Facility and IT security systems converge to manage security
- By Brandon Arcment
- Nov 01, 2015
Now that mobile identities can be carried on phones for physical security applications, they are merging with smart cards into centralized identity management systems. Organizations can use either or both to secure access to the door, data and cloud applications. The goal is a unified system that enables strong authentication and card management capabilities for computer and network logon, while also ensuring that physical and logical identities can be managed on a combination of plastic cards, smartphones and other mobile devices.
This trend is having a big impact on physical and IT security departments at hospitals and other large facilities and campuses. CIOs and CSOs have both gotten much more involved with each other in deployment decisions, creating new opportunities to maximize security and efficiency.
Evolving Roles for CIOs and CSOs
It is increasingly important that facility and information security teams work together to gain a better mutual understanding of today’s threats, and how best to combat them, while coordinating system workflow and security enhancements. The two departments should collaborate closely on all aspects of designing, implementing and maintaining robust security capabilities. Both teams must understand and follow best practices that extend across physical and logical access control.
The physical security market has been at the front lines of security convergence since the transition from analog video surveillance cameras to networked solutions. IT staff now heavily influences technology purchasing and daily oversight in this area.
There also has been a push to integrate video, access control, intrusion detection and other system components into Physical Security Information Management (PSIM) and other unified systems. This convergence trend is accelerating with the move to ID cards and mobile phones used together for physical and logical access. The same card used to open a door can now also have “tap” authentication capabilities for logical access control—it can be tapped to a laptop, tablet, phone or other NFC-enabled device to access data, cloud apps and web-based services, replacing dedicated one-time password (OTP) solutions. And that same device can be turned into a trusted credential that can be used to unlock doors and open gates.
Issues at the Intersection
As physical and logical access requirements intersect, only platforms based on open standards will enable the move to mobile access control, converged solutions, and web-based credential provisioning. Solutions can be deployed all at once, or gradually and selectively as needed. For instance, not everyone in the hospital will need mobile access on smartphones for opening doors. Visual identification enabled by traditional ID badges remains very important in the hospital setting, so cards will need to coexist with mobile IDs. Another decision is whether to provision mobile access only to company-issued devices, or to support a Bring Your Own Device (BYOD) model, and how to do that.
Regardless of the chosen mobility strategy, the access control platform will need to support the broadest possible range of devices without the need for additional sleeves or other accessories. Today’s most versatile solutions support various read ranges and enable phones to open doors not just by tapping them to a reader but also by twisting them from a distance as a user drives or walks up to it. Hospitals will need to determine the types of doors to be mobile-enabled, what kinds of features to incorporate, and which entry points will benefit most from various capabilities.
Using the same access control platform, the hospital also can assess its logical access needs. This includes looking at tap authentication as a more secure and convenient way for users to access network resources, cloud apps and web-based services using the same ID card that opens doors. Tap authentication is particularly attractive for mobile device users. In today’s mobile-first world, employees expect access to corporate cloud applications, data and services anywhere, at any time, from their preferred mobile device. This anywhere, anytime access can potentially make networks more vulnerable to security breaches. Tap authentication solves these security problems while also providing greater user convenience.
Implementation
Policy development is an important area, including updating old procedures to address new capabilities, and writing procedures to address new technologies. Organizations also need a robust process for managing users and the entire life cycle of mobile identities. This can be handled internally, or outsourced through offerings like HID Global’s Secure Identity Services. This offering is used to manage the entire process of how an employee is on-boarded and issued a mobile identity, how to issue an additional mobile identity when visiting remote offices, and how to remove a digital key from a device if an employee reports it lost or stolen. Mobile identities can also be configured to only engage with readers when the mobile device is unlocked. This means that an unauthorized user would have to get around the device PIN or biometric authentication to be able to use it to open doors and access the building.
For logical access control, a hospital can employ the same access control system to implement and manage a simple process for using ID cards and mobile devices to access data and cloud services. After users tap their card to their device, the OTP generated for that login cannot be reused. There are no additional tokens to deploy and manage, and users have only one item to carry—their smart card—and no longer must remember or type a complex password.
As physical and online access applications merge onto a combination of cards and phones, a hospital’s physical and information security teams will learn how to manage multiple ID numbers for multiple applications on multiple devices. The identity management system will need to support multiple application identities with different lifecycles, while also enabling different groups within an organization to independently take responsibility for their own application and identity lifecycle needs.
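As an added illustration (not code from the article, nor from HID Global’s product), here is a minimal Python model of the lifecycle just described: a user’s card and phone each carry their own application identities with separate expiry, a phone reported lost is revoked without touching the card, and mobile identities engage only when the device is unlocked. All names, device IDs and ID numbers are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class AppIdentity:          # one application identity (door, logon, ...) with its own lifecycle
    app: str
    id_number: str          # constructed per-application ID number
    expires: date
    revoked: bool = False

@dataclass
class Credential:           # a plastic card or a mobile device carrying application identities
    kind: str                       # "card" or "mobile"
    require_unlock: bool = False    # mobile IDs engage only when the phone is unlocked
    identities: dict = field(default_factory=dict)  # app -> AppIdentity

class IdentityStore:        # minimal identity management: enroll, issue, revoke, authorize
    def __init__(self):
        self.devices = {}           # device_id -> Credential

    def enroll(self, device_id, kind, require_unlock=False):
        self.devices[device_id] = Credential(kind, require_unlock)

    def issue(self, device_id, app, id_number, valid_days, today):
        self.devices[device_id].identities[app] = AppIdentity(app, id_number, today + timedelta(days=valid_days))

    def report_lost(self, device_id):
        # Revoke every identity on the lost device only; the user's card keeps working.
        for ident in self.devices[device_id].identities.values():
            ident.revoked = True

    def authorize(self, device_id, app, today, device_unlocked=True):
        cred = self.devices.get(device_id)
        if cred is None or (cred.require_unlock and not device_unlocked):
            return False
        ident = cred.identities.get(app)
        return ident is not None and not ident.revoked and today <= ident.expires

def demo():
    store, today = IdentityStore(), date(2015, 11, 1)    # constructed walk-through
    store.enroll("card-001", "card")
    store.enroll("phone-001", "mobile", require_unlock=True)
    store.issue("card-001", "door", "10001", 365, today)
    store.issue("phone-001", "door", "20001", 30, today)    # short-lived visiting-office ID
    checks = {"phone": store.authorize("phone-001", "door", today),
              "phone_locked": store.authorize("phone-001", "door", today, device_unlocked=False),
              "phone_expired": store.authorize("phone-001", "door", today + timedelta(days=31))}
    store.report_lost("phone-001")
    checks["phone_lost"] = store.authorize("phone-001", "door", today)
    checks["card_after_loss"] = store.authorize("card-001", "door", today)
    return checks
```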
Special Healthcare Considerations
Threats to hospitals and other healthcare facilities can be divided into those to the safety of staff, patients and visitors, and those to the security of patient information and other data. Physical security threats can be difficult to combat because of the modern hospital’s typically large campus size and the often geographically dispersed nature of many facilities. There is also the need to ensure emergency preparedness for natural disasters.
Another challenge is supporting secure access from affiliated doctors who may work with many different institutions, requiring them to carry multiple badges for all the locations they visit. Visitors are also a challenge—some may pose a threat, all must be protected, and doing so is more difficult during “after hours” periods and in critical areas such as labor and delivery floors and pediatric wards.
On the information security side, threats to patient privacy take many forms, and safeguards must extend to electronically prescribed medications, as well. In the United States, HIPAA and the HITECH Act create the need for process and workflow changes, as well as technology investments in a combination of cybersecurity and privacy protection. Healthcare institutions also must comply with mandates established by the Drug Enforcement Agency’s (DEA) Interim Final Rule (IFR) for Electronic Prescriptions for Controlled Substances (EPCS). The EPCS regulation not only creates convenience for practitioners and patients through allowing electronic transmittal of prescriptions for controlled drugs, it also enhances security when implemented in a DEA-compliant fashion. Compliance requires using a software application that conforms to regulatory standards and is identity-proofed and credentialed for two-factor authentication.
To keep up with these and other threats and regulatory requirements, hospitals must take a unified approach to opening doors and gaining secure access to data, patient information and hospital applications. The latest solutions support many access control applications on the same smart card, from access control for the parking lot, main door, emergency room and pharmacy to visual ID verification, time-and-attendance, payroll transactions and cafeteria purchases. They also enable the integration of visitor management systems to optimize badging efficiency as part of a complete solution that supports real-time patient feeds and Health Level Seven International (HL7) integration.
On the information security side, the access control system must employ strong authentication and adequate security so that patient health information is protected in an increasingly digital world. With the right infrastructure in place, healthcare institutions can meet today’s security and compliance needs while continually improving security and convenience, protecting patient privacy, and increasing the value of their investment. Tap authentication is particularly valuable for information security in the healthcare environment, reducing the need for complex passwords and diminishing password fatigue for users who might have to log in 20 or more times each day in order to access the facility’s enterprise data and services. Tap authentication helps hospitals align information security and safety, meet compliance needs, and ensure that patient privacy is protected.
Finally, the threat of fraud in electronically prescribed medications can be combated through systems that employ unique physical information such as a fingerprint or iris scan, or use physical objects, which in the U.S. can be a FIPS 140-2 certified cryptographic key, hard token or card. Security is improved by leveraging public key infrastructure (PKI) using on-site or cloud-based validation services between all relying parties, elevating the trusted transaction, which reduces or eliminates the opportunity for breach.
It has become increasingly important that facility and information security teams work together to fully understand today’s threats and how best to combat them. As they follow a similar path to that of most enterprises, healthcare institutions are adopting converged solutions to secure access to everything from the doors to computers, data, applications and cloud-based services.
This article originally appeared in the November 2015 issue of Security Today.