Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their Data

Hospitals Must Combat Threats to Both the Facility and Their DataThe International Association for Healthcare Security and Safety (IAHSS) reported in its 2012 Crime and Security Trends Survey that the number of healthcare crimes increased by nearly 37 percent in just two years, from just under 15,000 in 2010 to more than 20,500 in 2012. And, according to the Ponemon Institute, nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years. Increasingly, hospital security and information technology (IT) departments must work together to design, implement and maintain robust security capabilities.

Best practices

There are several best practices to consider. First, access control systems should be based on an open architecture, so they can support new capabilities over time. They should use contactless, high-frequency, smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys. Cards should also employ a secure messaging protocol that is delivered on a trust-based, communication platform within a secure ecosystem of interoperable products.

Another important practice is device authentication with new developments including technologies that recognize anomalies in users’ typical typing style and behavior. The default model for hospitals is to ensure that authenticated users within the hospital may only access their own or their patients’ health records from a known and properly-registered device.

In the case of affiliated doctors, who work with many hospitals, the best approach is to provide them with mobile soft tokens, so they don’t have to carry multiple OTP tokens. Affiliated doctors also should be required to authenticate their devices, both in the hospital and at home or the office.

With these capabilities, hospitals can ensure the highest level of security, convenience, and interoperability, along with the adaptability to meet future requirements.

Future requirements

One future requirement may be the ability to combine multiple applications onto a single card. In addition to centralizing management, this eliminates the need for hospital employees to carry separate cards for opening doors, accessing computers, using time-and-attendance and secure-print-management systems, and making cashless vending purchases. Other applications can include building automation, medical records management, and biometric templates that are stored on the card for additional factors of authentication.

With a highly-secure, smart card foundation in place, hospitals are well positioned to improve risk management and comply with new legislation or regulatory requirements. As an example, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.

Hospital visitors

Visitors must also be considered. Paper guest books should be replaced with registration systems that screen, badge and track every visitor and vendor. These systems should support the HL7 interface control, so administrators can match visitors to real-time information about patient admissions and discharges, Status Blue for pre-registering and approved vendors, and access control integration to provide temporary proximity card access to specific guests, such as contractors or temporary employees. They should also support optional screening and watch lists of unwanted visitors. Finally, they should enable the creation of long-term, durable visitor badges for family members who will be visiting a patient frequently over an extended period.

Logical access control

For logical access control, it’s important to move beyond simple, static passwords to strong authentication methods that ensure individuals accessing data are authorized to do so, and are who they claim to be.

Speed and convenience are important -- a hospital campus is essentially made up of multiple remote access areas, such as test rooms where a nurse may need to access digital x-ray results. It would be difficult if staff had to use a strong authentication method that was complicated or required considerable time and/or typing in each area where they must access data. Instead, they should be provided with contactless One Time Password (OTP) login solutions that enable them to easily “tap in and tap out” for computer login and logout with strong authentication.

Logical access control is also important for on-line patient identification and record access. HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) act point the way, but it will be important that solutions be flexible enough to support new regulatory requirements over time.

On-line banking as a model

Hospitals Must Combat Threats to Both the Facility and Their DataWe should look to the consumer, on-line banking model, where a layered approach has proven effective in ensuring that appropriate levels of risk mitigation can be applied. Another key element that can be applied from on-line banking is to validate transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms. But, if the user wishes to download sensitive documents, there may need to be multiple, strong, authentication security checks during the session.

Hospitals, their staff and patients face growing security threats. Administrators need a combination of physical access control systems, with integrated visitor management capabilities, and logical access control solutions that take a layered approach to risk mitigation, moving beyond passwords to implement strong authentication.

About the Author

Julian Lovelock is the vice president of product marketing, identity assurance with HID Global.

Featured

  • Live From ISC West 2023: Day 1

    ISC West 2023 in Las Vegas, Nevada, has officially begun! Make sure to keep an eye on Security Today’s ISCW Live 2023 page, as well as our associated Twitter accounts—@SecurToday and @CampusSecur—for the latest updates from the show floor at the Venetian Expo. Read Now

    • Industry Events
    • ISC West
  • It Happened Again

    Just yesterday (as of this writing), it happened again. A 28-year-old woman shot her way into a Christian elementary school in Nashville, Tenn., on Monday and killed three children and three adults, according to national news. AP News reports that the victims were three 9-year-old children, a top school administrator, a substitute teacher, and a school custodian Read Now

  • Let's Get to Work

    You are standing at the conference center doors just waiting to get into the exhibit hall. I know you are because I’m standing next to you. This week at ISC West has been three years in the making. Last year was encouraging, and here we are waiting for the Big Show. Read Now

    • Industry Events
    • ISC West
  • Using Modern Technology

    Using Modern Technology

    Workplace violence is a serious and growing challenge for many organizations — including those in the healthcare industry. Read Now

Featured Cybersecurity

New Products

  • Videoloft Cloud Video Surveillance VSaaS Solution

    Videoloft Cloud Video Surveillance VSaaS Solution

    Videoloft focuses on transforming traditional professional surveillance systems into cloud connected solutions via the Videoloft Cloud Adapter. 3

  • Camden Door Controls ‘SER” Surface Boxes and Extension Rings

    Camden Door Controls ‘SER” Surface Boxes and Extension Rings

    Camden Door Controls has introduced new ‘SER” surface boxes and extension rings that provide a complete solution for new construction. In addition, they provide a simple and robust solution when replacing round wired and manual push plate switches with either Camden’s wired or wireless SureWave™ no-touch switches or Kinetic™ no-battery wireless switches. 3

  • Camden Door Controls Application Spec Guide

    Camden Door Controls Application Spec Guide

    Camden Door Controls, an industry-leading provider of innovative, high quality door activation and locking products, has published a new application spec guide for specification writers designing a wireless barrier-free restroom control system. 3