Diversify Lesson from Healthcare Security
January 1, 2007
There’s the traditional parking and door access control needs, of course. There are also the emotion-driven “people threats” at emergency rooms, in waiting rooms and areas where there are newborns or wandering patients, for example. Expensive equipment, often on wheels, can get lost in a facility or stolen. And medicines and controlled substances need protecting and auditing. Data security gets kicked up a notch thanks to privacy and accreditation requirements. Then there are the typical and unique fire and life safety concerns.
The business of healthcare security is complex, intense and continuous.
Just ask Tony Potter, director of public safety at Forsyth Medical Center in Winston-Salem, N.C. He manages protection at this 847-bed not-for-profit regional medical center that’s coupled with the nearby 136-bed Medical Park Hospital, making the complex one of the largest, best-equipped hospital facilities in the state.
INTEGRATION PLATFORM
Potter upgraded access controls for badging about two years ago but realized that the business was not even scratching the surface of the GE Security Secure Perfect system capabilities, such as using it as an integration platform for other systems. “Being a hospital, integration must be done incrementally,” added Potter.
When Potter started with Forsyth in mid-2003, he had 35 cameras but has since expanded to 140 with space to increase to 300 in a plan that extends to 2008. As with many healthcare facilities, Forsyth is expanding, and security is being designed into new facilities, which increases effectiveness and reduces cost. “A retrofit is twice the cost and less effective. Security used to be an afterthought. Now all infrastructure is in architect’s drawings, contractor installs,” said Potter.
For Chuck Christian of Indiana-based Good Samaritan Hospital, his greatest business challenge this year is to “provide secure access to the clinical information, while verifying the identity of the individual accessing the information without making it overly difficult or complex.”
Good Samaritan is a values-driven regional hospital that provides quality care in a patient-centered atmosphere to communities of Knox and surrounding counties.
Christian’s strategies are complex. “You need to be aware and educated on what is considered prudent practices, understand the business of healthcare, while focused on the importance of the information that has been entrusted to your care.”
Concerning important security technologies to serve his mission, Christian believes that intrusion detection and prevention are always at the top of the list. This means “expanding upon our single sign-on (SSO) platform (from Imprivata) to include additional layers and methods of authentications, with the potential of integrating physical building access and security into the process. We continue to work to mitigate the risk of expanding remote access to clinical systems.”
BEST SECURITY = BEST HEALTHCARE
“Our goal is to provide the best healthcare possible to our patients, so if our employees are frustrated because they have too many passwords to remember or they cannot access patient information in an efficient manner, that hurts everyone,” said Christopher Paidhrin, IS security and HIPAA compliance officer for Washington State’s Southwest Washington Medical Center (SWMC) in Vancouver, Wash. Paidhrin serves his organization and community as an expert, advocate and leader in the IT security and HIPAA compliance domains.
Among his greatest security challenges this year, he sees workforce awareness of IT threats as one. “All of the security technology available does not prevent some people from inappropriate behavior that directly, or indirectly, compromises IT security. External threats can be risk-managed and mitigated. It is the inattentiveness to best practices by the workforce that presents the real and present danger of abuse or neglect. In response I must provide ongoing awareness training, and monitoring for compliance, to reduce the vulnerabilities.”
Another challenge: integration of IT security audit logs, alerts, change control and related event-based reporting. “There are a number of secure information and event management solutions available; but finding, funding and deploying the right match for our environment will be a real challenge.”
There’s also wireless access by physicians and the public. Said Paidhrin, “Although we will segment and isolate public and physician wireless access to our organization, access control -- and all of the logging, auditing and management that entails -- remains a serious challenge.”
Among Paidhrin’s sage advice: “If an organization does not already have an enterprise-wide single sign-on solution, then start here. If you don’t have spam, malware and network anti-virus solutions in place, get them… The solutions to each of these will provide quick return on investment; some in as little as a few months.”
IN CASE OF EMERGENCY
Should a fire occur, employee training, suppression technologies, first responder tactics and mutual aid infrastructures provide layers of defense-in-depth response as an incident grows in size and magnitude. The very first of many levels of defense, after prevention, is the proven and time-tested portable fire extinguisher. Portable fire extinguishers offer speed, portability and rapid knockdown of electrical fires that cannot be matched by most other equipment. Their proper selection, maintenance and training are essential to the successful use of these important fire-fighting tools as part of a defense-in-depth program.
Once the proper equipment has been chosen, it must be maintained properly in order to be effective. NFPA 10 requires inspections of extinguishers at 30-day intervals. These inspections are a “quick check” of the unit to assure reasonable confidence in its operation. NFPA 10, 2002 Edition has detailed information on how and what to check on the extinguisher during a 30-day inspection. NFPA 10 also requires an annual maintenance to be performed on every extinguisher. According to NFPA, annual maintenance is a thorough examination of the unit and should be performed only by trained persons who have the proper manuals, tools and materials.
If the facility is currently performing in-house annual maintenance by full-time employees, security, life safety and facility managers may want to re-evaluate their approach. Employees trained, equipped and solely dedicated to this function can be effective; however, if this is not the case, the maintenance program will be inadequate. It may be more advantageous to contract this work out to fire equipment distributors who have trained professional technicians and the appropriate parts, manuals and supplies to do the job properly.
It is imperative that maintenance be performed in accordance with NFPA 10, local codes and the manufacturer’s maintenance manual. Some manufacturers offer warranties, which are a smart supplemental purchase.
TRAINING NECESSARY FOR FIRE PROTECTION
Fire extinguisher training is necessary for effective, safe extinguisher use and is required by OSHA. Live fire training exercises, still considered the most effective method for training employees on using extinguishers, are becoming increasingly difficult to perform. Stricter air quality standards and employee scheduling make conducting live fire training exercises on site nearly impossible.
Some fire extinguisher manufacturers still offer live fire training at off-site facilities on a limited basis and there are many industrial fire schools throughout the country. In addition, fire equipment distributors will often offer specialized or customized extinguisher training that is tailored to a facility’s particular needs and schedule.