Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their DataThe International Association for Healthcare Security and Safety (IAHSS) reported in its 2012 Crime and Security Trends Survey that the number of healthcare crimes increased by nearly 37 percent in just two years, from just under 15,000 in 2010 to more than 20,500 in 2012. And, according to the Ponemon Institute, nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years. Increasingly, hospital security and information technology (IT) departments must work together to design, implement and maintain robust security capabilities.

Best practices

There are several best practices to consider. First, access control systems should be based on an open architecture, so they can support new capabilities over time. They should use contactless, high-frequency, smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys. Cards should also employ a secure messaging protocol that is delivered on a trust-based, communication platform within a secure ecosystem of interoperable products.

Another important practice is device authentication with new developments including technologies that recognize anomalies in users’ typical typing style and behavior. The default model for hospitals is to ensure that authenticated users within the hospital may only access their own or their patients’ health records from a known and properly-registered device.

In the case of affiliated doctors, who work with many hospitals, the best approach is to provide them with mobile soft tokens, so they don’t have to carry multiple OTP tokens. Affiliated doctors also should be required to authenticate their devices, both in the hospital and at home or the office.

With these capabilities, hospitals can ensure the highest level of security, convenience, and interoperability, along with the adaptability to meet future requirements.

Future requirements

One future requirement may be the ability to combine multiple applications onto a single card. In addition to centralizing management, this eliminates the need for hospital employees to carry separate cards for opening doors, accessing computers, using time-and-attendance and secure-print-management systems, and making cashless vending purchases. Other applications can include building automation, medical records management, and biometric templates that are stored on the card for additional factors of authentication.

With a highly-secure, smart card foundation in place, hospitals are well positioned to improve risk management and comply with new legislation or regulatory requirements. As an example, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.

Hospital visitors

Visitors must also be considered. Paper guest books should be replaced with registration systems that screen, badge and track every visitor and vendor. These systems should support the HL7 interface control, so administrators can match visitors to real-time information about patient admissions and discharges, Status Blue for pre-registering and approved vendors, and access control integration to provide temporary proximity card access to specific guests, such as contractors or temporary employees. They should also support optional screening and watch lists of unwanted visitors. Finally, they should enable the creation of long-term, durable visitor badges for family members who will be visiting a patient frequently over an extended period.

Logical access control

For logical access control, it’s important to move beyond simple, static passwords to strong authentication methods that ensure individuals accessing data are authorized to do so, and are who they claim to be.

Speed and convenience are important -- a hospital campus is essentially made up of multiple remote access areas, such as test rooms where a nurse may need to access digital x-ray results. It would be difficult if staff had to use a strong authentication method that was complicated or required considerable time and/or typing in each area where they must access data. Instead, they should be provided with contactless One Time Password (OTP) login solutions that enable them to easily “tap in and tap out” for computer login and logout with strong authentication.

Logical access control is also important for on-line patient identification and record access. HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) act point the way, but it will be important that solutions be flexible enough to support new regulatory requirements over time.

On-line banking as a model

Hospitals Must Combat Threats to Both the Facility and Their DataWe should look to the consumer, on-line banking model, where a layered approach has proven effective in ensuring that appropriate levels of risk mitigation can be applied. Another key element that can be applied from on-line banking is to validate transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms. But, if the user wishes to download sensitive documents, there may need to be multiple, strong, authentication security checks during the session.

Hospitals, their staff and patients face growing security threats. Administrators need a combination of physical access control systems, with integrated visitor management capabilities, and logical access control solutions that take a layered approach to risk mitigation, moving beyond passwords to implement strong authentication.

About the Author

Julian Lovelock is the vice president of product marketing, identity assurance with HID Global.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

  • Protecting Data is Critical

    To say that the Internet of Things (IoT) has become a part of everyday life would be a dramatic understatement. At this point, you would be hard-pressed to find an electronic device that is not connected to the internet. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3