Organizing a Team

Identity management systems are centralized within mobile platforms

Now that mobile identities can be carried on phones for physical security applications, they are merging with smart cards into centralized identity management systems. Organizations can use either or both to secure access to the door, data and cloud applications. The goal is a unified system that enables strong authentication and card management capabilities for computer and network logon, while also ensuring that physical and logical identities can be managed on a combination of plastic cards, smartphones and other mobile devices.

This trend is having a big impact on physical and IT security departments at hospitals and other large facilities and campuses. CIOs and CSOs have both gotten much more involved with each other in deployment decisions, creating new opportunities to maximize security and efficiency.

Evolving Roles for CIOs and CSOs

It is increasingly important that facility and information security teams work together to gain a better mutual understanding of today’s threats, and how best to combat them, while also coordinating system workflow and security enhancements. The two departments should collaborate closely on all aspects of designing, implementing and maintaining robust security capabilities. Both teams also must understand and follow best practices that extend across physical and logical access control.

The physical security market has been at the front lines of security convergence since the transition from analog video surveillance cameras to networked solutions. IT staff now heavily influences technology purchasing and daily oversight in this area. There also has been a push to integrate video, access control, intrusion detection and other system components into Physical Security Information Management (PSIM) and other unified systems.

Now, this convergence trend is accelerating with the move to ID cards and mobile phones used together for physical and logical access. The same card used to open a door can now also have “tap” authentication capabilities for logical access control. It can be tapped to a laptop, tablet, phone or other NFC-enabled device to access data, cloud apps and web-based services, replacing dedicated one time password (OTP) solutions. And that same device can be turned into a trusted credential that can be used to unlock doors and open gates.

Issues at the Intersection

As physical and logical access requirements intersect, only platforms based on open standards will enable the move to mobile access control, converged solutions, and web-based credential provisioning. Solutions can be deployed all at once, or gradually and selectively as needed. For instance, not everyone in a hospital will need mobile access on smartphones for opening doors. Visual identification enabled by traditional ID badges remains very important in the hospital setting, so cards will need to coexist with mobile IDs. Another decision is whether to provide mobile access only to company-issued devices, or to support a Bring Your Own Device (BYOD) model, and how to do that.

Regardless of the chosen mobility strategy, the access control platform will need to support the broadest possible range of devices without the need for additional sleeves or other accessories. Today’s most versatile solutions support various read ranges and enable phones to open doors not just by tapping them to a reader but also by twisting them from a distance as a user drives or walks up to it. Hospitals will need to determine the types of doors to be mobile-enabled, what kinds of features to incorporate, and which entry points will benefit most from various capabilities.

Using the same access control platform, the hospital also can assess its logical access needs. This includes looking at tap authentication as a more secure and convenient way for users to access network resources, cloud apps and web-based services using the same ID card that opens doors. Tap authentication is particularly attractive for mobile device users. In today’s mobile-first world, employees expect access to corporate cloud applications, data and services anywhere, at any time, from their preferred mobile device. This anywhere, anytime access can potentially make networks more vulnerable to security breaches. Tap authentication solves these security problems while also providing greater user convenience.

Implementation

Policy development is an important area, including updating old procedures to address new capabilities, and writing procedures to address new technologies. Organizations also need a robust process for managing users and the entire life cycle of mobile identities. This can be handled internally, or outsourced through offerings like HID Global’s Secure Identity Services. HID Global’s offering is used to manage the entire process of how an employee is on-boarded and issued a mobile identity, how to issue an additional mobile identity when visiting remote offices, and how to remove a digital key from a device if an employee reports it lost or stolen.

Mobile identities can also be configured to only engage with readers when the mobile device is unlocked. This means that an unauthorized user would have to get around the device PIN or biometric authentication to be able to use it to open doors and access the building.

For logical access control, a hospital can employ the same access control system to implement and manage a simple process for using ID cards and mobile devices to access data and cloud services. After users tap their card to their device, the OTP is unusable. There are no additional tokens to deploy and manage, and users have only one item to carry, their smart card, and no longer must remember or type a complex password.

As physical and on-line access applications merge onto a combination of cards and phones, a hospitals physical and information security teams will learn how to manage multiple ID numbers for multiple applications on multiple devices. The identity management system will need to support multiple application identities with different lifecycles, while also enabling different groups within an organization to independently take responsibility for their own application and identity lifecycle needs.

Special Healthcare Considerations

Threats to hospitals and other healthcare facilities can be divided into those to the safety of staff, patients and visitors, and those to the security of patient information and other data. Physical security threats can be difficult to combat because of the modern hospital’s typically large campus size and often geographically dispersed nature of many facilities. There is also the need to ensure emergency preparedness for natural disasters.

Another challenge is supporting secure access from affiliated doctors who may work with many different institutions, requiring them to carry multiple badges for all the locations they visit. Visitors are also a challenge. Some may pose a threat, all must be protected, and doing so is more difficult during “after hours” periods and in critical areas such as labor and delivery floors and pediatric wards.

On the information security side, threats to patient privacy take many forms, and safeguards must extend to electronically prescribed medications, as well. In the United States, HIPAA and the HITECH act create the need for process and workflow changes, as well as technology investments in a combination of cybersecurity and privacy protection.

Healthcare institutions also must comply with mandates established by the U.S. Drug Enforcement Agency’s (DEA) Interim Final Rule (IFR) for Electronic Prescriptions for Controlled Substances (EPCS). The EPCS regulation not only creates convenience for practitioners and patients through allowing electronic transmittal of prescriptions for controlled drugs, it also enhances security when implemented in a DEA-compliant fashion. Compliance requires using a software application that conforms to regulatory standards and is identity-proofed and credentialed for two-factor authentication.

To keep up with these and other threats and regulatory requirements, hospitals must take a unified approach to opening doors and gaining secure access to data, patient information and hospital applications.

The latest solutions support many access control applications on the same smart card, from access control for the parking lot, main door, emergency room and pharmacy to visual ID verification, timeand- attendance, payroll transactions and cafeteria purchases. They also enable the integration of visitor management systems to optimize badging efficiency as part of a complete solution that supports real-time patient feeds and Health Level Seven International (HL7) integration.

On the information security side, the access control system must employ strong authentication and adequate security so that patient health information is protected in an increasingly digital world. With the right infrastructure in place, healthcare institutions can meet today’s security and compliance needs while continually improving security and convenience, protecting patient privacy, and increasing the value of their investment.

Tap authentication is particularly valuable for information security in the healthcare environment, reducing the need for complex passwords and diminishing password fatigue for users who might have to log in 20 or more times each day in order to access the facility’s enterprise data and services. Tap authentication helps hospitals align information security and safety, meet compliance needs and ensure that patient privacy is protected.

Finally, the threat of fraud in electronically prescribed medications can be combated through systems that employ unique physical information such as a fingerprint or iris scan, or use physical objects, which, in the United States, can be a FIPS 140-2 certified cryptographic key, hard token or card. Security is improved by leveraging public key infrastructure (PKI) using on-site or cloud-based validation services between all relying parties, elevating the trusted transaction which reduces or eliminates the opportunity for breach.

It has become increasingly important that facility and information security teams work together to fully understand today’s threats and how best to combat them. As they follow a similar path to that of most enterprises, healthcare institutions are adopting converged solutions to secure access to everything from the doors to computers, data, applications and cloud-based services.

This article originally appeared in the April 2016 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3