Download PDF version Contact company
Hospitals have different layers of security and multiple points of entry for employees 
 Hospitals need stronger 'in-depth' physical security at different entry points

Within the course of any given day, a hospital or health care chief security officer (CSO) faces the task of not only protecting multiple points of access but also doing so in a way that enables movement and activity, is convenient for staff and patients and does not impede the facility's primary function: saving lives. Health care facilities exist in a wide variety of medical focus, administrative complexity and size, yet all demand appropriate access control coverage.

Dan DeBlasio, Director of business development, Identity and Access Management (IAM) and  Keith Chapman, Solutions manager of Logical and Physical Card products (IAM) at HID explore the impact and implications of access control solutions in the health care sector.

From the moment you enter a major hospital or health care facility, it is likely that you are being monitored before you have even got out of your car. Regardless of if you pulled the ticket to access the parking garage, presented your employee ID to the parking entry reader or walked through the triage area of the emergency room, some form of access control and security has already come into play, getting stronger and more robust the further you get into the facility. Called "security in-depth", there are many different layers of security that go into health care facilities, with security monitoring becoming stricter the deeper you go. Often, this involves multiple points of entry and numerous levels of security for different strata of employees, typically beginning with an employee ID or access credential. 

While much of what we read about preventing unauthorized access to certain areas within hospitals or health care facilities is positive, many institutions have already begun the process of implementing stronger physical security in the form of secure contactless smart cards. Breaches of physical security and unauthorized access to confidential patient files need to be addressed by putting deliberate procedures in place to audit, track and report their occurrence.

Access control in a challenging environment

Contactless smart cards minimize overhead when dealing with biometric template management and distribution 

Health care facilities and hospitals present unique challenges when it comes to security. The sheer volume of traffic and staffing at a major health care facility rivals any college campus environment. Whether the need is to restrict access to authorized personnel-only areas or protect personal and private patient information in either electronic or paper formats or keep hygiene standards to the maximum level, security within the confines of a health care-related setting is multi-faceted. It requires knowledge of current and future physical and logical access needs, coupled with an understanding of the standards and regulations facing today's health care practitioners.

For years, health care facilities have used a variety of methods to provide individuals with convenient yet secure access to facilities, the PC and the network. Because building access and IT systems have traditionally been separate purchasing decisions for many organizations, health care employees are familiar with being forced to carry multiple cards or tokens, using multiple PINs or passwords to access various systems. These practices resulted in security systems that are cumbersome for the employee to use and difficult costly for the organization to manage and maintain, not to mention, deadly within an emergency setting.

Utilizing both, contact and contactless smart chip technologies, the use of a single card solution for identification, secure access and payments, can provide a unique access control solution for health care settings.

 Having a cumbersome security system can be detrimental in an emergency
 Ease of access for employees is crucial in an emergency setting

Hospitals' staff need access to many different areas within the facility as well as immediate PC access and permission to access confidential client records. Carrying multiple smart cards to access those areas does not help mobility, speed or convenience for staff.

Using a single card also provides an opportunity for hospitals to combine workplace IDs and security access cards with payment cards, enabling employees to carry fewer cards and, for example, enable doctors, nurses and support staff to gain access to secure areas, while also using the same card for visual ID verification and for making purchases in the hospital cafeteria.

Benefits of contactless smart cards

One excellent example of how a contactless smart card-based application can benefit a health care organization can be seen in the use of biometrics within a pharmacy setting. Contactless smart cards minimize overhead when dealing with biometric template management and distribution. Rather than storing biometrics on a server and distributing them over a wired network, a contactless smart card-based system allows biometric templates to be carried by the card holder, offering a stronger level of authentication and security commonly referred to as "Match on Card."

Contactless smart cards can also enhance security and address privacy concerns, as the biometric template is stored on the secure card, rather than passed over a hackable network. Using a smart card for logical access applications can advance security, improve convenience for the end-user and minimize help-desk calls for forgotten passwords for single sign-on cases.

Cost-effective access control solutions for hospitals

 Cost-effective access solutions make it possible for hospitals to leverage their existing infrastructure
 Cost-effective security solutions will allow hospitals to leverage their existing infrastructure

The availability of cost-effective, multi-technology authentication devices is making it possible for hospitals and all its facilities to leverage their existing infrastructure, while adding new functionality at a reasonable cost. The convenience afforded by using a single smart card solution has many organizations re-examining the value of converging currently independent systems to achieve solutions that are robust, easily managed and cost-effective.

Just like any other highly trafficked business, hospitals and health centers find value in IP video surveillance, either manned or unmanned, with manned surveillance for immediate security and unmanned surveillance for audit and forensics.

Protecting patient information with security standards

As with any security implementation, it is always best to look at relevant security standards and regulations driving the organizational needs. Depending on which country you are in, you must consider what applications are already being used by hospitals and if there are any specific pre-requisites. For example, in the US a standard called HIPPA governs the health care market. In Europe no such one standard exists and every country has its own systems and preferences but not overriding legislation.  

As an example, Austrian hospitals are already quite advanced in their use of multi-application smart cards for patients and hospital staff. The Gerrman eGK (elektronische Gesundheitskarte) is the largest European IT project linking all sorts of patient's records and details with each other and enhance this security system by use of smart cards.

Implementing logical access control solutions for greater security

Facing growing pressure and scrutiny from the public, health care CSOs are looking to implement stronger forms of authentication in an effort to restrict access to private patient data. Throughout the course of a day, username and passwords are used to access everything from computers to online Web portals to network resources, but does this mean that passwords are secure? 

As the amount of confidential data becomes increasingly accessible, health care facilities are evaluating stronger security and searching for a replacement for traditional passwords. Unfortunately, many forms of stronger network security have traditionally been linked to poor user experiences and have resulted in poor user adoption. This does not need to be the case. 

Health care facilities are evaluating stronger security and searching for a replacement for traditional passwords. One way this can be accomplished is through the implementation of logical access solutions 

One way this can be accomplished is through the implementation of logical access solutions, which encompass a number of PC- and network-related applications, including secure authentication and/or log-in to the PC or network, secure email, data encryption, file/folder encryption, single sign-on and remote VPN access.

Gaining access to the network, whether for ordering medication from the pharmacy or for accessing films or private patient information, can be mission critical for health care facilities. With doctors and nurses using shared terminals or mobile work stations, ensuring that patient information is secure and accessible is a major issue, especially when it occurs within a life-saving situation. If you lose or forget your password and cannot gain prompt access to patient records, it could cost a life. However, by using either a contact or contactless smart card to authenticate to the mobile terminal or workstation, many of these issues can be alleviated.

All-in-one access control solution

From a convenience perspective, having one card that does it all-a photo ID, an access control card, a cafeteria card and an additional authentication factor for network login-can provide a striking value proposition for organizations in the health care market. Leveraging the smart card across a wide range of applications beyond just opening the door can provide high value to hospitals and health care facilities that are charged with maintaining the highest levels of security, and doing so with a cost structure that saves time and money, in addition to patient's lives. 

The fact that hospitals and health care facilities globally need to comply with strict hygiene standards has also raised the demand for access and security equipment that is waterproof and can be easily sterilised. Hospital staff who have continuous patient contact while simultaneously using their smart cards to gain access to rooms, secure PC applications and patient records, thus benefit from contactless technologies as it helps to control infections and reduce the likelihood of transferring viruses.

The future is contactless smartcards

Looking ahead, the health care sector will continue to improve their physical security systems and improve patients' confidentiality while increasing hygiene standards. Although some countries seem to be more advanced than others, many countries have already realised that contactless smartcards are the means to better current practice and set a standard for years to come. 

Dan DeBlasio of HID Dan DeBlasio
Director of business development,
Identity and Access Management (IAM) 
HID Global
Keith Chapman of HID Keith Chapman
Solutions manager of Logical and Physical Card products (IAM)

HID Global
Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

What Is The Impact Of Remote Working On Security?
What Is The Impact Of Remote Working On Security?

During the coronavirus lockdown, employees worked from home in record numbers. But the growing trend came with a new set of security challenges. We asked this week’s Expert Panel Roundtable: What is the impact of the transition to remote working/home offices on the security market?

Water Plant Attack Emphasizes Cyber’s Impact On Physical Security
Water Plant Attack Emphasizes Cyber’s Impact On Physical Security

At an Oldsmar, Fla., water treatment facility on Feb. 5, an operator watched a computer screen as someone remotely accessed the system monitoring the water supply and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. The chemical, also known as lye, is used in small concentrations to control acidity in the water. In larger concentrations, the compound is poisonous – the same corrosive chemical used to eat away at clogged drains. The impact of cybersecurity attacks The incident is the latest example of how cybersecurity attacks can translate into real-world, physical security consequences – even deadly ones.Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. The computer system was set up to allow remote access only to authorized users. The source of the unauthorized access is unknown. However, the attacker was only in the system for 3 to 5 minutes, and an operator corrected the concentration back to 100 parts per million soon after. It would have taken a day or more for contaminated water to enter the system. In the end, the city’s water supply was not affected. There were other safeguards in place that would have prevented contaminated water from entering the city’s water supply, which serves around 15,000 residents. The remote access used for the attack was disabled pending an investigation by the FBI, Secret Service and Pinellas County Sheriff’s Office. On Feb. 2, a compilation of breached usernames and passwords, known as COMB for “Compilation of Many Breaches,” was leaked online. COMB contains 3.2 billion unique email/password pairs. It was later discovered that the breach included the credentials for the Oldsmar water plant. Water plant attacks feared for years Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. Florida’s Sen. Marco Rubio tweeted that the attempt to poison the water supply should be treated as a “matter of national security.” “The incident at the Oldsmar water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals,” comments Mieng Lim, VP of Product Management at Digital Defense Inc., a provider of vulnerability management and threat assessment solutions.The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online “Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasizes the need to ensure the systems are defended against any adversary,” Mieng Lim adds. “Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defenses have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.” "This event reinforces the increasing need to authenticate not only users, but the devices and machine identities that are authorized to connect to an organization's network,” adds Chris Hickman, Chief Security Officer at digital identity security vendor Keyfactor. “If your only line of protection is user authentication, it will be compromised. It's not necessarily about who connects to the system, but what that user can access once they're inside. "If the network could have authenticated the validity of the device connecting to the network, the connection would have failed because hackers rarely have possession of authorized devices. This and other cases of hijacked user credentials can be limited or mitigated if devices are issued strong, crypto-derived, unique credentials like a digital certificate. In this case, it looks like the network had trust in the user credential but not in the validity of the device itself. Unfortunately, this kind of scenario is what can happen when zero trust is your end state, not your beginning point." “The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online for the first time as part of digital transformation projects,” says Gareth Williams, Vice President - Secure Communications & Information Systems, Thales UK. “While the move towards greater automation and connected switches and control systems brings unprecedented opportunities, it is not without risk, as anything that is brought online immediately becomes a target to be hacked.” Operational technology to mitigate attacks Williams advises organizations to approach Operational Technology as its own entity and put in place procedures that mitigate against the impact of an attack that could ultimately cost lives. This means understanding what is connected, who has access to it and what else might be at risk should that system be compromised, he says. “Once that is established, they can secure access through protocols like access management and fail-safe systems.”  “The cyberattack against the water supply in Oldsmar should come as a wakeup call,” says Saryu Nayyar, CEO, Gurucul.  “Cybersecurity professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about,” she says.  Although this attack was not successful, there is little doubt a skilled attacker could execute a similar infrastructure attack with more destructive results, says Nayyar. Organizations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments, she advises. Fortunately, there were backup systems in place in Oldsmar. What could have been a tragedy instead became a cautionary tale. Both physical security and cybersecurity professionals should pay attention.

How Have Security Solutions Failed Our Schools?
How Have Security Solutions Failed Our Schools?

School shootings are a high-profile reminder of the need for the highest levels of security at our schools and education facilities. Increasingly, a remedy to boost the security at schools is to use more technology. However, no technology is a panacea, and ongoing violence and other threats at our schools suggest some level of failure. We asked this week’s Expert Panel Roundtable: How have security solutions failed our schools and what is the solution?