and distributing them over a wired network, a contactless smart card-based system allows biometric templates to be carried by the card holder, offering a stronger level of authentication and security commonly referred to as 'match on card.'"
Visitors
The convergence of physical and logical access control systems is largely restricted to staff and patients. However, effective monitoring of visitor access, especially during after-hours, ensures overall secure access in health care facilities. A common way to guard restricted areas is to program access points, permitting only authorized personnel with identification cards to gain entry or exit. "Some health care institutions may also want to integrate intercoms into access-controlled doors so that visitors can communicate with staff during after-hours," said Philip Verner, Sales and Marketing Manager, CEM Systems (a Tyco International company).
Adding video to two-way audio can instruct unwanted visitors they have entered an area they should not be in, Mara said. "Video and audio communications allow for interaction with a perpetrator in a possible crime in action and elevate it to a more serious response level for first responders. This can be important during after-hours, when guard services need a complement, or in place of guard services in remote areas as well."
Industry experts agree that relying on temporary access cards plus an existing access control system might be cost-prohibitive and insufficient in managing after-hours visitor access. On-site security personnel would still be needed, although manpower can be reduced and redistributed to high-risk areas. "The enforcement of visitor badging requires the direct involvement of the security personnel," said Mark Thummel, Account Manager of Security & Fire in Building Efficiency, Johnson Controls. "They may not be needed at the location where the badging process takes place, but their presence is critical at key entry points, such as the main elevators or main lobby entrances to other facility areas."
Visitor crime and theft occur in health care facilities due to the openness of the premises, although petty theft is more prevalent compared to serious crimes. The most costly crimes are committed by employees, such as stealing equipment, supplies and pharmaceutical substances, Cullen said.
"Theft is a serious issue within these facilities, because many of the assets are portable, expensive and difficult to track," Botti said. "Implementing real-time location services integrated with physical building controls has become a rising trend, as more health care facilities, especially around the emergency department, try to curb the loss of this equipment. Unfortunately, these initiatives are typically done outside the scope of either physical access control or logical access control and are instead often managed by supply chain management initiatives, which create yet another tower for these solutions."
Advancing with Technology
Technology brings both efficiency and risk to the table. For instance, tablet computers are useful tools for instant data retrieval and can be carried by medical personnel on rounds. However, data security and patient privacy are open to new threats.
Usability versus manageability is always a tough challenge for the enterprise, Botti commented. "In health care, the choice has been managed both ways in our experience. There were cases where no devices were allowed on the facility networks that were not directly managed by the IT department, including smart phones. In other cases, the policy allows any device to attach to the network, with the employee community required to sign documentation stating they accept all responsibility for the management of the device and understand any breach or exposure created by the device becomes the responsibility of the individual."
"New technologies like this will surely add onto the threat level and data leakage risk," Stemp said. "To counter these issues, the security and IT departments must work together to formulate extra encryption for harder access to important information by unauthorized persons."
To fill in the gap between the two extremes, physical security is able to assist in securely locating the assets at all times. "Assets could be tagged so that an alarm would sound when the assets leave the premises," Assouline said. "Flexibility of asset management integrated with access control, combined with a good knowledge of the system integrator with a well-educated end user, will enable better processes in securing the assets and personal resources of the hospital."
Biometrics can help too. Access to data networks that have sensitive information can be tightly controlled, as can physical access to the computer rooms or the rooms that hold paper files by implementing biometric scans, Cullen said.
Dual-factor authentication can be added to access portable computer devices which contain patient or business information, Pryse said. "The data housed on the equipment should also be encrypted to prevent unauthorized access in the event of a lost or stolen tablet computer or PDA. The end users should weigh the cost of securing the access and providing adequate firewall protection against the speed or efficiency of patient data entry or retrieval in a live environment."