Hospitals getting smarter on credential strategies, lockdowns

Feb. 27, 2014
Smart cards and smart lockdowns are healthy cures for hospital security and safety

Whether it is meeting HIPPA guidelines or assuring patients and staff is protected, hospital facility managers and security professionals are being forced to re-examine their access control procedures and systems. In many cases, their present credentials are inadequate and lockdown procedures are faulty. That’s the bad news. The good news is that with a little knowledge and planning it’s possible to bring safety and security to the proper level. A weaving in of the latest in security solutions and procedures can increase security and safety for patients and staff.

Too many credentials; too little commonality 

It’s not uncommon. A hospital employee might carry a magnetic stripe ID card with two barcodes on her lanyard. In addition, she must remember two different PINs for certain doors, carry several brass keys for others and have a proximity fob in her pocket for the institution’s new wing -- all this just to interact with the variety of secured areas and systems in a normal work day.

However, it would be much more efficient, economical and secure to have the employee simply carry a smart card that works with a variety of applications. It can provide her access to the areas of the hospital for which she is authorized, as well as access to many other hospital applications, making her job easier, adding to her productivity and helping the hospital become more secure using just that single card.

Of course, not only is the credential landscape complicated. When reviewing the typical hospital access control system in use today, in all too many cases, it was installed in stages or has come together as a result of consolidation of hospitals into a single health system. As a result, it is comprised of different brands and disparate products, many of which do not integrate into the same system or talk with each other. Many of today’s hospital security systems require several separate databases and a plethora of software interfaces that can create confusion, lower the level of security within the facility and decrease staff productivity.

In other words, healthcare organizations too frequently depend on independently operated ’silos’ of systems and processes that don’t allow for data to be exchanged among them. This approach can result in duplicated efforts, delayed response times and complicated compliance issues. This is not only true for security-related systems but also for systems running the broader physical environment and, inevitably, systems across the enterprise.

Not only are such scenarios cumbersome for the employees, they drive the physical access control management staff crazy. And as IT departments become more prevalent in access control hardware and software purchases and system management, smart card technology can help facilitate consolidation and standardization activities.

Increase Security and Solve the Credential Problem

Any type of card can be used – magnetic strip, proximity or proprietary smart card. However, hospitals are learning that they get their best return-on-investment (ROI) with open architecture contactless smart credentials. A smart credential’s microchip can store, protect and modify information, and provide many opportunities for information sharing and exchange. Smart cards offer a number of ways to verify an individual, including static and dynamic passwords, digital certificates and private keys, biometrics and photos.

Smart cards may provide hospitals with a superior solution over other card products, increasing the security of data and providing added convenience to the user. And, by also adding open architecture capability to the mix, hospitals can provide secure access for staff to more applications and add value to the many proprietary systems currently in the marketplace without having to go through software and interface tweaks so prevalent with proprietary credentials, including smart cards.

The open architecture design of a smart credential means that it is capable of accepting a customized key for multiple, diversified applications. This lets hospitals add applications on their own terms, expanding as slowly or as quickly as they like. With memory options of 2K, 4K and 8K bytes, hospitals can get the memory they need, without paying for extra memory they don’t.

Not only can they access physical locations, but also the hospital’s computer networks and EMR (logical access). Smartcards can be used to match a healthcare provider with the patient to ensure safety during care. Employees will also find them convenient for payments at the cafeteria or vending machines, to check out scrubs, equipment and tools, for time and attendance, secure printing and other applications.

With the price of smart credentials being comparable to proximity today, the roadblocks for deploying smart credentials during the hospital’s next implementation, even if only for physical access control, are eased.

Caveat – There is More than One Type of Smart Card

To heighten security, ranging from protecting patients themselves to their medical records, hospitals need to use a contactless smart credential that is armed with mutual authentication and encrypted with (Advanced Encryption Standard (AES) 128- bit diversified keys. With such a capability, the card and reader verify that they are authorized to communicate bi-directionally. Additionally, 128-bit keys virtually ensure no one can read or access credential information without authorization.

The technology behind AES has been approved by the NSA (National Security Agency) for classified information. A message authentication code (MAC) further protects each transaction between the credential and the reader. This security feature ensures complete and unmodified transfer of information, helping to protect data integrity and prevent outside access,

If implemented, hospitals should use an open solution smart credential, one also built to adhere to ISO 14443, a four-part international standard for contactless smart credentials. This results in faster data transfer between credential and reader, up to 848 kbps baud rate (1K baud = 1,000 bits of data per second). ISO 14443 technology, the same standard used by the U.S. government, is especially recommended for hospitals applications requiring large amounts of data such as biometric templates to be used at pharmacies and other high security locations.

 The secure access solutions available with open system smart credentials have several ROI implications. For example, when a smart card program is introduced, it immediately solves the problem of (forgotten) passwords for network access, a nemesis for both users and administrators. Hospitals will reduce overhead costs simply by not having to administer passwords. Or, for added security, using a smart card along with a password adds the protection of dual authentication to sensitive systems.

Also, the roll-out of smart credential solutions for physical access control is typically done in tandem with the implementation of card management systems that involve card issuance, personalization, access rights, management and post-issuance.  This, along with having only one card to purchase and manage simplifies the management processes, making them more cost-effective and efficient.

Using Smart Phones like Smart Cards

As Near Field Communications (NFC) technology is now being added to a growing number of mobile handsets to enable access control as well as many other applications, more and more organizations, including healthcare centers, are considering joining the “bring your own device” (BYOD) trend and having their users deploy their own smart phones and their access control credentials. It is projected that over 285 million NFC-enabled smart phones were expected to be sold in 2013 and over half the phones sold in 2015 will be NFC-capable.

NFC provides simplified transactions, data exchange and wireless connections between two devices that are in close proximity to each other, usually by no more than a few inches. A web-based credential management system allows NFC-enabled smart phones to grant access to buildings and various rooms as well as partake of other badge ID applications just like smart cards.

To turn NFC-enabled smart phones into an access control credential, allowing people to use their smart phones to enter buildings in the same way they present a badge ID, users simply download the app to their smart phone. Then, their access control administrator uses the cloud service to send a secure mobile credential directly to the user’s phone. Once the mobile credential is downloaded, users open the app and tap their smart phone to the reader in the same way they use an ID card. For many employees, including visiting doctors, this is much easier than searching for a card.

Those not able to make an upgrade today to a smart credential solution may want to consider incorporating multi-technology readers that read magnetic stripe and proximity cards as well as smart cards (and smart phones!) concurrently so that, when the switch to smart credentials comes about, they will not have to tear out and re-install readers.

Increasing Security by Updating Lockdown Capabilities

Violence in healthcare environments is on the rise.  Whether it’s an active shooter situation, a domestic incident spilling over into the emergency department, or patient/family violence against staff members, lockdown procedures can help contain and control the situation and keep other patients and staff from being put in harm’s way.

Some recent advances in facility security have been shown to go a long way in helping to maintain perimeter access and control intra-facility movement during an emergency. First of all, an access control system with strategically placed readers and electronic locking solutions has become an increasingly popular way to enable the instantaneous lockdown of a facility in the case of an emergency.

 Secondly, what makes an access control system so helpful in emergency situations is the ease by which administrators can deny access to the perimeter or any intra-facility area, thereby giving the administrator autonomy in regards to traffic flow during an emergency situation. When implemented correctly, the access control software provides a simple way to centrally manage user authorization and door status within a facility.

Also, by incorporating your credential strategies into your lockdown plan, this control not only pertains to staff members, but can also create a path to effectively manage vendors, contractors, volunteers and visitors during an emergency.

Using Technology to Increase Control

A hospital, by nature, needs to balance an open and inviting atmosphere with a sophisticated level of security. Ensuring the safety of patients and staff and protecting of patient records rank high on every organization’s list of priorities. Using the right technology can make this balance easier to maintain. Increasing the number of electronic access controlled openings cannot only help in day-to-day operations, but also aide in the event of an emergency.

During new construction or major remodeling, hospitals can plan for and implement hardwired electronic locks and readers that are connected to the network for easy centralized management. When managed from a central location, resulting lockdowns are fast and effective.   

As an alternative to hardwired locks, a wireless electronic locking system, extremely popular in hospitals during retrofits, provides flexibility and simplicity of installation with the same enhanced security and lockdown capabilities of a hardwired system. Wireless access control system installation is fast and easy with minimal disruption to patient care areas and can easily be integrated with other electronic hardware for an integrated life safety and security solution. 

 One lockdown issue with some wireless technologies, such as WiFi, has been the potential for communications delay from the head-end system. With many wireless solutions, access control decisions are downloaded by the host into the lock only 5-6 times per day. Access control decisions are managed within the locks (as is the case with traditional offline locks) to minimize communication from the lock to the host and conserve batteries. However, such limited (not real-time) connectivity with the host limits the locks’ ability to receive urgent commands from the host.     

There can also be issues with legacy 900 MHz wireless technology platforms. Oftentimes, a command to immediately lock down could be ignored by the lock for up to 10 minutes or more. However, with newer modular wireless locks using 900MHz, a patent-pending “wake up on radio” feature works in parallel with the 10-minute heartbeat. Without waking up the entire lock or reducing battery life, it listens for complementary commands every one to 10 seconds and then responds. Thus, it can be programmed  for 10 seconds is the longest it will take to initiate lockdown.

Healthcare security professionals can also choose the specific electronic lock they need knowing that it can be later upgraded without taking it off the door. Some new electronic locks provide options to truly customize the access control solution, quickly migrate to meet future needs and provide seamless integration with current software now and later, and provide a lower cost of ownership. 

There are now more options than ever to install electronic hardware that meets the credential and network requirements of a hospital’s current system. If an access control system is already in place, but does not control all of the openings required to be effective in the case of emergency, there are a number of open architecture solutions that are compatible with most of today’s access control systems. These can easily integrate into a legacy system, increasing security on more openings in the facility.

Control Access Smartly

As part of the overall security and emergency planning, using advanced design strategies, innovative hardware and careful management of personal access, healthcare facilities can better control the access its inhabitants have in and around the building as well as protect its assets.

By emphasizing planning, practice, education and the latest in security hardware, lockdown times can be drastically cut, even in large hospitals. A reduction  in lockdown time signifies an improvement in emergency preparedness. It also assures that perimeter access and intra-facility access has been optimized for both performance and security.

When there is an influx of patients or others, it is imperative to control where they have access. Hospitals must protect patient privacy, both their rooms and their records. To do so, most will probably have to increase the number of electronic access controlled openings for better control and use credentials that facilitate security.

About the Author:

Ann Geissler Timme is Allegion’s Healthcare Marketing Manager. She can be contacted at [email protected].