Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!

Best Security Systems Mean Better HealthCare

By Diane Ritchey
July 1, 2009
From the control room at Toledo Hospital and Toledo Children’s Hospital, operators can access any of the more than 160 video surveillance cameras installed in the new tower.


A healthcare facility or hospital is unlike any other organization. It’s generally open 24 hours a day, sevendays a week and is open to the public. There is expensive equipment in many areas, patient records and confidentiality that needs constant protection, parking and door access control needs and medicines that need to be kept safe. A hospital or healthcare facility can challenge any security professional and present unique security challenges. On top of that, security professional stress the need to balance keeping everything and everyone safe and secure, while being unobtrusive for hospital patients and visitors.
     
Bonnie S. Michelman, director of Police, Security and Outside Services at Massachusetts General Hospital, in Boston, added being unobtrusive is a daily goal. “Our standard practice is excellence everyday. We strive to have a secure environment without making it too scary [for patients and visitors]. You want it to look like Fort Knox but not feel like Fort Knox.”
     
Michelman has a multi-million integrated system in place that has grown over 15 years and is one of the most sophisticated systems in the country, she said. “It’s not just one system, but it’s a large integrated system that links many different systems to each other.” But she adds that it’s also flexible and large enough for expansion, if needed.
     
Bryan Warren, CHPA, CPO-I, and director, Carolinas HealthCare System Corporate Security, said that managing a hospital and healthcare facilities’ security system is “a unique challenge because of the need for balancing convenience with security while protecting clients and visitors whose thoughts are often on their loved ones and not on their own protection. This, coupled with the significant regulatory requirements and healthcare specific directives (such as the Centers for Medicaid and Medicare Services’ Conditions of Participation and the EMTALA rule), makes for a very complicated environment in which to provide security.”
     
Operating with smaller budgets is a concern as well, Warren said. “As is the case with practically every industry, we are trying to do more with less and be innovative in our approaches to problem solving. The days of simply throwing manpower and overtime at a security issue to solve it are gone, and we are now becoming more reliant on technology to solve some of these issues (such as a one time capital expense versus a recurring operational expense). That being said, the best CCTV or access control system in the world can’t grab the bad guy or comfort the victim of a crime,” he said. “Investment in technology is great, but an investment in your staff and their training is crucial for the security of any facility. Quality, not quantity is the new paradigm and we are relying more and more on our security force to be creative problem solvers.”
     
One solution at Carolinas HealthCare System in Warren is proud is the Public Safety Resource Office concept. “After the opening of a newly constructed Rehabilitation facility in a neighboring county, it was decided that there would be no on-site security, but that security would instruct the existing plant operations personnel in certain aspects of the security function, and these individuals would serve the security needs of the facility,” he said. Thus, a special training program was created to instruct “hybrid” personnel the basics of proper report writing and documenting of security-related incidents, patrol techniques, civil liability and constitutional law and a variety of other important topics.
     
To supplement these employees, an existing office space in the facility was converted into a Public Safety Resource office for local law enforcement use. “After crafting a Memorandum of Understanding and vetting this document through all appropriate legal channels with each agency that was to use this office space (two city police departments with adjacent jurisdictions to the facility and the local Sheriffs department) special customized identification cards were created for each agency that would allow their personnel access into this office area,” he said. “By encouraging local law enforcements to come on site by offering this area for their officers to do reports, make personal calls and use the computer, we effectively increased a preventative presence at no cost to our department or organization while strengthening our community relationships with our neighboring county and its police officers.”


HealthCare Regulations Challenges

Since the introduction of the Health Insurance Portability and Accountability Act (HIPAA) and the Joint Commission standards, healthcare organizations have invested money, time and energy into ensuring that healthcare data is safe and that standards are met and even succeeded.
     
Michelman said that “regulations affect everything that we do,” adding that her security system has been modified in terms of data center security and information security protocols in response to recent HIPAA regulations. “We look at it as a balance of state of the art technology that fits the risks, protocols and procedures with awareness and education program that harden our targets.”
     
Additional security system changes, she said, have included forcing every device that has patient health information to be password protected, engraving systems on devices, and low jack systems on some equipment. 
     
Warren said that, “In addition to the universal predicament of securing PHI (both in its physical and electronic forms) and meeting the new Joint Commission standards, one interesting issue that has arisen with HIPAA is that of interactions with law enforcement and the response to legitimate requests for information about patients.” He said that while there are sections of HIPAA that allow such sharing of information under very specific conditions, many clinicians have been educated that they cannot share PHI (Protected Health Information) under any circumstance, and such refusals can at times create a rift between the hospital and local police. “We have been working diligently on creating a process by which local police bring with them a recognized “request for information” form to our clinical staff, who would then be educated to contact hospital security for direction and assistance on any such information requests involving a client or patent,” he said. “By working with our corporate compliance, legal and risk management departments, the inception of this process will hopefully alleviate much of the misinformation about HIPAA and make for a smoother process for complying with such regulations.”


THE RENAISSANCE PROJECT

Another example of combining a high level of security without compromising patient care and making patients feel comfortable is the Toledo Hospital and Toledo Children’s Hospital in Toledo, Ohio. The facility’s “Renaissance Project” was a large construction project for ProMedica Health System, a northwest Ohio not-for-profit health care organization that operates the facilities. The hospitals’ 10-level, 500,000-square-foot facility has redefined what it means to provide a patient- and visitor-friendly environment. The facility also employs a digital video surveillance system from Panasonic System Solutions Company.
     
The new facility provides 289 private adult and pediatric patient rooms, and also houses clinical areas such as a surgical intensive care unit, adult intermediate care unit, newborn intensive care unit and general pediatrics and pediatric hematology/oncology, including the Debbie Brass Children’s Cancer Center.
     
When hospital personnel were planning the expansion in 2004, a new security system quickly became part of the plans. The hospital’s existing security command center near the north entrance had outgrown its location and outlasted its capabilities. The center would have to be enlarged, modernized and relocated near the north entrance to accommodate 160 video surveillance cameras that would provide security for the new addition. Camera locations, intercom stations and panic buttons were all planned to provide maximum security protection for the new building expansion. In addition, changes needed to be made to the control center to accommodate the new technology.
     
The plan was to have a camera covering every stairwell, every elevator alcove, and all entrance and exit points – plus three cameras in the new parking lot. Since the hospital’s Emergency Room is a hot spot, security personnel wanted to keep a close eye on the images from cameras covering that area.
     
Personnel at The Toledo Hospital and Toledo Children’s Hospital also wanted to be able to view all the cameras from the security control centers and also from remote sites, since the administrative offices are in a separate building. Using the new system, video can be obtained from any computer on the network by accessing the digital recorders using Panasonic’s management software. “I can do it all from my desk,” said Don Sullivan, Security Technical Specialist at The Toledo Hospital.
     
Hospital security personnel wanted to capture one or two images per second on every camera, operating 24 hours a day/seven days a week. “With all the cameras we have added and everything digital now, whatever happens throughout any of our monitored locations, we will likely have some video of it. The system also can protect us from a liability standpoint,” said Sullivan.


The U.S. HealthCare System's Overhaul

The Obama Administration has announced that it will modernize the nation’s healthcare system. Last month, President Obama told a group of members of the American Medical Association that “when it comes to the cost of our healthcare, the status quo is unsustainable.” The Administration said it plans to overhaul the system in terms of privacy, access, and identity. For example, healthcare IT is getting a $19 million funding from the American Recovery and Reinvestment Act
of 2009.
     
A recent event in Washington, DC by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition highlighted the urgency of these efforts.  
     
“There is a risk we will focus too much on standards for electronic health records (EHRs) and ways to exchange them at the expense of sound privacy and identity models,” said Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit association that works to educate the adoption, usage, and application of smart card technology. “The critical issues are getting control over who has access to healthcare information, and correctly tying the right individual to his or her health records. That means identity management and access authentication security have to be baked-in from the start, not tacked on at the end.”
     
Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions, according to Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. At the event, he cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. He said that Mount Sinai has revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.
     
Hospitals and other stakeholders also face significantly stronger privacy and security rules along with new financial penalties for violators, said Richard D. Marks, co-founder and president, Patient Command, Inc. Marks told event attendees that the healthcare “HITECH Act of 2009” provisions in the American Recovery and Reinvestment Act are a direct effort by the new Administration to extend and enforce HIPAA regulations that were largely ignored until now. He said that the new legislation has created health record data breach notification rules, fines for failure to protect personal health information and rights for complainants to share in civil monetary penalties levied on offenders. He also said that any civil and criminal penalties are not limited only to institutions, but also apply to negligent CEOs, CFOs, CIOs and board members.
     
Whether personal healthcare information is stored centrally or at the place it is created, its security is far more critical than even other types of personal information such as credit card accounts, said Michael Magrath, director, Healthcare and Government for Gemalto. Magrath said that if someone steals your credit card number and starts using it online, the bank will replace your financial losses and just give you a new card; however, there is no single issuer there to protect you in the case of healthcare information. “If my personal healthcare records are compromised there’s no recourse. It’s out there and it’s out there forever,” he said.


What is the Red Flags Rule?

The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the Rule, which was announced late last year, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices, or specific activities that could indicate identity theft.
     
The Rule specifically applies to creditors and financial institutions, but healthcare organizations can be included as well. Federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. However, the rule says, where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.
     
Under the Red Flags Rule, creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
     
John Christly, manager of Information Technology Security/MHS HIPAA Security Officer for the Memorial Healthcare System in Miramar, Fla, a public system that operates 41 facilities and five main hospitals, said that he thinks the Red Flags Rule will “do better than HIPAA.”
     
“It’s a good program to prevent and protect against ID theft,” Christly said. “It includes required elements that one must do if you suspect theft. We implemented an ID theft task force and a committee to enforce it, and now it’s our standard practice…it’s organization wide on how to protect and react to a suspected breach of sensitive information. It involves stronger checks on social security cards and licenses, which we were always doing, it just was not formalized. But now it is.”

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Diane 2016 200

Diane Ritchey was former Editor, Communications and Content for Security magazine beginning in 2009. She has an experienced background in publishing, public relations, content creation and management, internal and external communications. Within her role at Security, Ritchey organized and executed the annual Security 500 conference, researched and wrote exclusive cover stories, managed social media, and authored the monthly Security Talk column.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • The Security 500

    The Security 500: Beyond Best Practice to Best Fit

    See More
  • Cover feat

    2013 Security Leadership Issue: How to Become a Better Security and Business Leader

    See More
  • Security Branding

    2014 Security Leadership Issue: Building Security's Brand for Better Buy-in

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing