Finding the Right Prescription for Secure Healthcare Access Control
Healthcare and hospital security and safety professionals have numerous safety and security challenges.
High emotions. Expensive equipment. Controlled medications. Workplace violence. Wandering patients. Parking garage vandalism. Infant abductions. Privacy concerns. Managing emergencies. Shrinking budgets. Homeland security issues. Checking on visitors.
Healthcare and hospital security and safety professionals have it all.
But wait a minute. Just in the last few months, a growing number of hospitals have been hit with ransomware, in which outsiders take over a network, encrypt data and then ask for a ransom to decrypt it. At least one hospital in the last month has paid up to get its data back.
In addition, there are chemical hazmat situations and active shooter drills, adds Bill Hapner of integrator G4S Secure Solutions. Hapner has long-time experience in healthcare security.
All these threats and risks must be mitigated in facilities and with staff that has an inherent welcoming, caring attitude.
It’s a challenging assignment day and night, according to Dan Yaross, chairman of the ASIS International Healthcare Security Council. Almost all hospitals must have an “open and friendly environment.” At the same time, “there is more emotions involved and stress. Many of our facilities have a host of behavior concerns, too,” says Yaross.
Networking in Healthcare
The ASIS Healthcare Security Council brings together professionals to share their problems and solutions and best practices. “They are good people who unselfishly volunteer their time. It is very rewarding to be a member of the council,” Yaross says. Members meet at least six times a year by conference call and in person at the association’s annual seminar and exhibition. The council chairman is director of security at Nationwide Children’s Hospital, one of America’s largest pediatric healthcare and research centers delivering care for more than one million patient visits each year.
While technology is an important hospital security tool, Yaross points out that at many facilities, payroll is the largest part of the budget. His payroll, for instance, is over 80 percent of his budget. “There is more expected of security officers from how to best deescalate a situation to technical expertise,” he points out. “There also is the need for customer service, interpersonal skills and a ‘how can I help you’ attitude. Everyone and everything in the surrounding community comes into the hospital doors.”
On the technology side, healthcare security “has come a long way,” Yaross says, “with a lot of different products and systems aimed at security and safety.” When it comes to access control, hospital security executives see standardizing on smartcards and proximity readers when upgrading or in new construction. “Cameras are constantly improving,” he says. Of particular interest are the newer 360-degree cameras. “You can cut down the number of cameras and have better clarity of the pictures.”
Concerning infant and child protection in hospitals, it can be an integrated, tight package with pre-notification and video tied in as well, says David Alessandrini, vice president of integrator Pasek Corporation.
Yaross sees hospitals also upgrading from somewhat informal visitor stick-on badges or paper cards to fully functional visitor management systems. The Nationwide Children’s Hospital Security Director uses EasyLobby. Some systems can create a photo ID card, provide reentry from the database and search law enforcement databases such as those that identify sexual predators.
There is also a natural fit between emergency management and security systems. “The aim is to stop situations before they escalate. Seconds count,” says Yaross, who sees value in virtual patrols.
New to many facilities are global positioning system-based radio frequency identification (GPS RFID) and real-time tracking and locating systems (RTLS). Such solutions can range from nurse tracking to restocking throughout the supply chain. There is handshaking with other systems, too. One example: patient engagement platforms covering practice management, revenue cycle management, patient engagement and workflow of electronic healthcare records (EHR).
A very big ticket item, such software is gaining hospital users. For example, some of the nation’s largest and most prestigious hospitals and healthcare systems use Epic’s EHR system, including Oakland, California-based Kaiser Permanente, Cleveland Clinic, Johns Hopkins Medicine in Baltimore, UCLA Health in Los Angeles, Massachusetts General Hospital in Boston, Mount Sinai Health System in New York City and Duke University Health System in Raleigh, North Carolina.
Impact on New Construction, Renovations
As compared to other industries, healthcare has robust new construction and renovation, some spurred by mergers and acquisitions that can include inheriting someone else’s legacy systems. Yaross says it is best to get in soon for new construction. “And set security standards so there is no need to debate over every door. Healthcare is really a collaborative effort. So security must work with other internal stakeholders.”
Hospital parking lots and garages have unique security needs. Dan Birbeck, lieutenant for the Dallas County Hospital District Police Department, oversees Dallas-based Parkland Hospital as one of the liaisons for the Parkland Hospital replacement team that’s designing Parkland’s new hospital’s access gates, mass notification system and security features.
Parkland recently added a two-million square foot hospital replacement, the largest replacement in the country. “Our access card readers are integrated with the mass notification units and camera systems. Once the access card reader is activated, in addition to the emergency phones, we verify the user’s information on our camera system. If everything checks out, then the system or our dispatch center grants access to the individual. We have several different locations where we use the access card readers. We have them in various parts of our hospital, parking structures and open lots. If there is a malfunction with one of the gates, a user can activate the emergency phone and be connected directly to our dispatch center to send out assistance,” says Birbeck. His operation integrates that emergency system with access control.
“We also have the WEBS Contact software and towers to meet mass notification needs. The software lets us broadcast a message inside and outside our facilities. This allows us to contact everyone at the same time, or contact separate areas of the campus individually,” says Jones.
There are regulations, rules, accreditations and certifications that uniquely cover hospitals and also demand security involvement. The Joint Commission, for instance, is a United States-based organization that accredits more than 21,000 healthcare organizations and programs in the United States.
Standards and Mandates
Hospitals go to great lengths every three years to pass mandatory Joint Commission inspections. Several items that directly impact security vendors include making sure that all firewalls are sealed, that security cameras meet installation codes, and that high-risk areas are protected properly, per the elements of performance in the audit. This is an area that calls for a true partnership between the facility stakeholders and technology and service providers, in that all parties are aware and accountable relative to the regulations, comments G4S's Hapner, who has served as director of security for Hospital Corporation of America.
Relative to the C-suite, Turney points out patrons’ opinions and survey results can make a difference with the security budget. “It can tie to funding, and that’s a value for the C-suite folks,” he says.
There also is the Health Insurance Portability and Accountability Act (HIPAA), which mandates that certain businesses in the healthcare industry better protect data and patient information. A higher level of access control and surveillance of records are two requirements. It can get fairly detailed. At times, even security video must be positioned to meet HIPAA requirements. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which came later, expands requirements into associate businesses, often corporations that maintain health records of their employees.
While often off-the-shelf, technology can also be special to individual locations. One critical area is the main entrance. Froedtert & the Medical College of Wisconsin health network, a regional healthcare organization with locations throughout Wisconsin, employs an entrance configuration that combines an exterior automatic sliding door with an interior two or three-wing revolving door. The entrance solution serves as a vestibule for several entrances at two of the health network’s medical facilities. The design came from Automatic Entrances of Wisconsin.
Unique Revolving Door Access Solution
In the past, the concept of a large diameter automatic revolving door was foreign to most medical facilities. A major objection was that they anticipated people simply couldn’t get used to it, observes Jay Walt, vice president at AEW. It made so much sense to replace typical sliding door vestibules with a system that keeps out the weather, dirt and dust and helps keep hospital entrance areas clean, secure and attractive.
He adds that one initial objection to a revolving door was that it was perceived as not user-friendly. People approaching from the walkways on either side of the entrance would need to turn left or right and plan an angle of attack. However, by putting the sliding door out front, people entering the facility are now funneled into a new vestibule area, ergonomically aligned with the revolving door. It was an energy saver, as well.
Richard Boor, director of plant operations, estimates that the main Froedtert academic medical campus alone accommodates 750,000-800,000 visitors during the year. “We’ve achieved a more comfortable climate in both hot and cold seasons, our lobbies are cleaner and more inviting, and we’re saving on energy costs. The doors also give us special security features such as automatic lock-down,” comments Neil Jensen, project manager, facility planning and development for Froedtert. And for safety, for egress, there is a secondary swing door near the entrance with panic hardware, concludes Walt.
Beyond the hospital door, more than ever, security and safety systems have advanced and integrated. There are unique sensitivities that must be addressed, according to Jim Stankevich of Tyco Security Products. In addition to typical hospital locations, there are the labor and delivery areas, surgery, intensive care, the emergency unit, wandering patient concerns and, for some, units that handle patients with special behavior needs.
When it comes to linking systems and devices, a system can link dozens of alarm devices such as panic buttons, police call systems and remote alarming to a variety of audible or visual warning outputs. Such a solution provides duress and instant alert notification systems to healthcare facilities to protect patients, visitors and employees. One key to better access control is to limit outside entrances. Some hospitals have double digit entrances, a total which should be reduced.
It’s pure extortion. It’s attacking and making data in hospital computer networks unusable until a ransom – in Bitcoins – is paid. Some have paid up; most have not. Incidents are growing with most attacks coming from outside but a recent one indicates an inside job.
What is known by those in hospital security and safety is that such occurrences make very sensitive patient information unreachable and vulnerable. Even more perilous, in some cases it can make networked medical devices inoperable. That’s a life and death threat.
Like any malware or virus strike, there seems to always be a shrewd name for the dangerous software. In this case, you can pin the problems on Locky and, more recently, on Samsam, also known as Samas and MSIL. Locky and others encrypt files, documents and images and rename them with the extension .locky.
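As an added example (not part of the original article): the rename behaviour described above gives defenders a simple signal to watch for in file-server audit data. The Python below flags any host and user pair that renames many files to the .locky extension within a short window; the event layout, host names, users, paths, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_events():
    """Constructed audit events: (timestamp, host, user, old path, new path)."""
    t0 = datetime(2016, 4, 1, 9, 0, 0)
    events = [
        # Ordinary manual rename: extension does not match, ignored.
        (t0, "WS-ER-07", "jdoe",
         r"C:\Users\jdoe\notes.txt", r"C:\Users\jdoe\notes-old.txt"),
        # One isolated .locky rename: matches, but stays below the threshold.
        (t0 + timedelta(seconds=30), "WS-ER-07", "jdoe",
         r"C:\Users\jdoe\a.docx", r"C:\Users\jdoe\a.locky"),
    ]
    # 25 renames in 25 seconds against a file share: the burst to catch.
    for i in range(25):
        events.append((t0 + timedelta(seconds=120 + i), "WS-LAB-02", "asmith",
                       rf"\\fs01\radiology\scan{i:03}.dcm",
                       rf"\\fs01\radiology\{i:032X}.locky"))
    return events


def detect_rename_bursts(events, ext=".locky",
                         window=timedelta(seconds=60), threshold=20):
    """Return one alert per (host, user) that renames at least `threshold`
    files to `ext` inside a sliding `window`. Threshold and window are
    assumed starting values, to be tuned against normal activity."""
    recent = defaultdict(deque)   # (host, user) -> timestamps still in window
    alerts = {}
    for ts, host, user, old, new in sorted(events, key=lambda e: e[0]):
        # Only count files that gain the extension in this rename.
        if not new.lower().endswith(ext) or old.lower().endswith(ext):
            continue
        q = recent[(host, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop renames that fell out of the window
        if len(q) >= threshold:
            alert = alerts.setdefault((host, user), {
                "host": host, "user": user,
                "first_seen": q[0], "count": 0, "dirs": set()})
            alert["count"] = max(alert["count"], len(q))
            alert["dirs"].add(new.rsplit("\\", 1)[0])  # affected directory
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rename_bursts(constructed_events()):
        print(f"{a['host']} / {a['user']}: {a['count']} renames to .locky "
              f"since {a['first_seen']} in {sorted(a['dirs'])}")
```

An alert of this kind is a cue to isolate the named workstation from the file share while the incident response plan is started.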
Recent incidents include Henderson, Kentucky-based Methodist Hospital, which was forced to place a scrolling red alert on its homepage this week, stating that “Methodist Hospital is currently working in an internal state of emergency due to a computer virus that has limited our use of electronic Web-based services.” And, also recently, Hollywood Presbyterian Medical Center in Los Angeles was hit by a cyberattack that crippled its operations and put patients’ lives at risk in a ransomware breach. Hollywood Presbyterian Hospital’s central medical records system was largely unusable for 10 days, and some patients had to be transported to other hospitals. The attackers demanded $3.6 million to restore its computer systems and networks. It allegedly paid $17,000 to get access to files back.
And Baltimore’s Union Memorial Hospital has also had a malware attack. In this case, the attackers offered a “deal:” 45 bitcoins (about $18,500) for the keys to unlock all the affected systems.
Suddenly there is a “gateway to medical devices,” which puts lives at risk, says Steve King, chief operating officer at Netswitch Technology Management.
King has four things not to do:
- Never wait to acknowledge a breach.
- Never downplay a breach.
- Never suggest an attack was “random;” hospital executives know their cybersecurity defenses are weak or non-existent.
- Never pay the ransom.
King adds that healthcare facilities need to improve their cyber-defenses right now. And he feels that internal security and IT departments should reach out to outside experts who are more focused on specific threats that always evolve. The bad guys are often three or four steps ahead. But is there a conflict for the chief information security officer to report to the chief information officer? King suggests that we are heading in the direction that CISOs will report higher up beyond IT.
Mary Siero, an experienced CIO in healthcare, agrees that companies need to be better prepared for ransomware, which is increasing at an alarming rate. “Organizations should not assume that the breach is minor without an in-depth assessment and should also not assume that sensitive data has not been breached until they have their assessment,” says Siero. “Hopefully the organization has considered the seriousness of these and other breaches and developed an incident response plan in advance of breaches.”
Christopher Ensey, chief operating officer, Dunbar Security Solutions, says, “It’s no longer enough to just have anti-virus protection. Hospitals need to refresh their choices and bring in new solutions. Nowadays, it is the classic cat and mouse game.” Ensey points out that the most common way Locky gets itself on machines is via a spam email with an attached document. So it is a matter of training and retraining all staff.
ANSI Grade 1 institutional life safety locksets address managed liability, accident prevention, life safety and security in behavioral healthcare institutions. The technology has cylindrical, mortise styles, electrified units, ideal for buzz-in and man-trap applications, plus antimicrobial finishes.
For busy hospital locations, there are push/pull paddlesets with a cylindrical chassis (not tubular) for maximum durability and long life span.
There is also a need for hands-free switches in hospital settings. The technology showcases active infrared devices using micro burst sensor technology, designed for use in ADA-compliant automatic door and UL-compliant access control applications. Such switches eliminate the spread of germs by avoiding physical contact and offer building occupants greater convenience when moving through the premises.
IP-enabled solutions for security control room and command center display applications integrate multiple disparate systems (one example comes from RGB Spectrum). Concerning multiviewers and video wall display processors, custom software solutions exist to bridge disparate security systems and provide a unified system of control. A more useful solution enables security operators to leverage existing assets while integrating new systems as security needs evolve. This requires an architecture that can accommodate change, one based on a common denominator between legacy and new systems. That common denominator exists – it is video, says Bob Ehlers of RGB Spectrum. A video-centric approach integrates disparate systems over baseband video or IP (LAN/WAN), presents operators with a common user interface and offers shared control using keyboard-video-mouse technology. A video-centric control room system architecture can offer a number of benefits, including a growth strategy that can leverage existing systems while allowing for new systems to be brought online and integrated more easily. The benefits of a modern video-centric system are significant.
Stuff happens. Especially in healthcare facilities. And those tasked with security and safety responsibilities know they must learn from incidents, often also reporting relative to compliance.
Pullman Regional Hospital in Pullman, Washington, and RGP Healthcare of San Francisco are implementing a state-of-the-art incident management and patient safety system. The technology is a peer review solution designed to help hospitals, clinics and senior living communities manage adverse events and other compliance-related functions across the enterprise. Pullman is a full-service medical center that offers a range of advanced medical services to the Palouse region, a vast geographic area spanning southeastern Washington and northern Idaho.
The incident management system captures incident data and provides required reports to multiple patient security and safety organizations and state agencies on-demand or via a set scheduling process that includes quarterly and annual report capabilities. Healthcare organizations can customize workflow, data collection, analysis and reporting to meet specific needs without the need for complex data transformations or double data-entry.
A new study demonstrates security flaws to be pervasive within the healthcare industry. The research found that adversaries could deploy cyberattacks that result in physical harm to patients, according to Independent Security Evaluators (ISE) of Baltimore, Maryland. All hospitals investigated had very serious security issues, suggesting broader implications across the entire industry. “No doubt, there is focus on protecting patient records,” says Ted Harrington, executive partner with ISE. “But there are real threats in physically harming patients. And, I believe, the industry is ill-prepared to effectively deal with them. There are business shortcomings.”
Remote adversaries can deploy attacks that target and compromise patient health, and insider threats are there, too, according to Harrington. With significant integration [of systems], there is more need for trusted access. Connectivity introduces more adversaries, he says.