Market Focus: Healthcare Security

April 8, 2022
The Security Business expert integrator panel helps make sense of this complex, highly regulated business market segment

This article originally appeared as the cover story in the April 2022 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.


Healthcare, which includes both hospitals and their associated facilities, present security challenges unmatched by other industries; in fact, large medical centers are often compared to small cities, with various applications such as office space, retail and transportation hubs.

On any day, there are hundreds to thousands of patients to protect – from newborn babies to dementia-stricken senior citizens. Security industry veterans will not be surprised to read that healthcare employees are five-times more likely to experience workplace violence than the average U.S. worker. The most recent annual federal statistics show healthcare workers account for 73% of all nonfatal workplace injuries and illnesses due to violence.

On top of that, hackers routinely target hospitals demanding staggering ransomware payments, knowing the facilities cannot halt operations, even temporarily.

While requiring a high level of security, integrators are challenged to maintain a hospital’s welcoming, calming environment – all while virtually every aspect of a medical center falls under strict regulations mandating quality of care, patient satisfaction, cost containment and privacy.

To help make sense of this complex but certainly rewarding business market segment, Security Business convened its exclusive three-member integrator panel to get its perspective on securing healthcare facilities: John Nemerofsky, chief operating officer of SAGE Integration; Mike Ruddo, chief strategy officer for Integrated Security Technologies (IST); and its newest member, Shaun Castillo, president of Preferred Technologies.

Visitor Management

The panel members agree that visitor management is a significant problem facing all hospitals. “You can’t have visitors coming into a facility through multiple entries,” Nemerofsky says. “Lock the doors, leaving one open entry for visitors. Inside, use access control to keep them from getting off elevators into areas where they have no business. Video surveillance can spot visitors in controlled hallways, enabling staff members to guide them back to waiting rooms, cafeterias and other areas where they are permitted.”

Castillo recommends using a visitor management system enabling patients to register online before arriving at the hospital. These systems provide patients with a smartphone QR code that is presented, along with a government-issued ID upon arrival. That eliminates the need to fill out forms on site.

“With visitor management tied to an access control system, we can shorten the in-person processing time,” Castillo says. “There is no need to take a clipboard and spend 10 minutes filling out the same information you filled out during a previous visit. We can use technology to create a better customer experience.”

Ruddo adds that security guards are important to help keep visitors out of diagnostic and treatment rooms, pharmacies and other controlled areas. “The presence of guards also helps prevent violence aimed at employees.”

Danger Zones

Parking lots and garages are among the most dangerous areas of any facility. According to recent FBI statistics, 6% of the nation’s violent crimes occur in parking facilities, topped only by personal residences and sidewalks or alleys.

Ruddo says most hospitals install video cameras and blue-light emergency stations with intercoms to monitor the facilities and enable visitors to quickly contact the security operations center. Signage is also crucial in getting visitors to their destinations.

“Some medical centers are massive, and you want people knowing where to go,” Ruddo says. “Lost and confused people are more likely to be victimized.”

Emergency rooms, often open 24/7, pose another security challenge. The panelists recommend installing analytic cameras on entries to warn the SOC when too many people attempt to enter simultaneously. Locking doors into the exam rooms helps keep gang members from settling scores on events that began on the streets.

Ruddo says IST installs duress systems, using wall buttons and wearable pendants, throughout a healthcare facility enabling employees to quickly reach security if they fear an attack.

Regulations

The healthcare industry is one of the most highly regulated vertical markets. The federal Health Insurance Portability and Accountability (HIPAA) Act of 1996 covers the privacy and security of health records, notifications of data breaches, and patient rights over their information.

The independent Joint Commission on Accreditation of Healthcare Organizations (the Joint Commission) provides accreditation to more than 20,000 U.S. healthcare organizations based on the safety and quality of care, including security. Losing accreditation could result in severe financial hardships for an institution.

Nemerofsky says Joint Commission staff can be comprehensive and picky. “If an integrator ran cable through walls above a false ceiling in a high-rise office building and didn’t close the penetrations, there’d be no problems, as no one would see them,” Nemerofsky says. “But a Joint Commission inspector will find it and require a patch.”

Patient privacy is an integral part of HIPAA regulations. There is a need for well-secured records rooms and nurse and doctor stations

where laptops, even handwritten notes, are found. Castillo says integrators must help their healthcare clients make it clear to the public why data, such as video, is collected. “I think we will get more public buy-in if people know what we are collecting, how we collect and use it, and what we do with it when we don’t need it anymore. As integrators, we need to get better at advising our customers.”

The integrators say many hospitals install cameras in patient rooms with video displayed at nurses’ stations. The live video enables nurses to check patients more frequently without leaving their posts or interrupting a patient’s sleep; however, HIPAA privacy regulations prohibit recording this video.

Cybersecurity

Hospital networks contain detailed private patient data, meaning a successful hack could lead to regulatory fines and lost accreditation. That is why hackers make hospitals a prime target for ransomware attacks, demanding millions of dollars to provide a decryption key. Hospitals are more likely to pay quickly, as a frozen network leads to delays in testing and procedures, more extended patient stays and even potential deaths.

That taps into one of Nemerofsky’s topics – Open Supervised Device Protocol (OSDP), SIA’s new standard for access control installations. Older, non-encrypted technologies easily expose hospitals to hackers. “It is our job to impress upon hospital security directors the importance of running the latest versions of access control or video systems,” Nemerofsky says. “And they must routinely change passwords.”

Recently, many larger hospitals began requiring integrators to carry cybersecurity liability insurance, Ruddo adds. “The security devices you install are plugged into the IT network. If a technician is troubleshooting a problem, they are using a company laptop on the network, which puts [the integrator] at risk,” he explains. “We have one hospital system in northern Virginia that requires $10 million in cyber insurance. It is a new expense in this market.”

Standardization

Mergers and acquisitions are common within the healthcare industry. It is not unusual to find access control systems from multiple

manufacturers within a large healthcare organization.

“It doesn’t matter which manufacturer made the access control systems – bringing data from different systems into the SOC puts a strain on the operators,” Nemerofsky explains. “The goal is to standardize on one system. Hospitals need help from their integrators to create a reasonable migration plan.”

Castillo points out that doctors and staff often have responsibilities at multiple sites, requiring them to carry multiple access credentials. “It is not unusual to see nurses with six or seven badges around their necks. Too many card technologies introduce risk. Condense the credentials so employees can move between facilities, buildings or departments with one card.”

How Security Can Provide Efficiency

Several traditional security tools can help hospitals become more efficient. For example, Nemerofsky says video surveillance helps with COVID-19 contact tracing: “If an employee arrives at work and tests positive for the virus, security can look to see which doors the person touched in the past 24 hours,” he explains. “Other employees immediately following the infected person should be warned to watch for symptoms. And the doors should be sanitized.”

Nemerofsky adds that using cameras to monitor visitor and employee temperatures is not reliable, as the devices require hourly calibration. Also, the technology monitors skin, not body, temperature. He tells a story of a technician walking six blocks to a meeting during a Dallas summer. The outdoor temperature was 106 degrees and by the time he arrived at the hospital, the camera indicated he had a fever. He cooled off in the lobby before arriving late at his meeting.

Castillo says integrators can leverage data from access control or video systems to help hospitals increase their return on investment. “The access system may show that one area is impacted by heavy use while another nearby hospital section is relatively quiet,” he says. “Maybe we can help rearrange things to maximize efficiency.”

All three integrators agree that a handheld biometric scanner accurately authenticates a person’s identity and may be used more often to avoid giving a patient treatments or medications intended for another hospital patient sharing the same name and birthdate.

New Technologies?

Are hospitals open to new technologies? According to the integrators, they are, but to a point. Ruddo says real-time location tracking solutions are used widely for keeping track of newborns and elderly patients in memory care. Touchless, including biometric access control devices, are popular in areas such as an ER.

“If a staff member or a nurse is wheeling a patient between departments, they don’t want to keep presenting their credentials,” Ruddo says. “Touchless technologies are deployed to make it easier to do their jobs without sacrificing security.”

Nemerofsky says many hospitals include video analytics in their security mix. He provides an example of a car being stolen from a hospital campus. “You want to know who stole a blue Honda Civic on Tuesday, somewhere between 1 and 3 p.m. – an analytic can pick up on that,” he says. “As a result, maybe I need one less investigator in my department because now I can do this investigation in minutes instead of hours or days.”

Castillo says that drug cabinets, integrated with the access control system and charting and prescription-writing software, protect against thefts or mistakes. “We can arrange it so that a nurse goes to room XYZ to access a cabinet that distributes only the exact amount of drugs for a specific patient. That’s an opportunity for applying security technology.”

Castillo adds that hospitals generally prefer proven, reliable security products instead of cutting-edge technologies. “This is not a tip-of-the-spear type of industry when it comes to security.”

RMR for Integrators

Hospitals offer many RMR opportunities, including hosted video and access control services, system maintenance and credential management. The latter choice works well for healthcare organizations with regional facilities.

“Traditionally, hospitals were located in central areas, but now community hospitals, part of the same system, are in the suburbs,” Nemerofsky says. “Remote badging for these community sites is a valuable managed service.”

According to Nemerofsky, most visitor management systems are cloud-based, as are weapons and gunshot detection, which he identified as two more RMR possibilities. Managing a hospital’s IoT devices is another hosted service integrators may offer.

Ruddo says most hospitals have strong IT teams, yet there’s a need for embedded staff to handle workstation and software upgrades. “Integrator employees can perform standard repair tasks as well as preventive maintenance to keep systems operating optimally,” he says.

Castillo says hospitals are ripe with RMR opportunities, especially those looking to expense systems vs. making an upfront investment.

“The creative mind can turn anything into an RMR opportunity,” Castillo says. “There are so many systems within a hospital – child abduction systems, you name it. Again, just look at the systems they have and apply a little creativity, see how you can go about making that work.”

Getting Your Foot in the Door

The size and complexity of hospitals may intimidate smaller integrators, stopping them from bidding on healthcare projects. The panel says there are ways to prepare for that first project.

An integrator will need experience dealing with general contractors for new construction, says Ruddo. That requires familiarity with the bid process and having bonding capability – things that may be difficult for many smaller integrators. “When dealing with system upgrades, you have to show you are certified by the manufacturers whose products are being installed,” Ruddo says.

Castillo says large hospital systems prefer hiring well-known integration firms. “There’s a saying that no one was ever fired for hiring IBM.” He recommends smaller integrators take sub-contractor roles to ask questions of veteran integrators with healthcare experience. “Over time, you build the capacity to deliver a job as the lead integrator.”

Nemerofsky recommends integrators new to the vertical join organizations such as the International Association of Healthcare Security and Safety (IAHSS) to learn more about the market and network with members of hospital security teams.

As final advice, Castillo urges integrators taking on a healthcare project to plan carefully. “The cost of failure is extremely high in a healthcare environment. Be prepared if something goes wrong. Have backup supplies and technicians readily available to make things work – fast. There is a high demand for that level of service.”

Jon Daum of security-centric PR firm Daum Weigle (www.daumweigle.com) contributed to the writing of this article.

About the Author

Paul Rothman | Editor-in-Chief/Security Business

Paul Rothman is Editor-in-Chief of Security Business magazine. Email him your comments and questions at [email protected]. Access the current issue, full archives and apply for a free subscription at www.securitybusinessmag.com.