printer friendly version

Healthcare security without the complexity

Hospitals face many security threats in an environment complicated by high traffic volumes, complex staffing requirements, and a demanding regulatory environment.

Meeting modern security challenges while complying with rules and regulations, such as the recent EU data breach regulations, the UK Data Protection Act (DPA) and other regulatory mandates requires best practices for both physical and IT security, using flexible and scalable access control systems that can combat today’s evolving security threats while supporting future improvements in security and convenience.

Nat Pisupati, regional sales director, Middle East and Africa with HID Global.

It is also important for healthcare institutions to maximise the ongoing value of their investment by ensuring that ID cards used for opening doors can also be used for other applications including time-and-attendance, cashless payment and logical access control to protect IT assets and enhance patient information privacy protection.

Improving physical access control

Hospital security challenges can be extremely complicated. Patients and visitors must feel welcomed and comfortable, yet safe and well protected. Hospitals also must support affiliated doctors who need to carry multiple badges for all the locations they visit. Over time, administrators may want to integrate access control with visitor management, or add video surveillance and other technologies.

This can be difficult to accomplish with legacy systems, which are vulnerable to security threats and can’t easily be upgraded to new features and capabilities. In contrast, the latest physical access control system (PACS) system architectures are based on dynamic technologies, making it significantly easier and less expensive to upgrade them. Benefits of these systems include:

• Improved security: The latest PACS solutions use contactless high frequency smart card technology with mutual authentication and cryptographic protection mechanisms and secret keys. The cards use a secure messaging protocol delivered on a trust-based communication platform within a secure ecosystem of interoperable products, enabling hospitals to achieve the highest level of security, convenience, interoperability and adaptability.

• Simplified system management: protocols like the industry-standard Open Supervised Device Protocol (OSDP) and companion Secure Channel Protocol (SCP) for reader communications replace legacy, unsecured Wiegand technology to provide bidirectional, multi-dropped communication. OSDP extends security from the card reader to the access controller, and reduces costs while improving reader monitoring and servicing by enabling users to re-configure, poll and query readers from a central system. OSDP will also usher in new reader capabilities, including the ability to display real-time evacuation information in the event of an emergency.

• Improved risk management: Today’s platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements. For example, the UK DPA imposes strict requirements for accessing personal information, such as medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.

• A path to networked access control: Many institutions are moving to IP-based PACS solutions that are easier to operate and simplify expansion and customisation while enabling integration with other solutions that can share the same network. These solutions move intelligence to the door, which streamlines system monitoring, management and reporting via standard Web browsers. With IP-based solutions, users also can invest in hardware platforms that are not tied to proprietary software, simplifying upgrades and enhancements.

• Ability to add wireless locksets: IP-based access control solutions facilitate deployment of wireless locksets that connect with the online access control system and provide near-online and near-real-time control of the opening. This reduces wiring costs, and alleviates problems with using mechanical keys that are hard to monitor and manage, are vulnerable to theft, and make it difficult to investigate incidents when they occur.

• More secure and simplified visitor management, integrated with the PACS: Today’s visitor management systems enable the screening, badging and tracking all visitors or, at a minimum, those visiting critical areas or during after-hours periods. Systems should support real-time patient feeds using Health Level 7 (HL7) integration, which ensures that no visitor is sent to the wrong location or to see a patient that is no longer checked in.

• Ability to add new capabilities: The latest PACS architectures provide the flexibility to support new applications such as infant protection systems, and biometrics in sensitive areas such as laboratories and research centres.

• Opportunities to do more with the card: Ideally, hospitals should be able to offer physicians, nurses and administrative staff a single card that provides access to, for instance, both the emergency room and the pharmacy, and also can be used for visual ID verification, time-and-attendance logging, payroll transactions, and purchases in the hospital cafeteria. This not only simplifies life for cardholders, but also centralises and streamlines management.

IT and health record security

Patient privacy protection is increasingly important. Health data is at least as valuable as financial data in the on-line banking industry, where a layered system approach is used to ensure that appropriate risk mitigation levels can be applied. Even though patients don’t access healthcare information as frequently as do on-line bankers, and aren’t protected by the same regulatory compliance requirements, they can benefit from the same multi-layered authentication mechanisms, both inside and outside the hospital. Healthcare organisations need a versatile authentication platform with real-time threat detection capabilities in order to effectively implement these five security layers:

• User authentication: Strong authentication ensures individuals accessing data are authorised, and who they claim to be. Speed and convenience are important – it would be difficult if hospital staff had to use a complicated, time-consuming strong authentication method in each area where they must access data. An emerging approach uses emerging Near Field Communications (NFC) technology, enabling users to carry a smart card or smartphone with an authentication credential stored on the device’s secure element (SE) or subscriber identification module (SIM) chip. With these mobile soft tokens, users can simply “tap in” to hospital facilities, VPNs, wireless networks, and cloud- and Web-based applications. Affiliated doctors who might previously have carried as many as 20 one-time password (OTP) tokens will now be able to carry single mobile soft tokens.

• Device authentication: The default model inside the hospital is to ensure that authenticated users within the hospital may only access their own – or their patients’ – health records from a known and properly registered device. Affiliated doctors also should be required to authenticate their devices. New developments include technologies that recognise anomalies in users’ typical typing style and behaviour.

• Transaction authentication with pattern-based intelligence: This, too, has been proven in on-line banking, for validating transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms.

• Browser protection: The user’s browser must be part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with a mutual secure socket layer (SSL) connection to the application.

• Application security: It is also important to protect applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.

Today’s solutions enable healthcare organisations to achieve a versatile PACS that protects everything from hospital doors and storage areas to the cloud and desktops. With proper planning, healthcare institutions will be able to preserve investments in today’s physical access control credential solution as they seamlessly add new capabilities in the future. The result is a fully interoperable, multi-layered and highly adaptable security solution that spans the organisation’s networks, systems and facilities, and has room to grow, evolve and improve over time.

Share this article:

Further reading: