Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their DataThe International Association for Healthcare Security and Safety (IAHSS) reported in its 2012 Crime and Security Trends Survey that the number of healthcare crimes increased by nearly 37 percent in just two years, from just under 15,000 in 2010 to more than 20,500 in 2012. And, according to the Ponemon Institute, nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years. Increasingly, hospital security and information technology (IT) departments must work together to design, implement and maintain robust security capabilities.

Best practices

There are several best practices to consider. First, access control systems should be based on an open architecture, so they can support new capabilities over time. They should use contactless, high-frequency, smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys. Cards should also employ a secure messaging protocol that is delivered on a trust-based, communication platform within a secure ecosystem of interoperable products.

Another important practice is device authentication with new developments including technologies that recognize anomalies in users’ typical typing style and behavior. The default model for hospitals is to ensure that authenticated users within the hospital may only access their own or their patients’ health records from a known and properly-registered device.

In the case of affiliated doctors, who work with many hospitals, the best approach is to provide them with mobile soft tokens, so they don’t have to carry multiple OTP tokens. Affiliated doctors also should be required to authenticate their devices, both in the hospital and at home or the office.

With these capabilities, hospitals can ensure the highest level of security, convenience, and interoperability, along with the adaptability to meet future requirements.

Future requirements

One future requirement may be the ability to combine multiple applications onto a single card. In addition to centralizing management, this eliminates the need for hospital employees to carry separate cards for opening doors, accessing computers, using time-and-attendance and secure-print-management systems, and making cashless vending purchases. Other applications can include building automation, medical records management, and biometric templates that are stored on the card for additional factors of authentication.

With a highly-secure, smart card foundation in place, hospitals are well positioned to improve risk management and comply with new legislation or regulatory requirements. As an example, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.

Hospital visitors

Visitors must also be considered. Paper guest books should be replaced with registration systems that screen, badge and track every visitor and vendor. These systems should support the HL7 interface control, so administrators can match visitors to real-time information about patient admissions and discharges, Status Blue for pre-registering and approved vendors, and access control integration to provide temporary proximity card access to specific guests, such as contractors or temporary employees. They should also support optional screening and watch lists of unwanted visitors. Finally, they should enable the creation of long-term, durable visitor badges for family members who will be visiting a patient frequently over an extended period.

Logical access control

For logical access control, it’s important to move beyond simple, static passwords to strong authentication methods that ensure individuals accessing data are authorized to do so, and are who they claim to be.

Speed and convenience are important -- a hospital campus is essentially made up of multiple remote access areas, such as test rooms where a nurse may need to access digital x-ray results. It would be difficult if staff had to use a strong authentication method that was complicated or required considerable time and/or typing in each area where they must access data. Instead, they should be provided with contactless One Time Password (OTP) login solutions that enable them to easily “tap in and tap out” for computer login and logout with strong authentication.

Logical access control is also important for on-line patient identification and record access. HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) act point the way, but it will be important that solutions be flexible enough to support new regulatory requirements over time.

On-line banking as a model

Hospitals Must Combat Threats to Both the Facility and Their DataWe should look to the consumer, on-line banking model, where a layered approach has proven effective in ensuring that appropriate levels of risk mitigation can be applied. Another key element that can be applied from on-line banking is to validate transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms. But, if the user wishes to download sensitive documents, there may need to be multiple, strong, authentication security checks during the session.

Hospitals, their staff and patients face growing security threats. Administrators need a combination of physical access control systems, with integrated visitor management capabilities, and logical access control solutions that take a layered approach to risk mitigation, moving beyond passwords to implement strong authentication.

About the Author

Julian Lovelock is the vice president of product marketing, identity assurance with HID Global.

Featured

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Only 35 Percent of Companies Include Cybersecurity Teams When Implementing AI

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

  • Stay Secure in 2024: Updated Cybersecurity Tips for the Office and at Home

    Cyber criminals get more inventive every year. Cybersecurity threats continue to evolve and are a moving target for business owners in 2024. Companies large and small need to employ cybersecurity best practices throughout their organization. That includes security integrators, manufacturers, and end users. Read Now

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3