Healthcare security without the complexity

August 2014 Healthcare (Industry), Security Services & Risk Management

Hospitals face many security threats in an environment complicated by high traffic volumes, complex staffing requirements, and a demanding regulatory environment.

Meeting modern security challenges while complying with rules and regulations, such as the recent EU data breach regulations, the UK Data Protection Act (DPA) and other regulatory mandates requires best practices for both physical and IT security, using flexible and scalable access control systems that can combat today’s evolving security threats while supporting future improvements in security and convenience.

Nat Pisupati, regional sales director, Middle East and Africa with HID Global.
Nat Pisupati, regional sales director, Middle East and Africa with HID Global.

It is also important for healthcare institutions to maximise the ongoing value of their investment by ensuring that ID cards used for opening doors can also be used for other applications including time-and-attendance, cashless payment and logical access control to protect IT assets and enhance patient information privacy protection.

Improving physical access control

Hospital security challenges can be extremely complicated. Patients and visitors must feel welcomed and comfortable, yet safe and well protected. Hospitals also must support affiliated doctors who need to carry multiple badges for all the locations they visit. Over time, administrators may want to integrate access control with visitor management, or add video surveillance and other technologies.

This can be difficult to accomplish with legacy systems, which are vulnerable to security threats and can’t easily be upgraded to new features and capabilities. In contrast, the latest physical access control system (PACS) system architectures are based on dynamic technologies, making it significantly easier and less expensive to upgrade them. Benefits of these systems include:

• Improved security: The latest PACS solutions use contactless high frequency smart card technology with mutual authentication and cryptographic protection mechanisms and secret keys. The cards use a secure messaging protocol delivered on a trust-based communication platform within a secure ecosystem of interoperable products, enabling hospitals to achieve the highest level of security, convenience, interoperability and adaptability.

• Simplified system management: protocols like the industry-standard Open Supervised Device Protocol (OSDP) and companion Secure Channel Protocol (SCP) for reader communications replace legacy, unsecured Wiegand technology to provide bidirectional, multi-dropped communication. OSDP extends security from the card reader to the access controller, and reduces costs while improving reader monitoring and servicing by enabling users to re-configure, poll and query readers from a central system. OSDP will also usher in new reader capabilities, including the ability to display real-time evacuation information in the event of an emergency.

• Improved risk management: Today’s platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements. For example, the UK DPA imposes strict requirements for accessing personal information, such as medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.

• A path to networked access control: Many institutions are moving to IP-based PACS solutions that are easier to operate and simplify expansion and customisation while enabling integration with other solutions that can share the same network. These solutions move intelligence to the door, which streamlines system monitoring, management and reporting via standard Web browsers. With IP-based solutions, users also can invest in hardware platforms that are not tied to proprietary software, simplifying upgrades and enhancements.

• Ability to add wireless locksets: IP-based access control solutions facilitate deployment of wireless locksets that connect with the online access control system and provide near-online and near-real-time control of the opening. This reduces wiring costs, and alleviates problems with using mechanical keys that are hard to monitor and manage, are vulnerable to theft, and make it difficult to investigate incidents when they occur.

• More secure and simplified visitor management, integrated with the PACS: Today’s visitor management systems enable the screening, badging and tracking all visitors or, at a minimum, those visiting critical areas or during after-hours periods. Systems should support real-time patient feeds using Health Level 7 (HL7) integration, which ensures that no visitor is sent to the wrong location or to see a patient that is no longer checked in.

• Ability to add new capabilities: The latest PACS architectures provide the flexibility to support new applications such as infant protection systems, and biometrics in sensitive areas such as laboratories and research centres.

• Opportunities to do more with the card: Ideally, hospitals should be able to offer physicians, nurses and administrative staff a single card that provides access to, for instance, both the emergency room and the pharmacy, and also can be used for visual ID verification, time-and-attendance logging, payroll transactions, and purchases in the hospital cafeteria. This not only simplifies life for cardholders, but also centralises and streamlines management.

IT and health record security

Patient privacy protection is increasingly important. Health data is at least as valuable as financial data in the on-line banking industry, where a layered system approach is used to ensure that appropriate risk mitigation levels can be applied. Even though patients don’t access healthcare information as frequently as do on-line bankers, and aren’t protected by the same regulatory compliance requirements, they can benefit from the same multi-layered authentication mechanisms, both inside and outside the hospital. Healthcare organisations need a versatile authentication platform with real-time threat detection capabilities in order to effectively implement these five security layers:

• User authentication: Strong authentication ensures individuals accessing data are authorised, and who they claim to be. Speed and convenience are important – it would be difficult if hospital staff had to use a complicated, time-consuming strong authentication method in each area where they must access data. An emerging approach uses emerging Near Field Communications (NFC) technology, enabling users to carry a smart card or smartphone with an authentication credential stored on the device’s secure element (SE) or subscriber identification module (SIM) chip. With these mobile soft tokens, users can simply “tap in” to hospital facilities, VPNs, wireless networks, and cloud- and Web-based applications. Affiliated doctors who might previously have carried as many as 20 one-time password (OTP) tokens will now be able to carry single mobile soft tokens.

• Device authentication: The default model inside the hospital is to ensure that authenticated users within the hospital may only access their own – or their patients’ – health records from a known and properly registered device. Affiliated doctors also should be required to authenticate their devices. New developments include technologies that recognise anomalies in users’ typical typing style and behaviour.

• Transaction authentication with pattern-based intelligence: This, too, has been proven in on-line banking, for validating transactions as well as sessions. Typically, users log onto a site and continue, uninterrupted. With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms.

• Browser protection: The user’s browser must be part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with a mutual secure socket layer (SSL) connection to the application.

• Application security: It is also important to protect applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.

Today’s solutions enable healthcare organisations to achieve a versatile PACS that protects everything from hospital doors and storage areas to the cloud and desktops. With proper planning, healthcare institutions will be able to preserve investments in today’s physical access control credential solution as they seamlessly add new capabilities in the future. The result is a fully interoperable, multi-layered and highly adaptable security solution that spans the organisation’s networks, systems and facilities, and has room to grow, evolve and improve over time.

For more information contact HID Global, +27 (0)82 449 9398, [email protected], www.hidglobal.com



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Background checks: risk levels and compliance
iFacts Access Control & Identity Management Security Services & Risk Management
Conducting background checks is a vital step in the hiring process for employers or when engaging service providers; however, it is crucial to understand the legal framework and regulations governing these checks.

Read more...
Insurance provider uses Net2 For access management
Paxton Access Control & Identity Management Integrated Solutions Healthcare (Industry)
BestMed selected Paxton Net2 for its access control requirements because of its simplicity of installation and ease of navigation for end users, as well as the 5-year warranty.

Read more...
Embracing contactless access solutions
HID Global Access Control & Identity Management
There has long been a discussion of the perils and virtues of authentication factors. Is it more secure to use something we have (a key card), something we know (a password), or something we are (biometrics)?

Read more...
Federated identity orchestration
Technews Publishing SMART Security Solutions Editor's Choice Access Control & Identity Management Security Services & Risk Management AI & Data Analytics
Understanding exactly who resides at the end of a digital device is key, and simple identity number verification by the Department of Home Affairs is no longer a viable solution on its own.

Read more...
Balancing security and ease-of-use
Technews Publishing SMART Security Solutions Access Control & Identity Management Security Services & Risk Management
Fraud incidents have financial repercussions and erode consumer trust, leading businesses to become more aware, though this awareness does not necessarily translate into confidence in their identity authentication processes.

Read more...
Identity and authentication
Technews Publishing SMART Security Solutions Access Control & Identity Management Information Security Security Services & Risk Management
Identity authentication is a crucial aspect of both physical security and cybersecurity. SMART Security Solutions obtained insights into the topic and the latest developments from three companies.

Read more...
Boost revenue streams for MNOS
News & Events Security Services & Risk Management Financial (Industry)
ReveNet has introduced its new solution, designed to safeguard and potentially boost revenue streams in an increasingly challenging landscape for MNOS. The new platform combines advanced analytics and is built on trust, transparency, and sustainability principles.

Read more...
NIS2 compliance amplifies skills shortages and resource strain
Information Security Security Services & Risk Management
A new Censuswide survey, commissioned by Veeam Software reveals the significant impact on businesses as they adapt to this key cybersecurity directive, with 95% of EMEA businesses siphoning other budgets to try and meet compliance deadline.

Read more...
SA company develops world-first safe K9 training for drug detection
Editor's Choice News & Events Security Services & Risk Management Government and Parastatal (Industry)
The Braveheart Bio-Dog Academy recently announced the results of its scientific research into training dogs to accurately detect drugs and explosives without harming either the dogs or their handlers.

Read more...
Understanding South Africa’s Cybercrimes Act
Information Security Security Services & Risk Management
The Cybercrimes Act No.19 of 2020 is a comprehensive legislative response to the evolving landscape of cyberthreats in South Africa. Its effectiveness, however, relies on enforcement, which relies on implementation, international cooperation, and collaboration between the public and private sectors.

Read more...