Industry regulations and demands are pushing for convergence of physical and IT access control as well. "The Health Information Technology for Economic and Clinical Health Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) legislation requirements are pushing health care organizations to facilitate increased security levels for patient and other critical information," said Lisa Pryse, President of the Health Care Division, Old Dominion Security. "Though bandwidth is scrutinized to provide for multiple secure uses, more security systems are centralized into one area as well as coordinated with the IT department."
Challenges
When the physical and logical access control systems are installed by different integrators, the foremost problem faced is compatibility between the two systems, as the installers might not be trained on both systems, said Eric Assouline, Export Sales Manager, CDVI Group.
Another problem is that the systems would run separately and likely would not read each other's credentials, nor would a smart card carry a biometric template that helps lower network traffic and provide greater privacy for the employee, Cullen said. "Interoperability of the systems delivers a flow of critical information from disparate systems to the right person at the right time. Communication systems enable visibility of information up- and downstream, avoiding costly bottlenecks."
Most often the problem is the lack of open standards in health care IT solutions, Botti said. "If the vendor of choice uses a closed system with proprietary or little API support, the integration between logical and physical access systems becomes a cumbersome and often expensive customized effort. There would also be issues with correlating data between the disparate systems, because there is no real free exchange of data between these solutions. The integration done is for a very narrow band of use cases and tends to miss backend analysis and correlation, which results in additional lengthy and expensive integration efforts."
Teamwork
Ensuring smooth integration between physical access control, logical access control and other security systems is not the sole responsibility of the systems integrator. Security managers and CIOs acting on behalf of the institutions should also thoroughly understand both the existing systems and potential new systems to get a clear idea of how convergence works.
Typically during integration, solution providers have tried to investigate what existing security solutions are in place and where to leverage existing infrastructure components, such as badges or identity stores, Botti said. "If
 |
| Dave Cullen, Director of Business Development for Health Care, Lumidigm |
possible, instill an interface as part of the implementation of a logical system that provides a single source provisioning solution between the physical access and logical access identity stores."
A converged physical and logical access control system often falls under the CIO's jurisdiction, with the security manager reporting to the CIO. In health care facilities, however, it is often divided between two distinct management chains, pitting physical security against logical security, Botti said. To avoid this standoff, both the CIO and security manager should understand both physical and logical systems to optimize performance, Assouline said.
"CIOs develop the long-term strategic direction of the hospital, and IT is at the core of reducing health care costs and establishing efficient processes," Cullen said. "Protecting these investments is also the responsibility of the CIO and included in this plan should be a strategy for streamlined physical and logical access controls. Streamlining backend identity and access management systems is only the first step to an efficient security infrastructure. It helps when the CIO understands both worlds, but it is equally important that the security manager likewise understands both types of systems."
"More CIOs now partner with security managers in order to manage a complete physical and logical access control system," said Brian Stemp, PM of Access Control in EMEA, ADT Security. "The responsibilities of each position could be influenced by the budget provided for each department, yet the two sides need to establish close ties in order to deliver efficient and solid work."
Drivers
The drivers for the convergence of physical and logical access control systems in health care institutions are reduced cost, increased security and reliability in the installed system. New platforms used for physical access control open up possibilities to integrate with logical access control faster and easier, while costs have decreased due to a wider selection of solutions, Assouline said.
Converged systems are driven by the desire to reduce operating costs and redundant components when examining the solutions from an enterprise-level view, Botti said. "In some cases, it is to reduce the overall complexity of the entire ecosystem — reducing the number of badges such that physical and logical access can be controlled with the same token."