Addressing risks in the healthcare sector

August 2019 Healthcare (Industry), Security Services & Risk Management

The healthcare sector poses unique challenges and risks. Hospitals, for example, need to have a more-or-less ‘open door’ policy when it comes to people entering the premises and the main reception area. On the other hand, they have to safeguard their patients and limit visitor access to certain times, as well as keep unauthorised people out of areas where pharmaceuticals, expensive clinical equipment, and sensitive patient records are kept.

Mitigation of risk is where modern security and life safety technologies come in, but ZKTeco’s Luki Janse van Rensburg poses the question: how many of these devices are of benefit to the whole industry, including the patients that are admitted to the various hospitals?

“There are various challenges that employees in the health sector must face. Growth of decentralised facilities, standardising security products, cost containment across all physical security systems, employees and patients having a higher expectation of security, and protecting the privacy of patients and their records are just some of those challenges. Consequently much needs to be improved.”

He points out that security needs have also grown with regard to protecting patients’ safety. Finding new ways to balance operating costs, patient expectations and cost-effective security solutions is feasible with a phased plan for technology migration to IP-centric solutions. “Different health sectors have various needs; these may depend on the high reliability and availability of security systems, having more cost-effective security for smaller facilities, a higher level of validated access control in critical areas, and lower operating costs for security.

“One needs to take into consideration all these factors and look for ways that technology systems can improve the various facilities that need customised solutions. With confidential data and potentially dangerous drugs and medical equipment, it can be more of a challenge for the healthcare sector to keep their premises safe than in other industries,” Janse van Rensburg states.

Therefore, he says it is essential for healthcare facilities to search the market, as certain companies have products that enable healthcare facilities to have access control systems, time and attendance devices, etc. that help to ensure only authorised personnel have access to restricted areas of the building. They need to look for companies that can assist them in selecting a system that works with the layout of their premises.

Biometrics to the rescue

Making use of biometrics within a hospital or pharmacy will ensure that security systems are more accurate and safer, says Janse van Rensburg: “Imagine having to deal with very private information and having to allow only a few people access to this information; having a biometric device installed at that restricted part of the hospital or pharmacy will ensure that management knows exactly who has been in that area, when and how long they have been there. Having a biometric time and attendance system can make it easier for hospitals to be able to record the comings and goings of doctors, nurses and staff.”

Thus, such processes will enable the department heads to monitor employees better. One might argue that because biometric machines usually require a fingerprint or thumbprint, or some other unique information needed to identify a person, this can lead to a serious risk of identity theft, but Janse van Rensburg asserts that faking or obtaining fingerprints is virtually impossible, and that one cannot obtain fingerprints from a biometric reader’s storage memory or database on a computer, because these details are encrypted by an advanced algorithm which is virtually impossible to crack.

Any healthcare facility can install a biometric device; it just depends on the level of security required by the hospital or pharmacy. “Biometrics have grown to a point where it is affordable to add biometric-based security to your facility, with no lack in quality or technology,” he states. “Any healthcare facility is the perfect environment for biometrics, and it would be advised that every hospital, clinic, pharmacy and so on does the transition to this technology and level of security.”

The crucial involvement of upper management

As with any other type of business, hospitals are under budgetary constraints and need to be able to establish a strong security posture without overspending. Two companies that work closely together – Connectivity Dynamics (CONDYN) and Secnovate – are jointly of the view that the fundamental building block is the involvement and commitment of the organisation’s executive or board in setting acceptable levels of risk or risk appetite of the organisation and acceptable residual risk that is defined in terms of the assets to be protected. In addition, the executive/board should provide guidance on all security policies, standards, procedures and business processes required to ensure proper risk management.

In the lifecycle of risk management, each identified risk should be assessed with regard to its mitigation strategy and business impact analysis to ascertain whether the residual risk is within the parameters determined by the board. A security framework should be established to assist the executive in overseeing this process, as this would be the main means by which the executive/board retains connection with the overall security posture of the organisation and is able to provide the necessary executive direction required to oversee the organisation’s risk and security management process.

CONDYN and Secnovate recommend a multi-level security programme, with assigned actions and responsibilities across the different layers of management, staff, business processes and technologies, to assist with responding to each of the security lifecycle phases of:

• Risk identification, in accordance with ISO/IEC 27005, including a review of the technical and business process architectures for risks and vulnerabilities, vulnerability scanning of the internal systems, external vulnerability scanning and penetration testing, and access control and physical security control review.

Typical examples relevant to hospitals/clinics include the protection of patient and other confidential information (especially in the context of the PoPI Act and its obligations), the management of internal fraud, external cyberattacks on assets, etc.

• Prevention, including security policies, mitigation controls to deal with identified risks, guided by ISO/IEC 27002 or other appropriate standards, event collection and monitoring, etc.

Since human error is associated with the majority (over 90%) of security breaches, the immediate priorities could include providing staff with basic cyber-awareness training, thereby enabling them to become proactive first-line cyber-defenders.

The most common approaches include the protection and management (hardware and software) of endpoints and servers, and the monitoring of information transfer such as through USB drives, printers and others.

• Detection – subject to the implementation of the event collection and monitoring and the establishment of a monitoring team, event correlation and incident detection can be implemented.

• Response and remediation, including elements such as a disaster recovery and business continuity plan, incident response protocols, etc.

Harnessing and integrating technologies

The major problem with having many separate solutions is that a breach (such as data being leaked or shared, or someone accessing the system illegally) may not be discovered until it is too late, CONDYN and Secnovate concur. In addition, the gathering of investigative reports may also be compromised as these may only be accessed through different solutions – resulting in costly delays.

The most effective remedy is to deploy a single, integrated real-time solution that monitors all areas all the time, and that sends alerts out when any risks are detected. Such integrated solutions are available on the market, the companies point out.

There are a variety of information gathering solutions and management platforms available which are capable of addressing physical security within and outside healthcare facilities, and provide valuable information on activity such as visitor movement. These capabilities include video cameras with and without facial recognition, and licence plate recognition – supported in many cases with intelligent software.

There are many solutions available which enable the automation of entry and exit control and the provision of alerts should any unauthorised person attempt to gain access to a facility. These solutions are based on facial recognition and video analytics, and have proven track records in a host of applications.

CONDYN’s fraud and risk management solution can provide healthcare facilities with a range of benefits, including the detection of insider fraud, and assist these facilities with compliance to PoPI Act obligations. The system is capable of detecting abnormal internal behaviour across a wide range of communication and system channels.

The solution protects a company from insiders leaking sensitive data by checking inbound/outbound traffic for compliance with security policies and by controlling the creation, movement and change of confidential documents on local workstations as well as shared locations. It also simplifies the work of the information security department.

The system has powerful analysis of text, audio, video, graphics, and an embedded User Entity Behaviour Analytics (UEBA) component. Software capabilities include:

• Identification of weak spots that could be detrimental to the company. The solution searches for spots where a breach can occur and puts out a potential threat alert before an incident happens, thereby promoting a corporate security culture.

• Information flow and employee activity monitoring. The system controls all the data transfer channels, examines the information stored and moved within the company’s network, captures all the processes and employee activities, and analyses their behaviour.

• Corporate data analysis. Powerful analytics, various search options, automated graphics and audio analysis allow one assigned specialist to monitor thousands of staff members.

• Incident assessment. The system puts out alerts on policy violations and irregular employee activities, helping with investigation of incidents and improvement to security policies to minimise risks.

• Risk management. The software provides a comprehensive approach to internal monitoring. The system facilitates risk management, tracks events as soon as they occur, and runs investigations to prevent them in the future.

• Risk prevention. The system visualises all the events and connections within the company by issuing reports – relational graphs enable the user to detect irregular activities, analyse possible threats, and prevent incidents.

For more information contact:

• CONDYN, +27 12 683 8816, [email protected], www.condyn.net

• Secnovate, +27 83 252 5727, [email protected], www.secnovate.com

• ZKTeco, +27 12 259 1047, www.secnovate.com, www.zkteco.co.za


