Hospitals face many security threats in an environment complicated by high traffic volumes, complex staffing requirements, and a demanding regulatory environment. In California, hospitals must report any security breach event, after which the California Department of Public Health (CDPH) checks policies, practices and audit trails, and executes inspections and assesses fines. Often, hospital administrators must also follow federal guidelines established by the Centers for Medicare & Medicaid Services (CMS) that, at times, conflict with state rules and result in fines. Other entities that set security guidelines include the Joint Commission accreditation and certification body, which has oversight for physical building security, water, safety, fire, and other security processes, and the Det Norske Veritas (DNV), an independent foundation that works with healthcare authorities and providers to manage risk and improve healthcare delivery. Legislation such as the Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996, which established U.S. standards for privacy and security, also impact hospital access control policies and procedures.
Hospitals face many security threats in an environment complicated by high traffic volumes, complex staffing requirements, and a demanding regulatory environment. In California, hospitals must report any security breach event, after which the California Department of Public Health (CDPH) checks policies, practices and audit trails, and executes inspections and assesses fines. Often, hospital administrators must also follow federal guidelines established by the Centers for Medicare & Medicaid Services (CMS) that, at times, conflict with state rules and result in fines. Other entities that set security guidelines include the Joint Commission accreditation and certification body, which has oversight for physical building security, water, safety, fire, and other security processes, and the Det Norske Veritas (DNV), an independent foundation that works with healthcare authorities and providers to manage risk and improve healthcare delivery. Legislation such as the Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996, which established U.S. standards for privacy and security, also impact hospital access control policies and procedures.
Meeting modern security challenges while complying with these and other regulatory mandates requires best practices for both physical and IT security, using flexible and scalable access control systems that can combat today’s evolving security threats while supporting future improvements in security and convenience. It is also important for healthcare institutions to maximize the ongoing value of their investment by ensuring that ID cards used for opening doors can also be used for other applications including time-and-attendance, cashless payment and logical access control to protect IT assets and enhance patient information privacy protection.
Improving Physical Access Control
Hospital security challenges can be extremely complicated. Patients and visitors must feel welcomed and comfortable, yet safe and well protected. Hospitals also must support affiliated doctors who need to carry multiple badges for all the locations they visit. Over time, administrators may want to integrate access control with visitor management, or add video surveillance and other technologies. This can be difficult to accomplish with legacy systems, which are vulnerable to security threats and can’t easily be upgraded to new features and capabilities. In contrast, the latest physical access control system (PACS) system architectures are based on dynamic technologies, making it significantly easier and less expensive to upgrade them. Benefits of these systems include:
• Improved Security: The latest PACS solutions use contactless high frequency smart card technology with mutual authentication and cryptographic protection mechanisms and secret keys. The cards use a secure messaging protocol delivered on a trust-based communication platform within a secure ecosystem of interoperable products, enabling hospitals to achieve the highest level of security, convenience, interoperability and adaptability.
• Simplified system management: protocols like the industry-standard Open Supervised Device Protocol (OSDP) and companion Secure Channel Protocol (SCP) for reader communications replace legacy, unsecured Wiegand technology to provide bidirectional, multi-dropped communication. OSDP extends security from the card reader to the access controller, and reduces costs while improving reader monitoring and servicing by enabling users to re-configure, poll and query readers from a central system. OSDP will also usher in new reader capabilities, including the ability to display real-time evacuation information in the event of an active shooter crisis.
• Improved risk management: Today’s platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements. For example, HIPAA imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.
• A path to networked access control: Many institutions are moving to IP-based PACS solutions that are easier to operate and simplify expansion and customization while enabling integration with other solutions that can share the same network. These solutions move intelligence to the door, which streamlines system monitoring, management and reporting via standard web browsers. With IP-based solutions, users also can invest in hardware platforms that are not tied to proprietary software, simplifying upgrades and enhancements.
• Ability to add wireless locksets: IP-based access control solutions facilitate deployment of wireless locksets that connect with the online access control system and provide near-online and near-real-time control of the opening. This reduces wiring costs, and alleviates problems with using mechanical keys that are hard to monitor and manage, are vulnerable to theft, and make it difficult to investigate incidents when they occur.
• More secure and simplified visitor management, integrated with the PACS: Today’s visitor management systems enable the screening, badging and tracking all visitors or, at a minimum, those visiting critical areas or during “after hours” periods. Systems should support real-time patient feeds using Health Level 7 (HL7) integration, which ensures that no visitor is sent to the wrong location or to see a patient that is no longer checked in. Systems should also pre-register approved vendors and temporary employees through Status Blue integration, and support integration with access control systems for the most efficient badging.
• Ability to add new capabilities: The latest PACS architectures provide the flexibility to support new applications such as infant protection systems, and biometrics in sensitive areas such as laboratories and research centers.
• Opportunities to do more with the card: Ideally, hospitals should be able to offer physicians, nurses and administrative staff a single card that provides access to, for instance, both the emergency room and the pharmacy, and also can be used for visual ID verification, time-and-attendance logging, payroll transactions, and purchases in the hospital cafeteria. This not only simplifies life for cardholders, but also centralizes and streamlines management.
IT and Health Record Security
Patient privacy protection is increasingly important. Health data is at least as valuable as financial data in the on-line banking industry, where a layered system approach is used to ensure that appropriate risk mitigation levels can be applied. Even though patients don’t access healthcare information as frequently as do on-line bankers, and aren’t protected by the same regulatory compliance requirements, they can benefit from the same multi-layered authentication mechanisms, both inside and outside the hospital. Healthcare organizations need a versatile authentication platform with real-time threat detection capabilities in order to effectively implementing these five security layers:
• User Authentication: Strong authentication ensures individuals accessing data are authorized, and who they claim to be. Speed and convenience are important -- it would be difficult if hospital staff had to use a complicated, time-consuming strong authentication method in each area where they must access data. An emerging approach uses emerging Near Field Communications (NFC) technology, enabling users to carry a smart card or smartphone with an authentication credential stored on the device’s secure element (SE) or subscriber identification module (SIM) chip. With these mobile soft tokens, users can simply “tap in” to hospital facilities, VPNs, wireless networks, and cloud- and web-based applications. Affiliated doctors who might previously have carried as many as 20 One Time Password (OTP) tokens will now be able to carry a single mobile soft tokens.
• Device Authentication: The default model inside the hospital is to ensure that authenticated users within the hospital may only access their own -- or their patients’ -- health records from a known and properly registered device. Affiliated doctors also should be required to authenticate their devices. New developments include technologies that recognize anomalies in users’ typical typing style and behavior.
• Transaction Authentication with Pattern-based Intelligence: This, too, has been proven in on-line banking, for validating transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms. If the user is a celebrity, or wishes to download sensitive documents, there may be multiple strong authentication security checks during the session.
• Browser protection: The user’s browser must be part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with a mutual secure socket layer (SSL) connection to the application.
• Application Security: It is also important to protect applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.
Today’s solutions enable healthcare organizations to achieve a versatile PACS that protects everything from hospital doors and storage areas to the cloud and desktops. With proper planning, healthcare institutions will be able to preserve investments in today’s physical access control credential solution as they seamlessly add new capabilities in the future. The result is a fully interoperable, multi-layered and highly adaptable security solution that spans the organization’s networks, systems and facilities, and has room to grow, evolve and improve over time.
By Sheila L. Stromberg, Director of Vertical Markets, Healthcare Solutions, HID Global