Mitigating Security Threats to Hospital Facilities and Data

sstromberg's picture

The modern healthcare facility faces increasing crime and economic challenges in protecting people, property and sensitive data.   There are a number of best practices to consider.  

The first step is to ensure access control systems are based on an open architecture and can therefore support new capabilities over time.  It is also important to use contactless high frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys, and use a secure messaging protocol delivered on a trust-based communication platform within a secure ecosystem of interoperable products.   With this foundation, hospitals can combine adaptability with the highest level of security, convenience, and interoperability.

Adaptability is particularly important.  Down the road, a hospital may want to combine multiple applications onto a single card.   This improves efficiencies by centralizing management, and eliminates the need for hospital employees to carry separate cards for various applications, from opening doors, accessing computers, and making cashless vending purchases to using time-and-attendance and secure-print-management systems.   

It is also critical to consider managing the identities of hospital visitors.  Paper guest books aren’t sufficient.  They should be replaced with registration systems that are capable of screening, badging and tracking all visitors, or at a minimum, critical areas such as pediatric wards and “after hours” when staff is reduced. Visitor management systems should support the HL7 interface control so visitors can be matched to a variety of key real-time information.  Additionally, these visitor management capabilities should be integrated into the access control system, to simplify the issuance of temporary card access to specific guests, such as contractors or temporary employees.  The system also should support optional screening and watch lists of unwanted visitors, and enable hospitals to create long-term, durable visitor badges for family members who will be visiting a patient frequently over an extended period. 

Device authentication should also be a key practice.  The default model is to ensure that authenticated users within the hospital may only access their own or their patients’ health records from a known and properly registered device.  For affiliated doctors, the best approach here is mobile soft tokens that replace multiple One-Time-Password (OTP) tokens, and the requirement that these individuals authenticate their devices, inside and outside the hospital.  The security of on-line patient identification and record access is equally important, and solutions must be flexible enough to support new regulatory requirements over time.  On-line banking strategies provide a roadmap, especially a layered approach that has proven effective in ensuring appropriate levels of risk mitigation can be applied. 

Hospitals, their staff and patients face challenging and evolving security threats.  Protecting hospitals from these threats requires physical access control systems with integrated visitor management capabilities, plus logical access control solutions that take a layered approach to risk mitigation while moving beyond passwords to implement strong authentication.