Hospitals Must Combat Threats to Both the Facility and Their Data


The modern healthcare facility must contend with a difficult combination of increasing crime, tightening regulations, and economic challenges as administrators and their security teams strive to protect people, property and sensitive data.   The International Association for Healthcare Security and Safety (IAHSS) reported in its 2012 Crime and Security Trends Survey that the number of healthcare crimes increased by nearly 37 percent in just two years, from just under 15,000 in 2012 to more than 20,500 in 2012.  And according to the Ponemon Institute, nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years.  Increasingly, hospital security and information technology (IT) departments must work together to design, implement and maintain robust security capabilities.

There are several best practices to consider.  First, access control systems should be based on an open architecture so they can support new capabilities over time, and they should use contactless high frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys.  Cards should also employ a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products.   With these capabilities, hospitals can ensure the highest level of security, convenience, and interoperability, along with the adaptability to meet future requirements. 

One future requirement may be the ability to combine multiple applications onto a single card.   In addition to centralizing management, this eliminates the need for hospital employees to carry separate cards for opening doors, accessing computers, using time-and-attendance and secure-print-management systems, and making cashless vending purchases.  Other applications can include building automation, medical records management, and biometric templates that are stored on the card for additional factors of authentication. 

With a highly secure smart card foundation in place, hospitals are also well positioned to improve risk management and comply with new legislation or regulatory requirements.  As an example, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information. 

Visitors must also be considered.  Paper guest books should be replaced with registration systems that screen, badge and track every visitor and vendor.  These systems should support the HL7 interface control so administrators can match visitors to real-time information about patient admissions and discharges, Status Blue for pre-registering and approved vendors, and access control integration to provide temporary proximity card access to specific guests, such as contractors or temporary employees.  They also should support optional screening and watch lists of unwanted visitors.   Finally, they should enable the creation of long-term, durable visitor badges for family members who will be visiting a patient frequently over an extended period.

For logical access control, it’s important to move beyond simple, static passwords to strong authentication methods that ensure individuals accessing data are authorized to do so, and are who they claim to be.  Speed and convenience are important -- a hospital campus is essentially made up of multiple remote access areas, such as test rooms where a nurse may need to access digital x-ray results.  It would be difficult if staff had to use a strong authentication method that was complicated or required considerable time and/or typing in each area where they must access data.  Instead, they should be provided with contactless One Time Password (OTP) login solutions that enable them to easily “tap in” and tap out” for computer login and logout with strong authentication. 

Another important practice is device authentication, and the default model is to ensure that authenticated users within the hospital may only access their own or their patients’ health records from a known and properly registered device.  In the case of affiliated doctors who work with many hospitals, the best approach is to provide them with mobile soft tokens so they don’t have to carry multiple OTP tokens.  Affiliated doctors also should be required to authenticate their devices, both in the hospital and at home or the office.  New developments include device authentication technologies that recognize anomalies in users’ typical typing style and behavior.

Logical access control is also important for on-line patient identification and record access.  HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) act point the way, but it will be important that solutions be flexible enough to support new regulatory requirements over time.  We also should look to the consumer on-line banking model, where a layered approach has proven effective in ensuring that appropriate levels of risk mitigation can be applied.  Another key element that can be applied from on-line banking is to validate transactions as well as sessions.  Typically, users log onto a site and continue, uninterrupted.  With a layered model, a lower-level security check may suffice for users and doctors conversing about symptoms.  But if the user wishes to download sensitive documents, there may need to be multiple strong authentication security checks during the session.

Hospitals and their staff and patients face growing security threats.  Administrators need a combination of physical access control systems with integrated visitor management capabilities, and logical access control solutions that take a layered approach to risk mitigation while moving beyond passwords to implement strong authentication.