Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their DataThe International Association for Healthcare Security and Safety (IAHSS) reported in its 2012 Crime and Security Trends Survey that the number of healthcare crimes increased by nearly 37 percent in just two years, from just under 15,000 in 2010 to more than 20,500 in 2012. And, according to the Ponemon Institute, nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years. Increasingly, hospital security and information technology (IT) departments must work together to design, implement and maintain robust security capabilities.

Best practices

There are several best practices to consider. First, access control systems should be based on an open architecture, so they can support new capabilities over time. They should use contactless, high-frequency, smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys. Cards should also employ a secure messaging protocol that is delivered on a trust-based, communication platform within a secure ecosystem of interoperable products.

Another important practice is device authentication with new developments including technologies that recognize anomalies in users’ typical typing style and behavior. The default model for hospitals is to ensure that authenticated users within the hospital may only access their own or their patients’ health records from a known and properly-registered device.

In the case of affiliated doctors, who work with many hospitals, the best approach is to provide them with mobile soft tokens, so they don’t have to carry multiple OTP tokens. Affiliated doctors also should be required to authenticate their devices, both in the hospital and at home or the office.

With these capabilities, hospitals can ensure the highest level of security, convenience, and interoperability, along with the adaptability to meet future requirements.

Future requirements

One future requirement may be the ability to combine multiple applications onto a single card. In addition to centralizing management, this eliminates the need for hospital employees to carry separate cards for opening doors, accessing computers, using time-and-attendance and secure-print-management systems, and making cashless vending purchases. Other applications can include building automation, medical records management, and biometric templates that are stored on the card for additional factors of authentication.

With a highly-secure, smart card foundation in place, hospitals are well positioned to improve risk management and comply with new legislation or regulatory requirements. As an example, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.

Hospital visitors

Visitors must also be considered. Paper guest books should be replaced with registration systems that screen, badge and track every visitor and vendor. These systems should support the HL7 interface control, so administrators can match visitors to real-time information about patient admissions and discharges, Status Blue for pre-registering and approved vendors, and access control integration to provide temporary proximity card access to specific guests, such as contractors or temporary employees. They should also support optional screening and watch lists of unwanted visitors. Finally, they should enable the creation of long-term, durable visitor badges for family members who will be visiting a patient frequently over an extended period.

Logical access control

For logical access control, it’s important to move beyond simple, static passwords to strong authentication methods that ensure individuals accessing data are authorized to do so, and are who they claim to be.

Speed and convenience are important -- a hospital campus is essentially made up of multiple remote access areas, such as test rooms where a nurse may need to access digital x-ray results. It would be difficult if staff had to use a strong authentication method that was complicated or required considerable time and/or typing in each area where they must access data. Instead, they should be provided with contactless One Time Password (OTP) login solutions that enable them to easily “tap in and tap out” for computer login and logout with strong authentication.

Logical access control is also important for on-line patient identification and record access. HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) act point the way, but it will be important that solutions be flexible enough to support new regulatory requirements over time.

On-line banking as a model

Hospitals Must Combat Threats to Both the Facility and Their DataWe should look to the consumer, on-line banking model, where a layered approach has proven effective in ensuring that appropriate levels of risk mitigation can be applied. Another key element that can be applied from on-line banking is to validate transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms. But, if the user wishes to download sensitive documents, there may need to be multiple, strong, authentication security checks during the session.

Hospitals, their staff and patients face growing security threats. Administrators need a combination of physical access control systems, with integrated visitor management capabilities, and logical access control solutions that take a layered approach to risk mitigation, moving beyond passwords to implement strong authentication.

About the Author

Julian Lovelock is the vice president of product marketing, identity assurance with HID Global.

Featured

  • Making the Grade with Locks and Door Hardware

    Managing and maintaining locks and door hardware across a school district or university campus is a big responsibility. A building’s security needs to change over time as occupancy and use demands evolve, which can make it even more challenging. Knowing the basics of common door hardware, including locks, panic devices and door closers, can make a difference in daily operations and emergency situations. Read Now

  • Choosing the Right Solution

    Today, there is a strong shift from on-prem installations to cloud or hybrid-cloud deployments. As reported in the 2024 Genetec State of Physical Security report, 66% of end users said they will move to managing or storing more physical security in the cloud over the next two years. Read Now

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3