printer friendly version

Addressing risks in the healthcare sector

The healthcare sector poses unique challenges and risks. Hospitals, for example, need to have a more-or-less ‘open door’ policy when it comes to people entering the premises and the main reception area. On the other hand, they have to safeguard their patients and limit visitor access to certain times, as well as keep unauthorised people out of areas where pharmaceuticals, expensive clinical equipment, and sensitive patient records are kept.

Mitigation of risk is where modern security and life safety technologies come in, but ZKTeco’s Luki Janse van Rensburg poses the question: how many of these devices are of benefit to the whole industry, including the patients that are admitted to the various hospitals?

“There are various challenges that employees in the health sector must face. Growth of decentralised facilities, standardising security products, cost containment across all physical security systems, employees and patients having a higher expectation of security, and protecting the privacy of patients and their records are just some of those challenges. Consequently much needs to be improved.”

He points out that security needs have also grown with regards to protecting patients’ safety. Finding new ways to balance operating costs, patient expectations and cost-effective security solutions, is feasible with a phased plan for technology migration to IP-centric solutions. “Different health sectors have various needs; these may depend on the high reliability and availability of security systems, having more cost-effective security for smaller facilities, a higher level of validated access control in critical areas, and lower operating costs for security.

“One needs to take into consideration all these factors and look for ways that technology systems can improve the various facilities that need customised solutions. With confidential data and potentially dangerous drugs and medical equipment, it can be more of a challenge for the healthcare sector to keep their premises safe than in other industries,” Janse van Rensburg states.

Therefore, he says it is essential for healthcare facilities to search the market, as certain companies have products that enable healthcare facilities to have access control systems, time and attendance devices, etc. that help to ensure only authorised personnel have access to restricted areas of the building. They need to look for companies that can assist them in selecting a system that works with the layout of their premises.

Biometrics to the rescue

Making use of biometrics within a hospital or pharmacy will ensure that security systems are more accurate and safer, says Janse van Rensburg: “Imagine having to deal with very private information and having to allow only a few people access to this information; having a biometric device installed at that restricted part of the hospital or pharmacy will ensure that management knows exactly who has been in that area, when and how long they have been there. Having a biometric time and attendance system can make it easier for hospitals to be able to record the comings and goings of doctors, nurses and staff.”

Thus, such processes will enable the department heads to monitor employees better. One might argue that because biometric machines usually require a fingerprint or thumbprint, or some other unique information needed to identify a person, this can lead to a serious risk of identity theft, but Janse van Rensburg asserts that faking or obtaining fingerprints is virtually impossible, and that one cannot obtain fingerprints from a biometric reader’s storage memory or database on a computer, because these details are encrypted by an advanced algorithm which is virtually impossible to crack.

Any healthcare facility can install a biometric device, it just depends on the level of security required by the hospital or pharmacy. “Biometrics have grown to a point where it is affordable to add biometric-based security to your facility, with no

lack in quality or technology,” he states. “Any healthcare facility is the perfect environment for biometrics, and it would be advised that every hospital, clinic, pharmacy and so on does the transition to this technology and level of security.”

The crucial involvement of upper management

As with any other type of business, hospitals are under budgetary constraints and need to be able to establish a strong security posture without overspending. Two companies that work closely together – Connectivity Dynamics (CONDYN) and Secnovate – are jointly of the view that

the fundamental building block is the involvement and commitment of the organisation’s executive or board in setting acceptable levels of risk or risk appetite of the organisation and acceptable residual risk that is defined in terms of the assets to be protected. In addition, the executive/board should provide guidance on all security policies, standards, procedures and business processes required to ensure proper risk management.

In the lifecycle of risk management, each identified risk should be assessed in regard to its mitigation strategy and business impact analysis to ascertain whether residual risk was within the parameters determined by the board. A security framework should be established to assist the executive in overseeing this process as this would be the main means by which the executive/board retains connection with the overall security posture of the organisation and is able to provide the necessary executive direction required to oversee the organisation’s risk and security management process.

CONDYN and Secnovate recommend that a multi-level security programme, with assigned actions and responsibilities across the different layers of management, staff, business processes and technologies, will assist with responding to each of the security lifecycle phases of:

• Risk identification, in accordance with ISO/IEC 27005, including a review of the technical and business process architectures for risks and vulnerabilities, vulnerability scanning of the internal systems, external vulnerability scanning and penetration testing, and access control and physical security control review.

Typical examples relevant to hospitals/clinics include the protection of patient and other confidential information (especially in the context of the PoPI Act and its obligations), the management of internal fraud, external cyberattacks on assets, etc.

• Prevention, including security policies, mitigation controls to deal with identified risks, guided by ISO/IEC 27002 or other appropriate standards, event collection and monitoring, etc.

Since human error is associated with the majority (over 90%) of security breaches, the immediate priorities could include providing staff with basic cyber-awareness training, thereby enabling them to become proactive first-line cyber-defenders.

The most common approaches include the protection and management (hardware and software) of endpoints and servers, and the monitoring of information transfer such as through USB drives, printers and others.

• Detection – subject to the implementation of the event collection and monitoring and the establishment of a monitoring team, event correlation and incident detection can be implemented.

• Response and remediation, including elements such as a disaster recovery and business continuity plan, incident response protocols, etc.

Harnessing and integrating technologies

The major problem with having many separate solutions is that a breach (such as data being leaked or shared, or someone accessing the system illegally) may not be discovered until it is too late, CONDYN and Secnovate concur. In addition, the gathering of investigative reports may also be compromised as these may only be accessed through different solutions – resulting in costly delays.

The most effective remedy is to deploy a single, integrated real-time solution that monitors all areas all the time, and that sends alerts out when any risks are detected. Such integrated solutions are available on the market, the companies point out.

There are a variety of information gathering solutions and management platforms available which are capable of addressing physical security within and outside healthcare facilities, and provide valuable information on activity such as visitor movement. These capabilities include video cameras with and without facial recognition, and licence plate recognition – supported in many cases with intelligent software.

There are many solutions available which enable the automation of entry and exit control and the provision of alerts should any unauthorised person attempt to gain access to a facility. These solutions are based on facial recognition and video analytics, and have proven track records in a host of applications.

CONDYN’s fraud and risk management solution can provide healthcare facilities with a range of benefits, including the detection of insider fraud, and assist these facilities with compliance to PoPI Act obligations. The system is capable of detecting abnormal internal behaviour across a wide range of communication and system channels.

The solution protects a company from insiders leaking sensitive data by checking inbound/outbound traffic for compliance with security policies, controlling the creation, movement, change of confidential documents on local workstations as well as shared locations, and simplifies the work of the information security department.

The system has powerful analysis of text, audio, video, graphics, and an embedded User Entity Behaviour Analytics (UEBA) component. Software capabilities include:

• Identification of weak spots that could be detrimental to the company. The solution searches for spots where a breach can occur and puts out a potential threat alert before an incident happens, thereby promoting a corporate security culture.

• Information flow and employee activity monitoring. The system controls all the data transfer channels, examines the information stored and moved within the company’s network, captures all the processes and employee activities, and analyses their behaviour.

• Corporate data analysis. Powerful analytics, various search options, automated graphics and audio analysis allow one assigned specialist to monitor thousands of staff members.

• Incident assessment. The system puts out alerts on policy violations and irregular employee activities, helping with investigation of incidents and improvement to security policies to minimise risks.

• Risk management. The software provides a comprehensive approach to internal monitoring. The system facilitates risk management, tracks events as soon as they occur, and runs investigations to prevent them in the future.

• Risk prevention. The system visualises all the events and connections within the company by issuing reports – relational graphs enable the user to detect irregular activities, analyse possible threats, and prevent incidents.

For more information contact:

• CONDYN, +27 12 683 8816, [email protected], www.condyn.net

• Secnovate, +27 83 252 5727, [email protected], www.secnovate.com

• ZKTeco, +27 12 259 1047, www.secnovate.com, www.zkteco.co.za

Share this article:

Further reading: