Aligning Healthcare Information Security and Safety

March 22, 2017
Hospitals strive to deliver a more satisfying patient experience while still achieving both physical and data security goals

As today’s healthcare providers contend with the combination of tightening regulations, decreasing reimbursement and other economic challenges, they also must ensure data security while protecting the physical security of their facilities. These dual security concerns involve different departments with different roles and responsibilities; both groups are critically important to ensuring the reputation of an institution, the safety of its physicians, staff, and patients, and the security of visitor access that is so important to patient-centered care.

Meanwhile, challenges are becoming more complex in today’s more connected hospitals in the Internet of Things (IoT).  To address these challenges, administrators are adopting new ways of thinking about trust in smart environments, and evolving how they use trusted identities across the healthcare continuum with both mobile devices and the latest smart card technologies.  This shift in the use of trusted identities is transforming how institutions operate, how they manage access to patients, data and equipment, how they protect patient privacy, and how they improve billing accuracy without compromising the quality of care. From hospital to home, healthcare organizations are seeking to employ a combination of strong authentication and new IoT applications to address their challenges. As they do, they have the opportunity to simplify all aspects of healthcare operations, from opening hospital doors, accessing healthcare records and e-prescribing to how healthcare professionals interact with patients and log their activities.

Investing in Hospital and Healthcare Security

There is a revolution underway in healthcare that is spurring active investment in the security infrastructure, both for continuous renovations of existing buildings and to protect new buildings as well. With this investment, administrators are also embracing new ways to create, manage and use trusted identities while moving toward powerful new cloud service models. 

They also are increasingly adopting a seamless identity management experience using a combination of multifactor authentication and automated visitor management systems in the hospital, along with secure proof-of-presence solutions for documenting and verifying healthcare delivery in the home. As they move in this direction, they are driving several key developments that are helping to anchor today’s connected health revolution. These developments include the adoption of integrated identity and access management systems, increased demand for streamlined and compliant Electronic Prescription of Controlled Substances (EPCS) solutions, the move to smart hospitals that are connected to the IoT, and the growing role of biometrics. Each of these trends is having a major impact on care delivery and the hospital experience.

Integrated Systems: Compliant, Convenient, Comprehensive and Connected

Healthcare institutions are increasingly moving to integrated systems that enable multi-factor authentication to span the entire identity and access management lifecycle.  They also incorporate One Time Password (OTP) tokens, Public Key Infrastructure (PKI) encryption and biometrics to comply with the DEA and HIPAA for Electronic Prescription of Controlled Substances (EPCS).  Users prove their identity and authorization status by simply tapping an ID badge to generate and transmit an OTP that enables them to access thousands of supported cloud applications.

The same solutions will also be used to protect patient records and data, implement secure access to facilities, authenticate remotely to VPNs using mobile devices and facilitate new IoT use cases.  Visitor management will move to a web-based, policy-driven physical identity and access management approach that addresses the specific standards, processes, and challenges healthcare institutions face in managing the visitor identity lifecycle while delivering security and compliance in an open environment. Key considerations include supporting real-time patient feeds using Health Level 7 (HL7) integration so the system has all patient status and room information, and Status Blue integration so administrators can pre-register approved vendors and temporary employees.

Unified platforms will tie everything together and automate other manual workflows to provide an end-to-end physical identity and access management solution that integrates with access control systems, logical identity, and other internal applications, so healthcare organizations can manage all types of physical identities and their details. Additionally, the use of cloud technologies will transform credential issuance for physical ID cards and enable badge printing and encoding using managed service models. Healthcare institutions will also explore new opportunities to use trusted identities for applications such as emergency mustering, when it is critical to know who is in the facility.

E-Prescribing’s Impact: New Architectural Options and Authentication Choices

EPCS will play a particularly important role in driving access control decisions. Healthcare organizations will employ a multi-layered security strategy for complying with e-prescribing privacy protection requirements. This includes using software applications that conform to regulatory standards, and employing identity proofing and credentialing for two-factor authentication, which can rely on unique physical information such as a fingerprint or iris scan.

Many organizations will meet compliance requirements by using physical objects such as a FIPS 140-2 certified cryptographic key, hard token or card. PKI encryption using on-site or cloud-based validation services between all relying parties will need to meet an identity level of assurance for the cross-certification needed for the application. The use of PKI digital certificates in healthcare will continue to grow quickly. These certificates ensure that individuals, systems or applications are who they claim to be. Certificates are also available at different assurance levels and can be validated for authenticity in real time.

The overriding EPCS objective will be to optimize the physician experience when writing, monitoring and tracking online Schedule II-V narcotic prescriptions, in full regulatory compliance, from any location. Patients will also have a better experience, since prescriptions and refills can be sent ahead for fulfillment, usually with same-day expediency, a savings of at least two to three days compared with waiting on earlier paper-based prescriptions.

Hospitals will explore leveraging their e-prescribing architectures for other valuable capabilities such as secure remote access using credentials, key fobs, mobile smartphones and other smart devices, and OTP tokens. Digital certificates will increasingly be used for authentication to networks or applications, digital signatures will be used for online transactions, and users will also be able to digitally sign or encrypt documents and email. PKI security elevates these trusted transactions, which reduces or eliminates the opportunity for breach.

The PKI infrastructure will also facilitate the concept of Federated ID systems for an urban medical community, enabling an identity to be trusted and used throughout disparate facilities. With healthcare providers sharing multiple resources, the community benefits when they agree to create a single, central identity policy within which each provider organization maintains some autonomy. A Federated ID System leverages identity-proofed trust that is maintained and used in a shared community. No longer must shared-physician resources carry multiple badges.

Connected Healthcare: New Requirements to Ensure the Internet of Trusted Things (IoTT)

Healthcare institutions and their affiliated departments will embrace trusted identities, Bluetooth Low Energy (BLE) technology, predictive analytics and emerging IoT solutions that use real-time and proximity-based location technologies so they can more effectively connect, monitor and manage patients, mobile clinicians, and staff.  The same solutions will also provide a simplified IoT platform for managing physical assets, and help organizations to quickly locate critical medical equipment, beds, crash carts and other medical devices by providing the missing link between these assets and a trusted ecosystem. 

Continued adoption of electronic visit verification (EVV) will also leverage trusted identities, helping to streamline in-home patient visits and eliminate billing fraud using “proof of presence” applications that make it easier to document the time, location and accurate delivery of the care that is prescribed.  Solutions that combine trusted RFID tags, mobile apps, and web applications will add trust to these proof-of-presence applications.   

Biometrics: Growing Role in Patient and Provider Authentication and EPCS Applications

Biometrics will increase trust levels in the healthcare environment by better associating a user’s identity with his or her digital IDs.  It will be used to ensure that the patient receiving care is the person entitled to those benefits and that providers are authorized to view and update confidential patient medical records.  Biometrics will also be used in EPCS applications to authenticate the issuer, pharmacy staff and/or the recipient.

The fingerprint modality will continue to be one of the most widely used thanks to its ease of use, superior performance in the demanding healthcare environment, and its interoperability, low cost, and ability to thwart imposters. Multispectral imaging with liveness detection will be an increasingly important capability, ensuring unique fingerprint characteristics can be extracted from both the surface and subsurface of the skin to prevent fraudulent use of fake or stolen biometric data while protecting the user’s identity. 

Biometrics sensors and modules will also deliver improved capabilities including faster finger image capture for a better user experience and reliable matching across all demographic groups in diverse operating conditions, as well as certifications to key industry standards for accuracy and image transfer performance.

Getting Started

The first step toward aligning healthcare information security and safety is to make sure that facility security and IT security teams are working together to understand and follow best practices for both physical and logical access control.  This can be particularly challenging since so many of today’s healthcare institutions undergo mergers and acquisitions that introduce demanding badging and identity management requirements. The two departments should also collaborate closely on all aspects of designing, implementing and maintaining robust security capabilities, and ensure emergency preparedness for natural disasters.

In the physical access control arena, institutions must keep pace with security threats through the use of an open and expandable infrastructure that supports ongoing improvements. Meanwhile, as information security and physical security needs converge, hospitals must also carefully examine how to maximize their investments, ensuring that users don’t simply open doors with their ID cards, but also use them for applications ranging from cashless payment to accessing IT resources, all with a single, convenient and cost-effective solution.

Physical access control system (PACS) solutions that are based on dynamic technologies will be adaptable to changing hospital needs and the latest best practices as security threats evolve. Today’s PACS solutions support many access control applications on the same smart card. For instance, they enable physicians, nurses, researchers and administrative staff to carry a single card that provides access to the parking lot, main door, emergency room and pharmacy, and can also be used for visual ID verification, time-and-attendance, payroll transactions, tapping in and out of computer applications and cafeteria purchases. Storing biometrics on the smart card can deliver strong, multi-factor authentication in laboratories, research centers, and other sensitive areas.

Many institutions also want a path to IP-based PACS solutions as an alternative way to expand, customize and integrate PACS with other security solutions that can share the same network. Networked access control can streamline infrastructure enhancements and modifications. It also facilitates adding wireless locksets that connect with the online access control system, reducing wiring costs and eliminating the problems of easy-to-lose keys while providing near-online and near-real-time control of the opening. IP-based solutions also provide a single, integrated system for combining security, access control, video surveillance and incident response, perimeter detection and alarm monitoring systems. Hospitals can invest in a single, unified IP network and logically control multiple technologies that previously co-existed only on a physical level. They can also leverage their existing credential investment to seamlessly add logical access control for network log-on, and achieve a fully interoperable, multi-layered security solution across company networks, systems and facilities.

There is also the opportunity to integrate a hospital’s access control systems into a Physical Identity and Access Management (PIAM) software solution that provides the common bridge between disparate physical and IT security systems.  This delivers a variety of convenient, unified access control capabilities along with a more comprehensive view of otherwise disparate physical access control and visitor management systems, while also providing predictive risk analytics capabilities.  It also creates a streamlined user experience while extending strong authentication throughout the healthcare enterprise, from the desktop to the door, improving the overall security posture while consolidating physical and IT security.

Charting a Course

Hospitals have a variety of tools for achieving a strong and versatile PACS solution while also solving strong authentication challenges for information security and patient information privacy. Increasingly, the healthcare industry is moving toward converged solutions that can be used to secure access to everything from the hospital’s doors to its computers, data, applications, and cloud-based services, while tying smart hospitals to the IoT.

Truly converged access control will ultimately consist of a single security policy, one credential, and one audit log. The goal is a fully interoperable, multi-layered security infrastructure that is based on a flexible and adaptable platform. Such a platform will enable hospital administrators to preserve their investments as they grow, evolve, and continually improve their security capabilities in the face of ever-changing threats. The healthcare industry will deliver an improved patient experience, a more comprehensive security view, and a more coordinated approach to protecting privacy while controlling access to patient data, electronic prescriptions, equipment, and facilities.
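The "one credential, one audit log" model also pays off for detection. The following Python check is an added example, not code from the article or from HID Global; it assumes a hypothetical converged audit log in which door events and workstation logons share a credential id, and flags a successful logon at a facility workstation when that credential has not badged in, has badged in too long ago, or has already badged out.

```python
from datetime import datetime, timedelta

# Constructed sample records from a hypothetical converged audit log.
# Each record: (timestamp, kind, credential id, location or host, result)
EVENTS = [
    ("2017-03-22T07:58:00", "door",  "cred-1001", "main-entrance",      "granted"),
    ("2017-03-22T08:05:00", "logon", "cred-1001", "ehr-workstation-12", "success"),
    ("2017-03-22T08:10:00", "logon", "cred-1002", "pharmacy-pc-3",      "success"),
    ("2017-03-22T18:30:00", "door",  "cred-1001", "main-entrance",      "exit"),
    ("2017-03-22T19:00:00", "logon", "cred-1001", "ehr-workstation-12", "success"),
]


def find_unbadged_logons(events, window_hours=12.0):
    """Return (timestamp, credential, host) for each successful on-site logon
    that is not backed by a recent door entry with the same credential.

    The door log is replayed in time order to track who is currently inside;
    a 'granted' entry marks presence, an 'exit' clears it. A logon is flagged
    when the credential is absent or its entry is older than window_hours."""
    window = timedelta(hours=window_hours)
    ordered = sorted(
        (datetime.fromisoformat(ts), kind, cred, where, result)
        for ts, kind, cred, where, result in events
    )
    present = {}   # credential id -> time of last granted door entry
    flagged = []
    for ts, kind, cred, where, result in ordered:
        if kind == "door":
            if result == "granted":
                present[cred] = ts
            elif result == "exit":
                present.pop(cred, None)
        elif kind == "logon" and result == "success":
            entered = present.get(cred)
            if entered is None or ts - entered > window:
                flagged.append((ts.isoformat(), cred, where))
    return flagged


if __name__ == "__main__":
    for ts, cred, host in find_unbadged_logons(EVENTS):
        print(f"{ts} {cred} logged on to {host} without a matching badge-in")
```

With the constructed data, cred-1002's pharmacy logon (no door entry) and cred-1001's evening logon (after badging out) are flagged, while the 08:05 logon that follows a 07:58 badge-in is not.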

About the Author: Sheila K. Loy is Director Healthcare Solutions Identity & Access Management, North America at HID Global.