Addressing risks in the healthcare sector

August 2019 Healthcare (Industry), Security Services & Risk Management

The healthcare sector poses unique challenges and risks. Hospitals, for example, need to have a more-or-less ‘open door’ policy when it comes to people entering the premises and the main reception area. On the other hand, they have to safeguard their patients and limit visitor access to certain times, as well as keep unauthorised people out of areas where pharmaceuticals, expensive clinical equipment, and sensitive patient records are kept.

Mitigation of risk is where modern security and life safety technologies come in, but ZKTeco’s Luki Janse van Rensburg poses the question: how many of these devices are of benefit to the whole industry, including the patients that are admitted to the various hospitals?

“There are various challenges that employees in the health sector must face. Growth of decentralised facilities, standardising security products, cost containment across all physical security systems, employees and patients having a higher expectation of security, and protecting the privacy of patients and their records are just some of those challenges. Consequently much needs to be improved.”

He points out that security needs have also grown with regards to protecting patients’ safety. Finding new ways to balance operating costs, patient expectations and cost-effective security solutions, is feasible with a phased plan for technology migration to IP-centric solutions. “Different health sectors have various needs; these may depend on the high reliability and availability of security systems, having more cost-effective security for smaller facilities, a higher level of validated access control in critical areas, and lower operating costs for security.

“One needs to take into consideration all these factors and look for ways that technology systems can improve the various facilities that need customised solutions. With confidential data and potentially dangerous drugs and medical equipment, it can be more of a challenge for the healthcare sector to keep their premises safe than in other industries,” Janse van Rensburg states.

Therefore, he says it is essential for healthcare facilities to search the market, as certain companies have products that enable healthcare facilities to have access control systems, time and attendance devices, etc. that help to ensure only authorised personnel have access to restricted areas of the building. They need to look for companies that can assist them in selecting a system that works with the layout of their premises.

Biometrics to the rescue

Making use of biometrics within a hospital or pharmacy will ensure that security systems are more accurate and safer, says Janse van Rensburg: “Imagine having to deal with very private information and having to allow only a few people access to this information; having a biometric device installed at that restricted part of the hospital or pharmacy will ensure that management knows exactly who has been in that area, when and how long they have been there. Having a biometric time and attendance system can make it easier for hospitals to be able to record the comings and goings of doctors, nurses and staff.”

Thus, such processes will enable the department heads to monitor employees better. One might argue that because biometric machines usually require a fingerprint or thumbprint, or some other unique information needed to identify a person, this can lead to a serious risk of identity theft, but Janse van Rensburg asserts that faking or obtaining fingerprints is virtually impossible, and that one cannot obtain fingerprints from a biometric reader’s storage memory or database on a computer, because these details are encrypted by an advanced algorithm which is virtually impossible to crack.

Any healthcare facility can install a biometric device, it just depends on the level of security required by the hospital or pharmacy. “Biometrics have grown to a point where it is affordable to add biometric-based security to your facility, with no

lack in quality or technology,” he states. “Any healthcare facility is the perfect environment for biometrics, and it would be advised that every hospital, clinic, pharmacy and so on does the transition to this technology and level of security.”

The crucial involvement of upper management

As with any other type of business, hospitals are under budgetary constraints and need to be able to establish a strong security posture without overspending. Two companies that work closely together – Connectivity Dynamics (CONDYN) and Secnovate – are jointly of the view that

the fundamental building block is the involvement and commitment of the organisation’s executive or board in setting acceptable levels of risk or risk appetite of the organisation and acceptable residual risk that is defined in terms of the assets to be protected. In addition, the executive/board should provide guidance on all security policies, standards, procedures and business processes required to ensure proper risk management.

In the lifecycle of risk management, each identified risk should be assessed in regard to its mitigation strategy and business impact analysis to ascertain whether residual risk was within the parameters determined by the board. A security framework should be established to assist the executive in overseeing this process as this would be the main means by which the executive/board retains connection with the overall security posture of the organisation and is able to provide the necessary executive direction required to oversee the organisation’s risk and security management process.

CONDYN and Secnovate recommend that a multi-level security programme, with assigned actions and responsibilities across the different layers of management, staff, business processes and technologies, will assist with responding to each of the security lifecycle phases of:

• Risk identification, in accordance with ISO/IEC 27005, including a review of the technical and business process architectures for risks and vulnerabilities, vulnerability scanning of the internal systems, external vulnerability scanning and penetration testing, and access control and physical security control review.

Typical examples relevant to hospitals/clinics include the protection of patient and other confidential information (especially in the context of the PoPI Act and its obligations), the management of internal fraud, external cyberattacks on assets, etc.

• Prevention, including security policies, mitigation controls to deal with identified risks, guided by ISO/IEC 27002 or other appropriate standards, event collection and monitoring, etc.

Since human error is associated with the majority (over 90%) of security breaches, the immediate priorities could include providing staff with basic cyber-awareness training, thereby enabling them to become proactive first-line cyber-defenders.

The most common approaches include the protection and management (hardware and software) of endpoints and servers, and the monitoring of information transfer such as through USB drives, printers and others.

• Detection – subject to the implementation of the event collection and monitoring and the establishment of a monitoring team, event correlation and incident detection can be implemented.

• Response and remediation, including elements such as a disaster recovery and business continuity plan, incident response protocols, etc.

Harnessing and integrating technologies

The major problem with having many separate solutions is that a breach (such as data being leaked or shared, or someone accessing the system illegally) may not be discovered until it is too late, CONDYN and Secnovate concur. In addition, the gathering of investigative reports may also be compromised as these may only be accessed through different solutions – resulting in costly delays.

The most effective remedy is to deploy a single, integrated real-time solution that monitors all areas all the time, and that sends alerts out when any risks are detected. Such integrated solutions are available on the market, the companies point out.

There are a variety of information gathering solutions and management platforms available which are capable of addressing physical security within and outside healthcare facilities, and provide valuable information on activity such as visitor movement. These capabilities include video cameras with and without facial recognition, and licence plate recognition – supported in many cases with intelligent software.

There are many solutions available which enable the automation of entry and exit control and the provision of alerts should any unauthorised person attempt to gain access to a facility. These solutions are based on facial recognition and video analytics, and have proven track records in a host of applications.

CONDYN’s fraud and risk management solution can provide healthcare facilities with a range of benefits, including the detection of insider fraud, and assist these facilities with compliance to PoPI Act obligations. The system is capable of detecting abnormal internal behaviour across a wide range of communication and system channels.

The solution protects a company from insiders leaking sensitive data by checking inbound/outbound traffic for compliance with security policies, controlling the creation, movement, change of confidential documents on local workstations as well as shared locations, and simplifies the work of the information security department.

The system has powerful analysis of text, audio, video, graphics, and an embedded User Entity Behaviour Analytics (UEBA) component. Software capabilities include:

• Identification of weak spots that could be detrimental to the company. The solution searches for spots where a breach can occur and puts out a potential threat alert before an incident happens, thereby promoting a corporate security culture.

• Information flow and employee activity monitoring. The system controls all the data transfer channels, examines the information stored and moved within the company’s network, captures all the processes and employee activities, and analyses their behaviour.

• Corporate data analysis. Powerful analytics, various search options, automated graphics and audio analysis allow one assigned specialist to monitor thousands of staff members.

• Incident assessment. The system puts out alerts on policy violations and irregular employee activities, helping with investigation of incidents and improvement to security policies to minimise risks.

• Risk management. The software provides a comprehensive approach to internal monitoring. The system facilitates risk management, tracks events as soon as they occur, and runs investigations to prevent them in the future.

• Risk prevention. The system visualises all the events and connections within the company by issuing reports – relational graphs enable the user to detect irregular activities, analyse possible threats, and prevent incidents.

For more information contact:

• CONDYN, +27 12 683 8816, [email protected],

• Secnovate, +27 83 252 5727, [email protected],

• ZKTeco, +27 12 259 1047,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

From the editor's desk: AI and events
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Surveillance Handbook. Reading through this issue will demonstrate that AI has undoubtedly made its mark on the surveillance industry. Like ‘traditional’ video ...

The TCO of cloud surveillance
DeepAlert Verifier Technews Publishing Surveillance Infrastructure
SMART Security Solutions asked two successful, home-grown cloud surveillance operators for their take on the benefits of cloud surveillance to the local market. Does cloud do everything, or are there areas where onsite solutions are preferable?

Surveillance on the edge
Axis Communications SA Guardian Eye Technews Publishing Surveillance
Edge processing, a practical solution that has been available for some time, has proven its utility in various scenarios, tailored to the unique requirements of each user.

AI developments in surveillance
DeepAlert Secutel Technologies Technews Publishing Surveillance
When AI-powered video analytics first emerged in the surveillance market, it was heralded as a game-changer, promising near-magical object recognition and identification. As always, it was oversold, but times have changed and we are close to seeing the ‘magic’ at work.

Putting cyber into surveillance
Dallmeier Electronic Southern Africa Cathexis Technologies Technews Publishing Editor's Choice
Cybersecurity has become an essential part of the physical security industry. However, unlike other IoT technologies, of which security products are a part, surveillance technologies have more to protect.

Digital transformation in mines
NEC XON Technews Publishing Mining (Industry)
Digital transformation has been hyped to death, but is a reality all companies in all industries need to address, including the mining sector. BCX and NEC XON weigh in on the challenges mines face.

Fire safety in mining
Technews Publishing Mining (Industry)
Clinton Hodgson, Head of the Industrial Fire & Life Safety Division at FS Systems International, provides SMART Security Solutions with his insights into fire safety risks and solutions as they pertain to the mining industry.

Cybersecurity in mining
Technews Publishing Mining (Industry)
One does not usually associate mining with cybersecurity, but as big technology users (including some legacy technology that was not designed for cyber risks), mines are at risk from cyber threats in several areas.

Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.