Organizing a Team
Identity management systems are centralized within mobile platforms
- By Brandon Arcment
- Apr 01, 2016
Now that mobile identities can be carried on
phones for physical security applications, they
are merging with smart cards into centralized
identity management systems. Organizations
can use either or both to secure access to the
door, data and cloud applications. The goal is a
unified system that enables strong authentication
and card management capabilities for computer
and network logon, while also ensuring
that physical and logical identities can be managed
on a combination of plastic cards, smartphones
and other mobile devices.
This trend is having a big impact on physical and IT security
departments at hospitals and other large facilities and campuses. CIOs
and CSOs are now far more involved in each other's deployment decisions,
which creates new opportunities to improve both security and efficiency.
Evolving Roles for CIOs and CSOs
It is increasingly important that facility and information security
teams work together to gain a better mutual understanding of today’s
threats, and how best to combat them, while also coordinating system
workflow and security enhancements. The two departments should
collaborate closely on all aspects of designing, implementing and
maintaining robust security capabilities. Both teams also must understand
and follow best practices that extend across physical and logical
access control.
The physical security market has been at the front lines of security
convergence since the transition from analog video surveillance cameras
to networked solutions. IT staff now heavily influences technology
purchasing and daily oversight in this area. There also has been a push
to integrate video, access control, intrusion detection and other system
components into Physical Security Information Management (PSIM)
and other unified systems.
Now, this convergence trend is accelerating with the move to ID
cards and mobile phones used together for physical and logical access.
The same card used to open a door can now also have “tap” authentication
capabilities for logical access control. It can be tapped to a laptop,
tablet, phone or other NFC-enabled device to access data, cloud apps
and web-based services, replacing dedicated one time password (OTP)
solutions. And the phone itself can be turned into a trusted credential
that can be used to unlock doors and open gates.
Issues at the Intersection
As physical and logical access requirements intersect, only platforms
based on open standards will enable the move to mobile access control,
converged solutions, and web-based credential provisioning. Solutions
can be deployed all at once, or gradually and selectively as needed. For
instance, not everyone in a hospital will need mobile access on smartphones
for opening doors. Visual identification enabled by traditional
ID badges remains very important in the hospital setting, so cards will
need to coexist with mobile IDs. Another decision is whether to provide
mobile access only to company-issued devices, or to support a
Bring Your Own Device (BYOD) model, and how to do that.
Regardless of the chosen mobility strategy, the access control platform
will need to support the broadest possible range of devices without
the need for additional sleeves or other accessories. Today’s most
versatile solutions support various read ranges and enable phones to
open doors not just by tapping them to a reader but also by twisting
them from a distance as a user drives or walks up to it. Hospitals will
need to determine the types of doors to be mobile-enabled, what kinds
of features to incorporate, and which entry points will benefit most
from various capabilities.
Using the same access control platform, the hospital also can assess
its logical access needs. This includes looking at tap authentication as
a more secure and convenient way for users to access network resources,
cloud apps and web-based services using the same ID card that
opens doors. Tap authentication is particularly attractive for mobile
device users. In today’s mobile-first world, employees expect access to
corporate cloud applications, data and services anywhere, at any time,
from their preferred mobile device. This anywhere, anytime access widens
the set of devices and networks from which a password can be captured or
phished. Tap authentication mitigates that risk by tying logon to
possession of the card rather than to a typed secret, while also providing
greater user convenience.
Implementation
Policy development is an important area, including updating old procedures
to address new capabilities, and writing procedures to address
new technologies. Organizations also need a robust process for managing
users and the entire life cycle of mobile identities. This can be
handled internally, or outsourced through offerings like HID Global’s
Secure Identity Services. HID Global’s offering is used to manage the
entire process of how an employee is on-boarded and issued a mobile
identity, how to issue an additional mobile identity when visiting
remote offices, and how to remove a digital key from a device if an
employee reports it lost or stolen.
Mobile identities can also be configured to only engage with readers
when the mobile device is unlocked. This means that an unauthorized
user would have to get around the device PIN or biometric authentication
to be able to use it to open doors and access the building. That protection
only holds if the hospital's device policy requires a lock screen rather
than leaving it optional.
For logical access control, a hospital can employ the same access
control system to implement and manage a simple process for using ID
cards and mobile devices to access data and cloud services. Users simply
tap their card to their device, and the one-time code it produces takes the
place of a separate OTP token. There are no additional tokens to deploy
and manage, users have only one item to carry, their smart card, and they
no longer must remember or type a complex password.
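To make the tap-based logon flow concrete, here is a worked example of the card side and the server side of an event-counter one-time password (the RFC 4226 HOTP construction), wrapped in the issue, verify and revoke lifecycle the article describes: on-boarding a badge, issuing an additional mobile identity to the same user, tolerating taps that never reached the server, rejecting replays, and killing a credential reported lost. It is an added example written for this page, not code from HID Global or Security Today. The page does not specify the card's protocol, so the use of an HMAC-based OTP is an assumption, and the credential identifiers, keys and the `OtpServer`, `Card` and `demo` names are constructed for illustration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Credential:
    """One issued identity as the server sees it (hypothetical record layout)."""
    secret: bytes          # per-credential key provisioned at issuance
    counter: int = 0       # highest counter value the server has accepted so far
    revoked: bool = False  # set when the badge or phone is reported lost


class OtpServer:
    """Relying-party side of tap authentication: issue, verify, revoke."""
    LOOK_AHEAD = 10  # taps that may have happened without reaching this server

    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}

    def issue(self, cred_id: str, secret: bytes) -> None:
        self._creds[cred_id] = Credential(secret=secret)

    def revoke(self, cred_id: str) -> None:
        self._creds[cred_id].revoked = True

    def verify(self, cred_id: str, code: str) -> bool:
        cred = self._creds.get(cred_id)
        if cred is None or cred.revoked:
            return False
        # Only counters strictly above the last accepted one are candidates,
        # so a captured code can never be replayed once it has been used.
        for c in range(cred.counter + 1, cred.counter + 1 + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(cred.secret, c), code):
                cred.counter = c
                return True
        return False


class Card:
    """Card or phone side: holds the secret and a counter that only moves forward."""

    def __init__(self, cred_id: str, secret: bytes) -> None:
        self.cred_id, self.secret, self.counter = cred_id, secret, 0

    def tap(self) -> tuple[str, str]:
        """One NFC tap: advance the counter and emit the code for it."""
        self.counter += 1
        return self.cred_id, hotp(self.secret, self.counter)


def demo() -> dict[str, bool]:
    """Walk the lifecycle on constructed credentials; returns each check's outcome."""
    server = OtpServer()
    badge_key = b"constructed-badge-key-not-a-real-secret"
    phone_key = b"constructed-phone-key-not-a-real-secret"
    server.issue("badge-0001", badge_key)  # plastic ID card issued at on-boarding
    server.issue("phone-0001", phone_key)  # additional mobile identity, same user
    badge = Card("badge-0001", badge_key)
    phone = Card("phone-0001", phone_key)

    results = {}
    cred_id, code = badge.tap()
    results["first_tap_accepted"] = server.verify(cred_id, code)
    results["replay_rejected"] = not server.verify(cred_id, code)
    for _ in range(3):
        badge.tap()  # taps at a reader that never reported to this server
    results["resync_within_window"] = server.verify(*badge.tap())
    for _ in range(OtpServer.LOOK_AHEAD):
        phone.tap()  # one more unsent tap than the window tolerates
    results["beyond_window_rejected"] = not server.verify(*phone.tap())
    server.revoke("badge-0001")  # badge reported lost
    results["revoked_rejected"] = not server.verify(*badge.tap())
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Two design points carry over to any real deployment. The server never accepts a counter at or below the last one it stored, which is what makes a shoulder-surfed or logged code worthless after first use; and revocation is checked before any cryptography, so a lost badge fails fast and leaves no trace of a near-miss in the look-ahead search. The look-ahead window is the trade-off knob: large enough to absorb taps at offline readers, small enough that guessing a six-digit code stays impractical.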
As physical and on-line access applications merge onto a combination
of cards and phones, a hospital's physical and information security
teams will learn how to manage multiple ID numbers for multiple
applications on multiple devices. The identity management system will
need to support multiple application identities with different lifecycles,
while also enabling different groups within an organization to independently
take responsibility for their own application and identity
lifecycle needs.
Special Healthcare Considerations
Threats to hospitals and other healthcare facilities can be divided into
those to the safety of staff, patients and visitors, and those to the security
of patient information and other data. Physical security threats can
be difficult to combat because of the modern hospital’s typically large
campus size and often geographically dispersed nature of many facilities.
There is also the need to ensure emergency preparedness for natural
disasters.
Another challenge is supporting secure access from affiliated doctors
who may work with many different institutions, requiring them to
carry multiple badges for all the locations they visit. Visitors are also a
challenge. Some may pose a threat, all must be protected, and doing so
is more difficult during “after hours” periods and in critical areas such
as labor and delivery floors and pediatric wards.
On the information security side, threats to patient privacy take many
forms, and safeguards must extend to electronically prescribed medications,
as well. In the United States, HIPAA and the HITECH act create
the need for process and workflow changes, as well as technology investments
in a combination of cybersecurity and privacy protection.
Healthcare institutions also must comply with mandates established
by the U.S. Drug Enforcement Administration’s (DEA) Interim Final Rule
(IFR) for Electronic Prescriptions for Controlled Substances (EPCS).
The EPCS regulation not only creates convenience for practitioners
and patients through allowing electronic transmittal of prescriptions
for controlled drugs, it also enhances security when implemented in a
DEA-compliant fashion. Compliance requires a software application that
has been audited or certified against the rule's requirements, and
prescribers who have been identity-proofed and issued credentials for
two-factor authentication.
To keep up with these and other threats and regulatory requirements,
hospitals must take a unified approach to opening doors and gaining
secure access to data, patient information and hospital applications.
The latest solutions support many access control applications on
the same smart card, from access control for the parking lot, main
door, emergency room and pharmacy to visual ID verification, time-and-attendance,
payroll transactions and cafeteria purchases. They
also enable the integration of visitor management systems to optimize
badging efficiency as part of a complete solution that supports
real-time patient feeds and Health Level Seven International (HL7)
integration.
On the information security side, the access control system must
employ strong authentication and adequate security so that patient
health information is protected in an increasingly digital world. With
the right infrastructure in place, healthcare institutions can meet
today’s security and compliance needs while continually improving
security and convenience, protecting patient privacy, and increasing
the value of their investment.
Tap authentication is particularly valuable for information security
in the healthcare environment, reducing the need for complex passwords
and diminishing password fatigue for users who might have to
log in 20 or more times each day in order to access the facility’s enterprise
data and services. Tap authentication helps hospitals align information
security and safety, meet compliance needs and ensure that
patient privacy is protected.
Finally, fraud in electronically prescribed medications can be combated
with authentication that relies on something the prescriber is, such as a
fingerprint or iris scan, or something the prescriber has, which in the
United States means a FIPS 140-2 validated cryptographic module such as a
hard token or smart card. Binding those credentials to a public key
infrastructure (PKI), with on-site or cloud-based validation services that
every relying party can query to check a credential's status, gives each
prescribing transaction a verifiable trust chain and reduces the
opportunity for fraud.
It has become increasingly important that facility and information
security teams work together to fully understand today’s threats and how
best to combat them. As they follow a similar path
to that of most enterprises, healthcare institutions
are adopting converged solutions to secure access
to everything from the doors to computers, data,
applications and cloud-based services.
This article originally appeared in the April 2016 issue of Security Today.